seccomp ioctl and intel iHD libva driver
Running tracker on a Fedora 37 box, using the intel-media-driver iHD libva driver causes repeated seccomp failures in tracker-extract-3, caused by the ioctl system call being unauthorized in the sandbox:
Jan 10 10:55:55 fedora tracker-extract-3[26476]: Disallowed syscall "ioctl" caught in sandbox
Jan 10 10:55:59 fedora tracker-extract-3[26518]: Disallowed syscall "ioctl" caught in sandbox
Jan 10 10:56:03 fedora tracker-extract-3[26603]: Disallowed syscall "ioctl" caught in sandbox
This syscall is used there:
(gdb) bt
#0 __GI___ioctl (fd=51, request=3222037606) at ../sysdeps/unix/sysv/linux/ioctl.c:36
#1 0x00007fff818f81e0 in mosdrmIoctl (fd=51, request=request@entry=3222037606, arg=arg@entry=0x7fffe0ff787c) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/xf86drm.c:171
#2 0x00007fff818f8219 in drmIoctl (fd=<optimized out>, request=request@entry=3222037606, arg=arg@entry=0x7fffe0ff787c) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/xf86drm.c:178
#3 0x00007fff818fa5da in mos_gem_bo_madvise_internal (bufmgr_gem=0x7fff880bac90, bo_gem=0x7fffb4147680, state=1) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/mos_bufmgr.c:830
#4 mos_gem_bo_unreference_final (bo=0x7fffb4147680, time=5298) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/mos_bufmgr.c:1651
#5 0x00007fff818fa77c in mos_gem_bo_unreference (bo=0x7fffb4147680) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/mos_bufmgr.c:1690
#6 mos_gem_bo_unreference (bo=0x7fffb4147680) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/mos_bufmgr.c:1674
#7 0x00007fff81ad6fe0 in mos_bo_unreference (bo=<optimized out>) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/os/i915/mos_bufmgr_api.c:120
#8 DdiMediaUtil_FreeBuffer (buf=0x7fffb4111890) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/ddi/media_libva_util.cpp:1530
#9 DdiDecodeAVC::FreeResourceBuffer (this=0x7fffb400e000) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/codec/ddi/media_ddi_decode_avc.cpp:872
#10 DdiDecodeAVC::DestroyContext (this=0x7fffb400e000, ctx=0x7fff880f7b40) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/codec/ddi/media_ddi_decode_avc.cpp:567
#11 0x00007fff81ab6231 in DdiDecodeCleanUp (decCtx=0x7fffb4010000, ctx=0x7fff880f7b40) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/codec/ddi/media_libva_decoder.cpp:998
#12 DdiDecode_DestroyContext (context=<optimized out>, ctx=0x7fff880f7b40) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/codec/ddi/media_libva_decoder.cpp:1467
#13 DdiMedia_DestroyContext (ctx=0x7fff880f7b40, context=<optimized out>) at /usr/src/debug/intel-media-driver-22.5.4-1.fc37.x86_64/media_driver/linux/common/ddi/media_libva.cpp:3237
#14 0x00007fffe01e0629 in vaDestroyContext (dpy=dpy@entry=0x7fff88064c00, context=<optimized out>) at ../va/va.c:1265
#15 0x00007fffb2be58c6 in gst_va_decoder_close (self=0x7fff88006e10) at ../sys/va/gstvadecoder.c:275
#16 0x00007fffb2be5a14 in gst_va_base_dec_stop (decoder=0x7fff88077490) at ../sys/va/gstvabasedec.c:78
#17 0x00007ffff09803da in gst_video_decoder_change_state (element=<optimized out>, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst-libs/gst/video/gstvideodecoder.c:2885
#18 0x00007ffff0b6a5f1 in gst_element_change_state (element=element@entry=0x7fff88077490, transition=transition@entry=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstelement.c:3083
#19 0x00007ffff0b6ac27 in gst_element_set_state_func (element=0x7fff88077490, state=GST_STATE_READY) at ../gst/gstelement.c:3037
#20 0x00007ffff0b43b0b in gst_bin_element_set_state (next=GST_STATE_READY, current=GST_STATE_PAUSED, start_time=0, base_time=0, element=0x7fff88077490, bin=0x7fffc800a360) at ../gst/gstbin.c:2581
#21 gst_bin_change_state_func (element=0x7fffc800a360, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstbin.c:2923
#22 0x00007ffff04bcc22 in gst_decode_bin_change_state (element=0x7fffc800a360, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/playback/gstdecodebin2.c:5465
#23 0x00007ffff0b6a5f1 in gst_element_change_state (element=element@entry=0x7fffc800a360, transition=transition@entry=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstelement.c:3083
#24 0x00007ffff0b6ac27 in gst_element_set_state_func (element=0x7fffc800a360, state=GST_STATE_READY) at ../gst/gstelement.c:3037
#25 0x00007ffff0b43b0b in gst_bin_element_set_state (next=GST_STATE_READY, current=GST_STATE_PAUSED, start_time=0, base_time=0, element=0x7fffc800a360, bin=0x7fffc80093d0) at ../gst/gstbin.c:2581
#26 gst_bin_change_state_func (element=0x7fffc80093d0, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstbin.c:2923
#27 0x00007ffff04d143e in gst_uri_decode_bin_change_state (element=0x7fffc80093d0, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/playback/gsturidecodebin.c:2882
#28 0x00007ffff0b6a5f1 in gst_element_change_state (element=element@entry=0x7fffc80093d0, transition=transition@entry=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstelement.c:3083
#29 0x00007ffff0b6ac27 in gst_element_set_state_func (element=0x7fffc80093d0, state=GST_STATE_READY) at ../gst/gstelement.c:3037
#30 0x00007ffff0b43b0b in gst_bin_element_set_state (next=GST_STATE_READY, current=GST_STATE_PAUSED, start_time=0, base_time=0, element=0x7fffc80093d0, bin=0x7fffe4019400) at ../gst/gstbin.c:2581
#31 gst_bin_change_state_func (element=0x7fffe4019400, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstbin.c:2923
#32 0x00007ffff0b96016 in gst_pipeline_change_state (element=0x7fffe4019400, transition=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstpipeline.c:529
#33 0x00007ffff0b6a5f1 in gst_element_change_state (element=element@entry=0x7fffe4019400, transition=transition@entry=GST_STATE_CHANGE_PAUSED_TO_READY) at ../gst/gstelement.c:3083
#34 0x00007ffff0b6ac27 in gst_element_set_state_func (element=0x7fffe4019400, state=GST_STATE_READY) at ../gst/gstelement.c:3037
#35 0x00007ffff0ae1bff in discoverer_cleanup (dc=dc@entry=0x7fffc8010220) at ../gst-libs/gst/pbutils/gstdiscoverer.c:1952
#36 0x00007ffff0ae2e97 in gst_discoverer_discover_uri (discoverer=0x7fffc8010220, uri=uri@entry=0x7fffc8428bf0 "file:///home/<edited for privacy>.mp4", err=err@entry=0x7fffe0ff81c8) at ../gst-libs/gst/pbutils/gstdiscoverer.c:2625
#37 0x00007ffff1775d58 in discoverer_init_and_run (uri=<optimized out>, extractor=0x5555558b9ca0) at ../src/tracker-extract/tracker-extract-gstreamer.c:1196
#38 tracker_extract_gstreamer (uri=<optimized out>, type=<optimized out>, info=<optimized out>) at ../src/tracker-extract/tracker-extract-gstreamer.c:1357
#39 0x00007ffff1777450 in tracker_extract_get_metadata (info=0x7fffc80dac60, error=0x7fffe0ff82f0) at ../src/tracker-extract/tracker-extract-gstreamer.c:1431
#40 0x0000555555562860 in get_file_metadata (task=task@entry=0x555555788590, info_out=info_out@entry=0x7fffe0ff82e8, error=error@entry=0x7fffe0ff82f0) at ../src/tracker-extract/tracker-extract.c:305
#41 0x000055555556b11e in get_metadata (task=0x555555788590) at ../src/tracker-extract/tracker-extract.c:499
#42 single_thread_get_metadata (queue=0x5555559244e0) at ../src/tracker-extract/tracker-extract.c:543
#43 0x00007ffff7e839c2 in g_thread_proxy (data=0x7fffe4021000) at ../glib/gthread.c:831
#44 0x00007ffff790c14d in start_thread (arg=<optimized out>) at pthread_create.c:442
#45 0x00007ffff798da00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
The difference from an out-of-the-box installation of Fedora 37 is that I tweaked the rank of the GStreamer elements to use the va elements instead of vaapi.
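Decoding the request value from frame #0 of the backtrace shows which ioctl the sandbox rejected. This is an added example, not code from tracker or the media driver. It assumes the asm-generic ioctl bit layout used on x86_64; the helper names are hypothetical and the DRM constants are those of the kernel's drm.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* asm-generic ioctl request layout (x86_64):
 * bits 0-7 nr, 8-15 type, 16-29 argument size, 30-31 direction. */
struct ioc { unsigned dir, size, type, nr; };

static struct ioc ioc_decode(uint32_t req)
{
    struct ioc d = { req >> 30, (req >> 16) & 0x3fff, (req >> 8) & 0xff, req & 0xff };
    return d;
}

/* Constants from the kernel's include/uapi/drm/drm.h */
#define DRM_IOCTL_BASE   'd'
#define DRM_COMMAND_BASE 0x40   /* driver-specific commands start here */
#define DRM_COMMAND_END  0xa0

/* The test a seccomp rule would apply to ioctl's second argument to admit
 * DRM requests only: a masked compare on the type byte. */
static bool is_drm_request(uint32_t req)
{
    return (req & 0xff00u) == ((uint32_t)DRM_IOCTL_BASE << 8);
}

/* Driver-relative command number, or -1 if not a driver-specific DRM ioctl. */
static int drm_driver_cmd(uint32_t req)
{
    struct ioc d = ioc_decode(req);
    if (!is_drm_request(req) || d.nr < DRM_COMMAND_BASE || d.nr >= DRM_COMMAND_END)
        return -1;
    return (int)(d.nr - DRM_COMMAND_BASE);
}

int main(void)
{
    /* 3222037606 is the request from frame #0; 0x5412 (TIOCSTI) is a
     * constructed non-DRM contrast value. */
    uint32_t samples[] = { 3222037606u, 0x5412u };
    for (size_t i = 0; i < 2; i++) {
        struct ioc d = ioc_decode(samples[i]);
        printf("0x%08x dir=%u size=%u type='%c' nr=0x%02x drm=%d drv_cmd=%d\n",
               (unsigned)samples[i], d.dir, d.size, d.type, d.nr,
               is_drm_request(samples[i]), drm_driver_cmd(samples[i]));
    }
    return 0;
}
```

The request decodes to a read/write DRM ioctl with a 12-byte argument and driver command 0x26, which i915_drm.h names DRM_I915_GEM_MADVISE, consistent with mos_gem_bo_madvise_internal in frame #3.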