igo95862 / bubblejail

Bubblewrap based sandboxing for desktop applications

Nvidia acceleration doesn't work without /sys/module/nvidia/initstate #123

Closed consolation548 closed 2 months ago

consolation548 commented 3 months ago

Output of bubblejail --version

0.9.1

Your distro name and version

6.6.47-gentoo-x86_64

Description

I need to specify /sys/module/nvidia/initstate in the root share "Read Only" paths to get acceleration to work properly. Otherwise, alas, I'm getting this error:

$ glxinfo
name of display: :0
X Error of failed request:  BadValue (integer parameter out of range for operation)

Same on Steam.

SteamUpdateUI: An X Error occurred
X Error of failed request:  BadValue (integer parameter out of range for operation)

Here's the trace

read(6, "\0.shstrtab\0.gnu.hash\0.dynsym\0.dy"..., 176) = 176
close(6)                                = 0
access("/sys/module/nvidia/initstate", R_OK) = -1 ENOENT (No such file or directory)
stat("/sys/bus/pci/devices", 0x7ffc01a84bd0) = -1 ENOENT (No such file or directory)

This happened after an update to the Nvidia drivers.

Here's the current (last) version which I am using:

$ nvidia-smi
Thu Aug 29 00:16:17 2024       
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 560.35.03

igo95862 commented 3 months ago

Hello @consolation548

Unfortunately, I do not have an Nvidia GPU to test bubblejail with. Maybe it is worth passing the entire /sys/module/nvidia folder for the [direct_rendering] service?

igo95862 commented 3 months ago

@ProgKing didn't you have a similar issue with X Error of failed request: BadValue?

consolation548 commented 3 months ago

> Hello @consolation548
>
> Unfortunately, I do not have an Nvidia GPU to test bubblejail with. Maybe it is worth passing the entire /sys/module/nvidia folder for the [direct_rendering] service?

@igo95862, hi, yes, that will probably be a solution.

But, in general, acceleration starts working fine even if we pass only one file -- initstate (which literally just says if the nvidia driver is running). You may also want to pass sys/module/nvidia/version, since some programs may refer to it, if you want to keep it more SeLeCtIvE :)

igo95862 commented 3 months ago

I wonder if passing the entire /sys/module/nvidia allows for overclocking and other features that are undesirable from a sandboxing perspective.

igo95862 commented 3 months ago

@bratekarate @gnusenpai I think you helped me originally add support for Nvidia. Can I ask you to look into this /sys/module/nvidia/initstate issue?

gnusenpai commented 3 months ago

I don't think there's any risk here. Podman passes through the entirety of /sys/module by the looks of things. The only thing an unprivileged user can do is read very basic information.

igo95862 commented 3 months ago

Alright. I think I will add /sys/module/nvidia as read-only.

By the way, do you also experience the X Error of failed request: BadValue (integer parameter out of range for operation) issue?

gnusenpai commented 3 months ago

> By the way, do you also experience the X Error of failed request: BadValue (integer parameter out of range for operation) issue?

Adding /sys/module/nvidia to the sandbox fixes that for me, but I've only tried basic 3D test apps.

igo95862 commented 2 months ago

I added read-only access to /sys/module/nvidia in 96aa27836e501e726918d3fc1827ad5be11ceb72. Can you give it a test?

igo95862 commented 2 months ago

0.9.2 released with the fix.
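
The question raised in the thread, whether sharing all of /sys/module/nvidia exposes anything beyond basic read-only information, can be checked per driver version with a small audit. This is an added example, not part of the thread or of bubblejail's code: it walks a sysfs module directory and lists which files a given unprivileged uid could read or write according to the mode bits. The helper names `classify` and `audit_tree` are hypothetical, and ACLs and LSM policy are not considered.

```python
import os
import stat
import sys


def classify(st, uid, gids):
    """Return (can_read, can_write) from mode bits using owner/group/other rules.

    Models an unprivileged user; uid 0 bypasses these checks entirely.
    """
    if uid == st.st_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st.st_mode & r), bool(st.st_mode & w)


def audit_tree(root, uid, gids):
    """Walk root without following symlinks; list files uid could read or write."""
    report = {"readable": [], "writable": []}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, which in sysfs can point outside the module dir
            can_read, can_write = classify(st, uid, gids)
            rel = os.path.relpath(path, root)
            if can_read:
                report["readable"].append(rel)
            if can_write:
                report["writable"].append(rel)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    # Default is the directory discussed in the thread; pass another path to audit it.
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys/module/nvidia"
    groups = set(os.getgroups()) | {os.getgid()}
    result = audit_tree(root, os.getuid(), groups)
    print(f"{len(result['readable'])} readable, {len(result['writable'])} writable under {root}")
    for rel in result["writable"]:
        print("WRITABLE:", rel)
```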