From patchwork Mon Mar 23 17:07:58 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Frederic Laing
X-Patchwork-Id: 26318
Date: Mon, 23 Mar 2026 17:07:58 +0000
To: libcamera-devel@lists.libcamera.org
From: Frederic Laing
Cc: Frederic Laing
Subject: [PATCH] ipa: fall back to in-process mode when isolation fails
Message-ID: <20260323170700.105171-1-dev@fredfunk.tech>

When the isolated IPA proxy fails to start (e.g. because fork() is blocked by a sandbox's seccomp filter), fall back to loading the IPA module in-process using the Threaded proxy instead of failing entirely.

This enables libcamera to work inside Flatpak and other sandboxed environments where process isolation via clone3() with CLONE_NEWUSER and CLONE_NEWNET is not permitted.

When isolation is explicitly forced via LIBCAMERA_IPA_FORCE_ISOLATION or the ipa.force_isolation configuration option, the fallback is suppressed and the proxy creation fails with an error instead, to preserve the intended security policy.

Tested on OnePlus 6T (Qualcomm SDM845) with IMX371 front camera.
Tested on Google Pixel 3a (Qualcomm SDM670) with IMX355 front camera.

Signed-off-by: Frederic Laing
Nacked-by: Kieran Bingham
--- include/libcamera/internal/ipa_manager.h | 29 ++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/include/libcamera/internal/ipa_manager.h b/include/libcamera/internal/ipa_manager.h index f8ce7801..03553711 100644 --- a/include/libcamera/internal/ipa_manager.h +++ b/include/libcamera/internal/ipa_manager.h
@@ -48,8 +48,33 @@ public: auto proxy = [&]() -> std::unique_ptr { if (self->isSignatureValid(m)) return std::make_unique(m, configuration); - else - return std::make_unique(m, configuration); + + auto isolated = std::make_unique(m, configuration); + if (isolated->isValid()) + return isolated; + +#if HAVE_IPA_PUBKEY + if (self->forceIsolation_) { + LOG(IPAManager, Error) + << "IPA process isolation failed for " + << m->path() + << " and isolation is forced"; + return isolated; + } +#endif + + /* + * Fall back to in-process loading when process + * isolation fails. This typically happens inside + * sandboxed environments (e.g. Flatpak) where + * fork() is blocked by the seccomp filter. + */ + LOG(IPAManager, Warning) + << "IPA process isolation failed for " + << m->path() + << ", falling back to in-process mode"; + + return std::make_unique(m, configuration); }(); if (!proxy->isValid()) {
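Review bot: the fallback at the end of the lambda is reached only after isSignatureValid(m) has returned false, so it loads a module that did not pass signature validation into the caller's process whenever isolated->isValid() is false, whatever the cause of the failure, not only a sandbox blocking fork(). That turns any isolation start-up failure into a downgrade of the trust boundary that is visible only as a Warning log line. Consider making the in-process fallback opt-in through an explicit configuration option and failing closed by default, so that an unsigned module is never loaded in-process without the integrator having asked for it. Separately, the forceIsolation_ check sits inside `#if HAVE_IPA_PUBKEY`, so a build without that macro always takes the fallback and the forced-isolation behaviour described in the commit message is not enforced there; either move the check outside the guard or add a comment explaining why forced isolation cannot apply to such builds.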