Launchpad has imported 27 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1732580.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2021-09-26T22:07:53+00:00 W-jan-k wrote: Created attachment 9242948 aboutsupport.txt Gnome Wayland, Debian Testing, Intel (Darkspirit from bug 1726510 comment 36) > $ sudo snap remove firefox > $ sudo snap install firefox > $ snap run firefox > WebGL and WebRender work according to about:support, but > https://webglsamples.org/aquarium/aquarium.html does not work. > > It does not appear your computer supports WebGL. > > Click here for more information. > > Status: WebGL creation failed: * tryNativeGL (FEATURE_FAILURE_NO_DISPLAY) * > > Exhausted GL driver options. (FEATURE_FAILURE_WEBGL_EXHAUSTED_DRIVERS) > > No word on about:support about this FEATURE_FAILURE_NO_DISPLAY thing. > > $ sudo cat /var/log/syslog | grep denied > > Sep 26 23:36:58 darkspirit-laptop kernel: [41105.417113] audit: type=1400 > > audit(1632692218.808:14756): apparmor="DENIED" operation="open" > > profile="snap.firefox.firefox" > > name="/proc/sys/dev/i915/perf_stream_paranoid" pid=49327 comm="firefox" > > requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 > > Sep 26 23:36:59 darkspirit-laptop kernel: [41105.850276] audit: type=1400 > > audit(1632692219.240:14757): apparmor="DENIED" operation="open" > > profile="snap.firefox.firefox" > > name="/proc/sys/dev/i915/perf_stream_paranoid" pid=49258 comm="Renderer" > > requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 > --- > Manually installed firefox - without dangerous, but with acking - works the > same as official firefox: > $ sudo snap remove firefox > $ sudo snap ack firefox_595.assert > $ sudo snap install firefox_595.snap > $ snap run firefox > https://webglsamples.org/aquarium/aquarium.html > > It does not appear your computer supports WebGL. > Click here for more information. > Status: WebGL creation failed: * tryNativeGL (FEATURE_FAILURE_NO_DISPLAY) * > Exhausted GL driver options. (FEATURE_FAILURE_WEBGL_EXHAUSTED_DRIVERS) > > /var/log/syslog: > Same two errors as above and this one is new: > > Sep 26 23:21:31 darkspirit-laptop kernel: [40177.949121] audit: type=1400 > > audit(1632691291.299:14602): apparmor="DENIED" operation="open" > > profile="snap.firefox.firefox" name="/proc/46373/environ" pid=46215 > > comm=427265616B70616420536572766572 requested_mask="r" denied_mask="r" > > fsuid=1000 ouid=1000 Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/0 ------------------------------------------------------------------------ On 2021-09-26T23:43:34+00:00 W-jan-k wrote: $ snap info firefox > channels: > latest/stable: 92.0-3 2021-09-09 (595) 159MB - > latest/candidate: 92.0.1-1 2021-09-23 (625) 159MB - > latest/beta: 93.0b9-1 2021-09-24 (628) 155MB - > latest/edge: ↑ > esr/stable: 78.14.0esr-1 2021-09-07 (591) 148MB - > esr/candidate: 91.1.0esr-1 2021-09-10 (603) 158MB - > esr/beta: ↑ > esr/edge: ↑ $ sudo snap remove firefox --purge; sudo snap install firefox --channel=esr/stable; snap run firefox https://webglsamples.org/aquarium/aquarium.html > firefox (esr/stable) 78.14.0esr-1 from Mozilla✓ installed works Edit: because it uses the official Mozilla config (GLX/Xwayland) $ sudo snap remove firefox; sudo snap install firefox --channel=esr/candidate; snap run firefox https://webglsamples.org/aquarium/aquarium.html > firefox (esr/candidate) 91.1.0esr-1 from Mozilla✓ installed broken $ sudo snap remove firefox; sudo snap install firefox --channel=latest/candidate; snap run firefox https://webglsamples.org/aquarium/aquarium.html > firefox (candidate) 92.0.1-1 from Mozilla✓ installed broken $ sudo snap remove firefox; sudo snap install firefox --channel=latest/beta; snap run firefox https://webglsamples.org/aquarium/aquarium.html > firefox (beta) 93.0b9-1 from Mozilla✓ installed broken Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/1 ------------------------------------------------------------------------ On 2021-09-27T00:39:13+00:00 W-jan-k wrote: 93.0b9: Problem does not occur with GLX/Xwayland. Problem also occurs with EGL/Xwayland. $ DISABLE_WAYLAND=1 MOZ_X11_EGL=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/2 ------------------------------------------------------------------------ On 2021-09-28T17:42:23+00:00 W-jan-k wrote: Tested: * GLX is used on Gnome X11/Nvidia: fine * EGL is used on Wayland because MOZ_ENABLE_WAYLAND is used (either Snap sets it as default or xwayland is not available) * As of 94, EGL will also be used on X11 (bug 1695933). This bug is also reproducible with Firefox Snap 92 when setting gfx.x11-egl.force-enabled to true on Gnome X11/Nvidia, but I don't see any DENIED in syslog. