GNU bug report logs - #77827
[PATCH] gnu: librewolf: Fix video playback.

Previous Next

Package: guix-patches;

Reported by: Jakob Kirsch <jakob.kirsch <at> web.de>

Date: Tue, 15 Apr 2025 16:48:02 UTC

Severity: normal

Tags: patch

Done: Ian Eure <ian <at> retrospec.tv>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jussi Timperi <jussi.timperi <at> iki.fi>
To: Julian Flake <julian <at> flake.de>
Cc: 77827 <at> debbugs.gnu.org, Jakob Kirsch <jakob.kirsch <at> web.de>, Ian Eure <ian <at> retrospec.tv>
Subject: [bug#77827] Video playback still fails with 4fd529d
Date: Sun, 20 Apr 2025 00:24:43 +0300

Hi,

On 19 April 2025 21:32, Julian Flake <julian <at> flake.de> wrote:

> --8<---------------cut here---------------start------------->8---
> ➜  ~ librewolf
> libva info: VA-API version 1.22.0
> libva info: Trying to open /run/current-system/profile/lib/dri/iHD_drv_video.so
> libva info: va_openDriver() returns -1
> libva info: Trying to open /run/current-system/profile/lib/dri/i965_drv_video.so
> libva info: va_openDriver() returns -1
> --8<---------------cut here---------------end--------------->8---

intel-vaapi-driver isn't whitelisted in the RDD sandbox, so it will block
opening the drivers. Running with MOZ_SANDBOX_LOGGING=1 will show something
like:

    [30324] Sandbox: SandboxBroker: denied op=open rflags=2000000 perms=0 path=/gnu/store/jji80qsrw6dm3zsgwxhz5301d5ww0ga8-intel-vaapi-driver-2.4.1/lib/dri/i965_drv_video.so for pid=30400
    [30400] Sandbox: Failed errno -13 op open flags 02000000 path /home/jussi/.guix-profile/lib/dri/i965_drv_video.so
    [30324] Sandbox: SandboxBroker: denied op=access rflags=0 perms=0 path=/gnu/store/jji80qsrw6dm3zsgwxhz5301d5ww0ga8-intel-vaapi-driver-2.4.1/lib/dri/i965_drv_video.so for pid=30400
    [30400] Sandbox: Failed errno -13 op access flags 00 path /home/jussi/.guix-profile/lib/dri/i965_drv_video.so
    libva info: va_openDriver() returns -1

HW video decoding working with MOZ_DISABLE_RDD_SANDBOX=1 further
confirms it being the sandbox issue.

Upstream solved it for Nix by whitelisting the entire store[1]. As Ian
mentioned, there's a patch in #72265[2] trying to do the same for guix.


Footnotes:
[1]  https://hg-edge.mozilla.org/releases/mozilla-release/file/FIREFOX_137_0_2_RELEASE/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#l478

[2]  https://issues.guix.gnu.org/72265

Best,
--
Jussi
This bug report was last modified 127 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.