Summary: | [Tracker] virtual/opencl providers should set SANDBOX_PREDICT or SANDBOX_WRITE in /etc/sandbox.d/99opencl | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Dennis Schridde <dschridde+gentoobugs>
Component: | Current packages | Assignee: | Gentoo X packagers <x11>
Status: | UNCONFIRMED --- | |
Severity: | normal | CC: | o.freyermuth, sam
Priority: | Normal | Keywords: | Tracker
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=580208 | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 580208, 648726 | |

Description
Dennis Schridde
2018-02-24 19:37:47 UTC
/dev/dri/render* is actually 0666 on my system, which should be safe as the interface was designed to allow only rendering, as opposed to management and modesetting of the card as a whole. Hence it appears to be safe to list it in SANDBOX_WRITE. Since /etc/sandbox.d/ does not appear to support prefix matches or wildcard globs, every render node has to be explicitly listed in SANDBOX_WRITE. Could this be automated through a udev rule generating the /etc/sandbox.d/99opencl file? That should then even cover hotplugged devices.
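
One way the generation step asked about above could look, as an added example that is not part of the original report or of any Gentoo package. It assumes /etc/sandbox.d files take a colon-separated `SANDBOX_WRITE="..."` line; the function names, the `--write` switch, the script path and the udev rule in the comment are hypothetical.

```shell
#!/bin/sh
# Added example: regenerate the SANDBOX_WRITE entry for DRM render nodes.
# Assumed udev hook (hypothetical rule and script path):
#   ACTION=="add|remove", SUBSYSTEM=="drm", KERNEL=="renderD[0-9]*", \
#     RUN+="/usr/local/sbin/gen-sandbox-opencl --write"

# Print one SANDBOX_WRITE line for the render nodes in $1 (default /dev/dri).
# Prints nothing when no node qualifies, so the caller can drop the file.
sandbox_write_line() {
    dir=${1:-/dev/dri}
    list=
    for node in "$dir"/renderD*; do
        name=${node##*/}
        # Accept only renderD<digits>; this also skips an unexpanded glob.
        case ${name#renderD} in
            ''|*[!0-9]*) continue ;;
        esac
        # ':' separates entries and '"' ends the value, so a path containing
        # either could add an unintended writable path to the sandbox.
        case $node in *:*|*\"*) continue ;; esac
        # Only character devices are listed; card*/controlD* never match.
        [ -c "$node" ] || continue
        list=${list:+$list:}$node
    done
    if [ -n "$list" ]; then printf 'SANDBOX_WRITE="%s"\n' "$list"; fi
}

# Write the line to $2 (default /etc/sandbox.d/99opencl) via a temporary file
# and rename, so a concurrent reader never sees a half-written list.
write_sandbox_file() {
    out=${2:-/etc/sandbox.d/99opencl}
    line=$(sandbox_write_line "${1:-/dev/dri}")
    if [ -z "$line" ]; then rm -f "$out"; return 0; fi
    tmp=$(mktemp "$out.XXXXXX") || return 1
    printf '%s\n' "$line" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$out"
}

# Only touch the system file when explicitly asked to (e.g. from the udev rule).
if [ "${1:-}" = "--write" ]; then write_sandbox_file /dev/dri; fi
```

Only the render nodes end up in the list, so the card* nodes that carry modesetting and management access stay outside SANDBOX_WRITE.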