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/3 ------------------------------------------------------------------------ On 2021-09-28T18:10:42+00:00 Robert Mader wrote: Hm, this reminds me of bug 1700601 and bug 1696691. For the record: I'm going to land bug 1732002 to give us some more time to figure out stuff like this. Nvidia does not yet default to Wayland sessions on Ubuntu so setups with default configuration remain unaffected. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/4 ------------------------------------------------------------------------ On 2021-09-28T18:19:12+00:00 W-jan-k wrote: Created attachment 9243285 about:support from Firefox snap 92, Gnome X11, Intel Also reproducible with Firefox Snap 92 and gfx.x11-egl.force-enabled=true on Gnome X11/Intel. No crash report. Edit: Attachment is XFCE X11, but Gnome X11 looks the same. glxtest works without problem, WebGL info on about:support is correct. It's just that WebGL doesn't work on websites. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/5 ------------------------------------------------------------------------ On 2021-09-29T16:43:30+00:00 Robert Mader wrote: Ah I see. Sounds like it needs to get fixed by whoever maintains the Snap sandbox - likely little we can do in FF. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/6 ------------------------------------------------------------------------ On 2021-09-29T16:47:55+00:00 Olivier Tilloy wrote: Pasting a comment of mine from bug 1726510: « I instrumented the corresponding code and rebuilt the snap: in GetAndInitDisplay() (gfx/gl/GLLibraryEGL.cpp), egl.fGetDisplay() (eglGetDisplay()) always returns null. This requires further investigation. » Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/7 ------------------------------------------------------------------------ On 2021-09-29T16:54:39+00:00 Olivier Tilloy wrote: The apparmor denials on "/proc/sys/dev/i915/perf_stream_paranoid" mentioned in the description are red herrings: I can see them too, but if I edit the snap's generated apparmor profile (`/var/lib/snapd/apparmor/profiles/snap.firefox.firefox`) to allow read access to that file and reload it, the denials go away but the problem with WebGL persists. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/8 ------------------------------------------------------------------------ On 2021-09-30T16:58:13+00:00 Olivier Tilloy wrote: I instrumented further the code, and here are my observations so far: When launching firefox, the very first call to `GLLibraryEGL::CreateDisplay()` returns a valid EGL display. This is being called from `RenderThread::CreateGLContextEGL()`, from the app's main process. Subsequent calls to `GLLibraryEGL::CreateDisplay()` follow a different code path (from `GLContextProviderEGL::CreateHeadless()`, from child (content) processes), and those invariably return `null`, which results in WebGL not working. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/9 ------------------------------------------------------------------------ On 2021-09-30T17:16:02+00:00 Olivier Tilloy wrote: Running the app with `MOZ_DISABLE_CONTENT_SANDBOX=1` "fixes" WebGL, so there is something in the content sandbox that prevents access to an EGL display. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/10 ------------------------------------------------------------------------ On 2021-09-30T17:23:31+00:00 W-jan-k wrote: Disabling widget.dmabuf-webgl.enabled doesn't make a difference. