Bug 648728 - [Tracker] virtual/opencl providers should set SANDBOX_PREDICT or SANDBOX_WRITE in /etc/sandbox.d/99opencl
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo X packagers
Keywords: Tracker
Depends on:
Blocks: 580208 648726
Reported: 2018-02-24 19:37 UTC by Dennis Schridde
Modified: 2021-10-17 02:17 UTC

See Also:
Package list:
Runtime testing required: ---


Description Dennis Schridde 2018-02-24 19:37:47 UTC
Packages that use OpenCL during build (e.g. those utilising media-gfx/imagemagick or media-gfx/graphicsmagick, including those bundling them, but also sci-geosciences/qgis-3.0.0 via pyuic wrapper) will attempt to access /dev/dri/render* during build, which will cause a build failure due to sandbox violations.

If the render nodes were listed in SANDBOX_PREDICT in a new /etc/sandbox.d/99opencl file, this would be fixed.

Comment 1 Dennis Schridde 2018-02-24 19:44:10 UTC
/dev/dri/render* is actually 0666 on my system, which should be safe as the interface was designed to allow only rendering, as opposed to management and modesetting of the card as a whole.  Hence it appears to be safe to list it in SANDBOX_WRITE.

Comment 2 Dennis Schridde 2018-02-25 00:11:17 UTC
Since /etc/sandbox.d/ does not appear to support prefix matches or wildcard globs, every render node has to be explicitly listed in SANDBOX_WRITE.  Could this be automated through a udev rule generating the /etc/sandbox.d/99opencl file?  That should then even cover hotplugged devices.
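
The generation step raised in Comment 2, sketched as an added example (not code from the bug report or from any Gentoo package): it lists every render node explicitly and writes the fragment atomically. The function names, the script name in the usage comment and the `REQUIRE_CHARDEV` switch are hypothetical, and the colon-separated `VAR="path:path"` fragment format is an assumption.

```sh
#!/bin/sh
# Added example: generate a sandbox.d fragment listing each render node explicitly.
# Assumes sandbox.d files hold VAR="path:path" lines (colon-separated paths).

# Print the render nodes found in directory $1, joined with ':'.
render_node_list() {
    list=
    for node in "$1"/renderD*; do
        name=${node##*/}
        # Accept only renderD<digits>; this also drops an unexpanded glob.
        case ${name#renderD} in
            ''|*[!0-9]*) continue ;;
        esac
        # Skip symlinks: a link named like a render node could point anywhere.
        [ -L "$node" ] && continue
        # Real render nodes are character devices. REQUIRE_CHARDEV=0 is a
        # hypothetical switch so the check can be exercised on plain files.
        if [ "${REQUIRE_CHARDEV:-1}" = 1 ]; then
            [ -c "$node" ] || continue
        fi
        list=${list:+$list:}$node
    done
    printf '%s' "$list"
}

# Write fragment $2 from the nodes in $1; $3 picks the variable to set.
write_sandbox_fragment() {
    src=$1 out=$2 var=${3:-SANDBOX_PREDICT}
    case $var in
        SANDBOX_PREDICT|SANDBOX_WRITE) ;;
        *) echo "unsupported variable: $var" >&2; return 1 ;;
    esac
    nodes=$(render_node_list "$src")
    # Write to a temp file in the same directory, then rename, so a reader
    # never sees a half-written fragment.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    printf '%s="%s"\n' "$var" "$nodes" > "$tmp"
    chmod 0644 "$tmp" && mv -f "$tmp" "$out"
}

# Example: sh gen-sandbox-opencl.sh /dev/dri /etc/sandbox.d/99opencl SANDBOX_WRITE
if [ "$#" -ge 2 ]; then
    write_sandbox_fragment "$@"
fi
```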