From af44e33b19becf3cda6919a10268cca731a1e306 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Tue, 25 Jun 2024 22:52:05 +0000
Subject: modif: keep /sys/module/nvidia* if prop driver and no no3d (#6387)

It has been reported in #6372 that after upgrading the nvidia proprietary
driver from version 550.78 to 550.90.07, programs using hardware
acceleration fail unless paths in `/sys/module/nvidia*` are accessible.

Example:

    $ firejail --noprofile prime-run /bin/glxdemo
    [...]
    X Error of failed request: BadValue (integer parameter out of range for operation)
      Major opcode of failed request: 150 (GLX)
      Minor opcode of failed request: 3 (X_GLXCreateContext)
      Value in failed request: 0x0
      Serial number of failed request: 22
      Current serial number in output stream: 23
    [...]

Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.

So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.

Note: The driver check is copied from src/firejail/util.c (see #841).

To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.

Fixes #6372.

Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
---
 etc/profile-m-z/noprofile.profile | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'etc/profile-m-z/noprofile.profile')

diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
index 7d0e01d98..c2e4999ea 100644
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -15,6 +15,8 @@ noblacklist /sys/fs noblacklist /sys/module +nowhitelist /sys/module/nvidia* +ignore read-only /sys/module/nvidia* allow-debuggers allusers -- cgit v1.2.3-70-g09d2
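Review bot: The two added lines (`nowhitelist /sys/module/nvidia*` and `ignore read-only /sys/module/nvidia*`) undo a whitelist and a read-only restriction that are not visible anywhere in this file, so a reader of noprofile.profile cannot tell what they are overriding or why; please add a comment above them pointing at the reason, e.g. `# Keep /sys/module/nvidia* fully accessible under --noprofile (#6372)`. Related: the commit message says the nvidia whitelist is applied only when the proprietary driver is detected and `no3d` is not used, but the gating lives outside this file, while these overrides are unconditional; the comment should say that `--noprofile` deliberately drops both the whitelist and the read-only protection on `/sys/module/nvidia*` regardless of that detection, so that nobody later "fixes" the apparent asymmetry. Also note for the changelog that users who want the previous behaviour need `blacklist /sys/module` in globals.local, since that is the only documented way to restore it after this change.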