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/11 ------------------------------------------------------------------------ On 2021-10-01T15:23:22+00:00 W-jan-k wrote: Summary: STR on Debian Testing: $ sudo apt install snapd $ sudo systemctl start snapd $ sudo snap install firefox When using a Wayland session: * EGL/Wayland backend: broken: `$ snap run firefox https://webglsamples.org/aquarium/aquarium.html` works: `$ MOZ_DISABLE_CONTENT_SANDBOX=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html` * EGL/Xwayland: broken: `$ DISABLE_WAYLAND=1 MOZ_X11_EGL=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html` works: `$ MOZ_DISABLE_CONTENT_SANDBOX=1 DISABLE_WAYLAND=1 MOZ_X11_EGL=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html` * fine with glx/xwayland: `$ DISABLE_WAYLAND=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html` When using an X11 session: * EGL/X11: broken: `$ MOZ_X11_EGL=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html` works: `$ MOZ_DISABLE_CONTENT_SANDBOX=1 MOZ_X11_EGL=1 snap run firefox https://webglsamples.org/aquarium/aquarium.html` * fine with GLX/X11: `$ snap run firefox https://webglsamples.org/aquarium/aquarium.html` Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/12 ------------------------------------------------------------------------ On 2021-10-01T16:22:30+00:00 Olivier Tilloy wrote: Also, reducing `security.sandbox.content.level` to `2` (from its default value of `4`) in `about:config` makes the problem go away. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/13 ------------------------------------------------------------------------ On 2021-10-01T16:32:15+00:00 Olivier Tilloy wrote: And setting `security.sandbox.content.read_path_whitelist` to `$SNAP/` (e.g. `/snap/firefox/595/`, the trailing slash is important), also makes the problem go away, confirming that the content process sandboxing is what prevents the WebGL code from accessing the EGL library. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/14 ------------------------------------------------------------------------ On 2021-10-01T16:40:10+00:00 Olivier Tilloy wrote: I'm tempted to patching `SandboxBrokerPolicyFactory::InitContentPolicy()` to call `policy->AddPath(rdonly, "$SNAP/")` when firefox is running as a snap. This will obviously require a thorough security review. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/15 ------------------------------------------------------------------------ On 2021-10-01T22:33:25+00:00 Gpascutto wrote: I would expect https://searchfox.org/mozilla- central/source/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#499 to pick up libraries shipped alongside Firefox. I guess what's happening here is that the library is shipped in the snap (but not in the default system), not next to the binary, and then "something" is done to make the dynamic linker pick it up? Our sandbox knows about LD_LIBRARY_PATH and such https://searchfox.org/mozilla- central/rev/c3d7964c593e0bedabea2fea0b35ba243cf9e696/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#258 but I guess this is using something different? In general readonly permission to trusted system library dirs should not be a security concern. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/16 ------------------------------------------------------------------------ On 2021-10-04T20:33:20+00:00 Olivier Tilloy wrote: Indeed, the library is shipped by the snap. To be exact, it is shipped by the platform snap that the firefox snap uses as its base (gnome-3-38-2004), and the snap sees it at `$SNAP/gnome- platform/usr/lib/x86_64-linux-gnu/libEGL.so`. The snap's launcher modifies `LD_LIBRARY_PATH` accordingly. This is the value for a webcontent (child) process (where `x21` is the snap's revision, because I manually installed an instrumented build): LD_LIBRARY_PATH=/snap/firefox/x21/usr/lib/firefox:/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/firefox/x21/usr/lib:/snap/firefox/x21/usr/lib/x86_64-linux- gnu:/snap/firefox/x21/gnome-platform/lib/x86_64-linux- gnu:/snap/firefox/x21/gnome-platform/usr/lib/x86_64-linux- gnu:/snap/firefox/x21/gnome-platform/usr/lib:/snap/firefox/x21/gnome- platform/lib:/snap/firefox/x21/gnome-platform/usr/lib/x86_64-linux- gnu/dri:/var/lib/snapd/lib/gl:/snap/firefox/x21/gnome- platform/usr/lib/x86_64-linux-gnu/libunity:/snap/firefox/x21/gnome- platform/usr/lib/x86_64-linux-gnu/pulseaudio The path in question is there, so it's not immediately clear to me why it's not being added to the policy's list of readonly paths. Maybe the call to `realpath(…)` doesn't work well with the snap's confinement? Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/17 ------------------------------------------------------------------------ On 2021-10-05T14:34:21+00:00 Olivier Tilloy wrote: I was able to narrow down the one missing path (required to make WebGL work) to `$SNAP/gnome-platform/usr/share/glvnd/egl_vendor.d/`. That path contains one single file (`50_mesa.json`): { "file_format_version" : "1.0.0", "ICD" : { "library_path" : "libEGL_mesa.so.0" } } Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/18 ------------------------------------------------------------------------ On 2021-10-05T14:39:38+00:00 Olivier Tilloy wrote: So the problem is not with `LD_LIBRARY_PATH` or with how the sandbox parses its value to add readonly permissions, it is with a configuration file that's located in a place that the policy doesn't allow read access to by default, and which contains information for EGL to locate the right implementation to load. In that light, and considering that we might see other similar bugs (caused by configuration files for certain libs not being readable) in the future, my suggestion in comment 15 seems to be a valid and future- proof solution. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/19 ------------------------------------------------------------------------ On 2021-10-05T16:59:09+00:00 Olivier Tilloy wrote: Created attachment 9244377 Bug 1732580 - Allow read access to files under $SNAP/ in the webcontent sandbox. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/20 ------------------------------------------------------------------------ On 2021-10-08T19:15:21+00:00 Pulsebot wrote: Pushed by [email protected]: https://hg.mozilla.org/integration/autoland/rev/f52ebe8f3b52 Allow read access to files under $SNAP/ in the webcontent sandbox. r=gcp Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/21 ------------------------------------------------------------------------ On 2021-10-09T08:26:58+00:00 Mlaza wrote: https://hg.mozilla.org/mozilla-central/rev/f52ebe8f3b52 Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/22 ------------------------------------------------------------------------ On 2021-10-11T12:00:50+00:00 Release-mgmt-account-bot wrote: The patch landed in nightly and beta is affected. :olivier, is this bug important enough to require an uplift? If not please set `status_beta` to `wontfix`. For more information, please visit [auto_nag documentation](https://wiki.mozilla.org/Release_Management/autonag#uplift_beta.py). Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/25 ------------------------------------------------------------------------ On 2021-10-11T13:21:32+00:00 Olivier Tilloy wrote: Yes, this definitely needs to be uplifted to beta. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/26 ------------------------------------------------------------------------ On 2021-10-11T13:24:20+00:00 Olivier Tilloy wrote: Comment on attachment 9244377 Bug 1732580 - Allow read access to files under $SNAP/ in the webcontent sandbox. ### Beta/Release Uplift Approval Request * **User impact if declined**: WebGL doesn't work for users of the firefox snap in Wayland sessions. * **Is this code covered by automated tests?**: Yes * **Has the fix been verified in Nightly?**: Yes * **Needs manual test from QE?**: No * **If yes, steps to reproduce**: * **List of other uplifts needed**: None * **Risk to taking this patch**: Low * **Why is the change risky/not risky? (and alternatives if risky)**: Not risky because only the snap package is affected (the sandbox allows one additional folder for readonly access if the $SNAP environment variable is set). * **String changes made/needed**: Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/27 ------------------------------------------------------------------------ On 2021-10-11T13:42:28+00:00 Olivier Tilloy wrote: This patch also appears to fix another problem that happens only in Wayland sessions, and was reported in Ubuntu (against the upcoming 21.10 release which ships the Firefox snap by default): https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599. Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1946599/comments/30 ** Changed in: firefox Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946599 Title: Firefox break when returning from console with wayland (nvidia) on ubuntu 21.10 beta To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/1946599/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
