-rw-r--r--etc/profile-m-z/noprofile.profile2
-rw-r--r--src/firejail/fs.c14
2 files changed, 14 insertions, 2 deletions
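--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -15,6 +15,8 @@
 
 noblacklist /sys/fs
 noblacklist /sys/module
+nowhitelist /sys/module/nvidia*
+ignore read-only /sys/module/nvidia*
 
 allow-debuggers
 allusers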
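Review bot: The two new lines only make sense against the hard-coded entries that fs.c now adds for this host type, and nothing in the profile says so; a reader of noprofile.profile alone cannot tell why a whitelist that the profile never declares is being undone. A one-line comment above them would carry that, e.g. `# undo the whitelist/read-only that firejail adds for /sys/module/nvidia* when /dev/nvidiactl is present; noblacklist /sys/module above already exposes the directory`. Note that `ignore read-only` combined with `noblacklist /sys/module` leaves those module parameter files writable to the extent sysfs permissions allow, which is presumably intended for a no-profile run but is worth stating explicitly.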
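--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) {
 
 	disable_file(BLACKLIST_FILE, "/sys/firmware");
 	disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-	{ // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-		profile_add("blacklist /sys/fs");
+
+	// Soft-block some paths in /sys/ (can be undone in profiles).
+	profile_add("blacklist /sys/fs");
+
+	// Hardware acceleration with the nvidia proprietary driver may fail
+	// without access to these paths (see #6372).
+	if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+		profile_add("whitelist /sys/module/nvidia*");
+		profile_add("read-only /sys/module/nvidia*");
+	}
+	else {
 		profile_add("blacklist /sys/module");
 	}
+
 	disable_file(BLACKLIST_FILE, "/sys/power");
 	disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
 	disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");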
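Review bot: The whitelist branch keys only on `/dev/nvidiactl` being readable, so a host where the device node exists but no `nvidia*` entries are present under `/sys/module` (driver unloaded, stale node, container image) takes the whitelist path and never emits `blacklist /sys/module`; whether `/sys/module` then stays fully visible depends on how the whitelist code treats a glob with no matches, which this hunk does not show. Requiring the sysfs side as well keeps the fallback blacklist for that case, e.g. `if (access("/dev/nvidiactl", R_OK) == 0 && access("/sys/module/nvidia", F_OK) == 0 && arg_no3d == 0) {`. Since the visibility of `/sys/module` now varies by host, a short debug message on the chosen branch (guarded by the tree's debug flag, if one is in scope here) would make the result diagnosable from firejail's own output. fs_proc_sys_dev_boot begins before this hunk and continues past it.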