[GH-ISSUE #2072] Nvida drivers using firejail #1400

Closed
opened 2026-05-05 08:03:46 -06:00 by gitea-mirror · 11 comments

Originally created by @Raj2032 on GitHub (Jul 28, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2072

If I installed Nvidia drivers through firejail and I completely block Nvidia from having access to any of my files and other stuff, would Nvidia work still and would it be impossible for Nvidia to collect any additional information about my computer?


@chiraag-nataraj commented on GitHub (Jul 28, 2018):

It wouldn't be able to send anything to Nvidia during the install, but that says nothing about whether the modules send anything back when they're loaded or running. And no, you can't use firejail to sandbox kernel modules.

That being said, I would just use your distribution packages to install the driver — it's generally much less of a headache.


@Raj2032 commented on GitHub (Jul 28, 2018):

"distribution packages to install the driver" What is that exactly?

On Sun, Jul 29, 2018 at 9:34 AM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:

> It wouldn't be able to send anything to Nvidia during the install, but that says nothing about whether the modules send anything back when they're loaded or running. And no, you can't use firejail to sandbox kernel modules.
>
> That being said, I would just use your distribution packages to install the driver — it's generally much less of a headache.


@chiraag-nataraj commented on GitHub (Jul 28, 2018):

Most distributions have a way to install the Nvidia driver through their package system. For example, Debian has the nvidia-driver package. Other distributions have similar ones.


@Raj2032 commented on GitHub (Jul 28, 2018):

And how would I know a kernel module won't invade a person's privacy, especially since this is closed source?

On Sun, Jul 29, 2018 at 9:40 AM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:

> Most distributions have a way to install the Nvidia driver through their package system. For example, Debian has the nvidia-driver package. Other distributions have similar ones.


@chiraag-nataraj commented on GitHub (Jul 29, 2018):

You don't know that. But firejail won't protect you against that because it's meant to sandbox programs. All of the kernel-based systems it uses are meant to sandbox userspace programs. They don't work on kernel modules.


@chiraag-nataraj commented on GitHub (Jul 29, 2018):

The only thing you can protect in this case is the installation method. And in that sense, I trust the distribution's package manager more than some binary installer.


@Raj2032 commented on GitHub (Jul 29, 2018):

"All of the kernel-based systems it uses are meant to sandbox userspace programs" Sorry I didn't understand this, are you saying that the package manager system we use where we install Nvidia drivers already sandboxes these drivers?

On Sun, Jul 29, 2018 at 11:22 AM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:

> Closed #2072 https://github.com/netblue30/firejail/issues/2072.


@chiraag-nataraj commented on GitHub (Jul 29, 2018):

No. What I'm saying is that sandboxing kernel modules is entirely out of the scope of firejail because the kernel technologies it uses (seccomp-bpf filters, capabilities, namespaces) are all designed to sandbox programs, not modules.
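The two replies above make the same point: seccomp-bpf filters, capabilities and namespaces are attributes of a userspace task, so they can confine a program but not a kernel module. The script below is an added illustration, not code from this thread or from the firejail project. It decodes the per-task fields those mechanisms leave in `/proc/<pid>/status` (`Seccomp`, `NoNewPrivs`, `CapEff`) from two constructed status excerpts, and optionally from the process it runs in. A loaded module has no such record anywhere under `/proc`, which is exactly why these tools have nothing to act on. The capability bit table is the one from `linux/capability.h`; the "full" mask in the sample assumes a kernel with all 41 capabilities defined.

```python
"""Decode the per-process confinement fields that firejail's mechanisms set.

Added example: parses constructed /proc/<pid>/status excerpts and reports
whether a task is under a seccomp filter, has no-new-privs set and holds
any effective capabilities. These are task attributes; a kernel module
has no equivalent record, so nothing here could describe or confine one.
"""

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Capability bit positions from linux/capability.h (bit 0 = CAP_CHOWN ... bit 40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed samples (not captured from a real system): a root shell with the
# full 41-bit capability set and no seccomp filter, and a process as firejail
# leaves it with a filter installed, no capabilities and no-new-privs set.
SAMPLE_ROOT_SHELL = "Name:\tbash\nNoNewPrivs:\t0\nSeccomp:\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_FIREJAILED = "Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Split /proc/<pid>/status lines into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Expand a CapEff/CapBnd hex mask into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def summarize(status_text):
    """Report how a task is confined by seccomp and capability bounding."""
    f = parse_status(status_text)
    mode = int(f.get("Seccomp", "0"))
    caps = decode_caps(f.get("CapEff", "0"))
    nnp = f.get("NoNewPrivs", "0") == "1"
    return {
        "name": f.get("Name", "?"),
        "seccomp": SECCOMP_MODES.get(mode, "unknown"),
        "effective_caps": caps,
        "no_new_privs": nnp,
        # "confined" here means: a syscall filter is active, the task cannot
        # regain privilege through setuid or file-capability binaries, and it
        # currently holds no effective capabilities.
        "confined": mode == 2 and nnp and not caps,
    }


def summarize_self():
    """Inspect the current process; returns None where /proc is unavailable."""
    try:
        with open("/proc/self/status") as fh:
            return summarize(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for sample in (SAMPLE_ROOT_SHELL, SAMPLE_FIREJAILED):
        print(summarize(sample))
    print("this process:", summarize_self())
```

Running the script plainly and then under `firejail --seccomp --caps.drop=all python3 status_decode.py` shows the `this process:` line change from `seccomp: disabled` with a capability list to `seccomp: filter` with an empty one. Running `lsmod` alongside shows the contrast the reply is making: modules are listed by name, size and use count only, with no seccomp mode, capability set or namespace to inspect, because they execute as part of the kernel itself.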


@Raj2032 commented on GitHub (Jul 29, 2018):

Is there a way to sandbox kernel modules?

On Sun, Jul 29, 2018 at 8:22 PM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:

> No. What I'm saying is that sandboxing kernel modules is entirely out of the scope of firejail because the kernel technologies it uses (seccomp-bpf filters, capabilities, namespaces) are all designed to sandbox programs, not modules.


@chiraag-nataraj commented on GitHub (Jul 29, 2018):

Nope, not that I'm aware of. See this: https://unix.stackexchange.com/questions/266131/are-there-sandboxing-concepts-for-proprietary-binary-kernel-modules-in-linux#266385


@Raj2032 commented on GitHub (Jul 29, 2018):

Oh

On Sun, Jul 29, 2018 at 10:43 PM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:

> Nope, not that I'm aware of.
