libGL error: MESA-LOADER: failed to retrieve device information
I found a bug with Mesa.
It works fine as root but fails as normal user.
I have 2 reproduction cases.
You must have mesa-demos installed.
glxinfo | head
name of display: :0
libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
libGL error: MESA-LOADER: failed to retrieve device information
display: :0 screen: 0
direct rendering: Yes
But sudo glxinfo works correctly without any errors.
It gives the same errors as above and the gears don't load.
After a while my desktop freezes.
OTOH sudo glxgears works.
#4 Updated by Ned Flanders over 1 year ago
- File permissions-hardened.log added
- File permissions-vanilla.log added
I found one more important piece of information.
This bug only exists on alpine-hardened.
On alpine-vanilla it works fine.
I have attached a comparison of some directories' permissions between hardened and vanilla that may be the reason for the differences.
Some grsec setting may be the source of this bug.
#5 Updated by Shiz ... over 1 year ago
Yes, it seems subsystem detection in libdrm fails because of the failing readlink() call. I think this is caused by grsecurity's GRKERNSEC_SYSFS_RESTRICT, which restricts non-root access to big parts of /sys.
I'm not sure what the best approach to solve this is, as there is no runtime-settable /proc/sys/kernel/grsecurity entry for this...
#10 Updated by Natanael Copa over 1 year ago
The sysfs does leak information that may be useful for an attacker, which is why grsecurity chose to lock it down.
In general, I prefer that we have locked/hardened/secure defaults and let users open up things they need, rather than having things open by default and letting users lock down/harden their config to become more secure if they can.