what exactly does --device=dri open?

Winnie Poon winniepoon_home at hotmail.com
Tue Feb 11 21:37:29 UTC 2020


Dear flatpak developers,

I would like to understand more what this --device=dri does.

We have some work on our end to enable hardware acceleration on Linux, so direct access to the GPU to offload the CPU. It's done via libva, which uses the vaapi driver to communicate with the GPU. After we have a decoded VAAPI frame, we map it into GL to draw it.

We have it working and tested it **outside** the sandbox, then we packaged it using flatpak and were surprised that direct access to the GPU works fine in the sandbox as well. We did open a hole "--device=dri" for OpenGL to work, but it looks like this --device=dri also opens up a lot of things inside the sandbox.

It seems like with this hole "--device=dri", from inside the sandbox we can directly access the GPU, meaning then, I guess, freely interact with the vaapi driver to access the GPU, and of course map it into GL to draw.

Can someone explain to me in more detail what this "--device=dri" opens up?

Is there a way to open up a "smaller" hole?

Is it safe/secure to use "--device=dri" which seems to break open the sandbox and allow the app to reach out to do a lot of things as if it's outside the sandbox?

Thank you so much for your time.

Winnie