direct_rendering: Mount read-only all /sys/module/nvidia* folders

Without those folders CUDA will not work. The `/sys/module/nvidia` was already mounted read only to make 500+ driver work. Thanks to @silvestron for reporting and debugging this issue.
igo95862 · Feb 15, 2025 · 56ad57a · 56ad57a
1 parent bd82670
commit 56ad57a
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/src/bubblejail/services.py b/src/bubblejail/services.py
@@ -590,12 +590,15 @@ def iter_bwrap_options(self) -> ServiceGeneratorType:
         yield DevBind("/dev/dri")
 
         # Nvidia specific binds
-        for x in Path("/dev/").iterdir():
-            if x.name.startswith("nvidia"):
-                yield DevBind(x)
-
-        # Nvidia driver 500+ requires read access to sysfs
-        yield ReadOnlyBindTry("/sys/module/nvidia")
+        for nv_dev in Path("/dev/").iterdir():
+            if nv_dev.name.startswith("nvidia"):
+                yield DevBind(nv_dev)
+
+        # Nvidia driver 500+ requires read access to sysfs module directories
+        # and CUDA does not work without them.
+        for nv_mod in Path("/sys/module/").iterdir():
+            if nv_mod.name.startswith("nvidia"):
+                yield ReadOnlyBindTry(nv_mod)
 
     name = "direct_rendering"
     pretty_name = "Direct Rendering"