modules/programs: sandboxing: add "whitelistDri" option for gfx-intensive apps

2024-02-02 17:18:51 +00:00 · 2024-02-02 17:18:51 +00:00 · 2bb9115f35
commit 2bb9115f35
parent 065d045640
1 changed files with 19 additions and 5 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -63,11 +63,6 @@ let
            "/run/user"  #< particularly /run/user/$id/wayland-1, pulse, etc.
            "/run/secrets/home"  #< TODO: this could be restricted per-app based on the HOME paths they need
            "/usr/bin/env"
-            # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
-            #   but everything seems to gracefully fallback to *something* (MESA software rendering?)
-            #   GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
-            # TODO: restrict /dev/dri to just the applications that actually benefit from it
-            # "/dev/dri" "/sys/dev/char" "/sys/devices" (lappy: "/sys/devices/pci0000:00")
          ] ++ sandbox.extraPaths;
        }
  );
@ -295,6 +290,17 @@ let
          e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
        '';
      };
+      sandbox.whitelistDri = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow sandbox to access the kernel's /dev/dri interface(s).
+          this enables GPU acceleration, particularly for mesa applications,
+          however, this basically amounts to letting the sandbox send GPU-specific
+          commands directly to the GPU (or, its kernel module), which is a rather
+          broad and unaudited attack surface.
+        '';
+      };
      sandbox.extraPaths = mkOption {
        type = types.listOf types.str;
        default = [];
@ -353,6 +359,14 @@ let
      #   can't populate it here because it varies per-user.
      # this gets the symlink into the sandbox, but not the actual secret.
      fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
+
+      sandbox.extraPaths = lib.mkIf config.sandbox.whitelistDri [
+        # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
+        # - but everything seems to gracefully fallback to *something* (MESA software rendering?)
+        #   - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%.
+        # - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
+        "/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different)
+      ];
    };
  });
  toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;