github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3335] mpv: hardware video decoding nvdec does not work #2093

New issue
Open
opened 2026-05-05 08:46:13 -06:00 by gitea-mirror · 12 comments
gitea-mirror commented 2026-05-05 08:46:13 -06:00
Owner
Copy link

Originally created by @gedec-coin-one on GitHub (Apr 9, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3335

seems nvdec need nvidia_uvm kernel module loadded to work.
Without firejail, when I running mpv, it will load nvidia_uvm module automatically (if it not loaded yet),
but inside firejail, it not gonna work, so nvdec can't work either.

temporary workaround:
mannually load nvidia_uvm module, eg. sudo modprobe nvidia_uvm.

FYI:
firejail version: 0.9.62
kernel version: 5.6.3
nvidia-drivers version: 440.82
my current mpv.local file:

env __NV_PRIME_RENDER_OFFLOAD=1
env __VK_LAYER_NV_optimus=NVIDIA_only
env __GLX_VENDOR_LIBRARY_NAME=nvidia
ignore nodbus
ignore nogroups
ignore nonewprivs
ignore private-dev
ignore noexec ${HOME}
Originally created by @gedec-coin-one on GitHub (Apr 9, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3335 seems `nvdec` need `nvidia_uvm` kernel module loadded to work. Without firejail, when I running mpv, it will load `nvidia_uvm` module automatically (if it not loaded yet), but inside firejail, it not gonna work, so `nvdec` can't work either. temporary workaround: mannually load `nvidia_uvm` module, eg. `sudo modprobe nvidia_uvm`. FYI: firejail version: 0.9.62 kernel version: 5.6.3 nvidia-drivers version: 440.82 my current mpv.local file: ``` env __NV_PRIME_RENDER_OFFLOAD=1 env __VK_LAYER_NV_optimus=NVIDIA_only env __GLX_VENDOR_LIBRARY_NAME=nvidia ignore nodbus ignore nogroups ignore nonewprivs ignore private-dev ignore noexec ${HOME} ```
gitea-mirror added the
bug
graphics
 labels 2026-05-05 08:46:13 -06:00
gitea-mirror commented 2026-05-05 08:46:15 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 9, 2020):

Might be similar to #2447. That was never actually cleared-up.

Without firejail, when I running mpv, it will load nvidia_uvm module automatically (if it not loaded yet),

IMO it's not mpv but the linux kernel that loads the nvidia_uvm module. In any case, the mpv profile uses private-bin env,mpv,python*,youtube-dl, which might be too restrictive in this context. I suggest ignoring that too. Another possibility (in combination with what you already ignored) is noroot. Did you try the --build/--build= options yet?

<!-- gh-comment-id:611342958 --> @ghost commented on GitHub (Apr 9, 2020): Might be similar to #2447. That was never actually cleared-up. > Without firejail, when I running mpv, it will load nvidia_uvm module automatically (if it not loaded yet), IMO it's not mpv but the linux kernel that loads the nvidia_uvm module. In any case, the mpv profile uses `private-bin env,mpv,python*,youtube-dl`, which might be too restrictive in this context. I suggest ignoring that too. Another possibility (in combination with what you already ignored) is `noroot`. Did you try the --build/--build= options yet?
gitea-mirror commented 2026-05-05 08:46:16 -06:00
Author
Owner
Copy link

@gedec-coin-one commented on GitHub (Apr 9, 2020):

Might be similar to #2447.

I tried --noprofile too, not work.

it's not mpv but the linux kernel that loads the nvidia_uvm module

English is not my first language, I meant mpv triggered something then made kernel loads that.

I tried ignore private-bin env,mpv,python*,youtube-dl and ignore noroot,each then both,
and the --build/--build= options, still not work.

here is the profile --build= option generated:

############################################
# /usr/bin/mpv profile
############################################
# Persistent global definitions
# include /etc/firejail/globals.local

### basic blacklisting
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# include /etc/firejail/disable-programs.inc

### home directory whitelisting
whitelist ~/.icons/default
whitelist ~/.icons/default/cursors
whitelist ~/.cursors/default
whitelist ~/.cursors/default/cursors
whitelist ~/.icons/breeze_cursors
whitelist ~/.icons/breeze_cursors/cursors
whitelist ~/.cursors/breeze_cursors
whitelist ~/.cursors/breeze_cursors/cursors
whitelist ~/.Xdefaults-Phantom-Pro
whitelist ~/.pulse-cookie
whitelist ~/.rubberband.wisdom.d
whitelist ~/.XCompose
whitelist ~/.fonts
whitelist ~/.local/share/fonts
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
whitelist ~/.config/fontconfig
whitelist ~/Videos
whitelist ~/.config/mpv
whitelist ~/.nv
include /etc/firejail/whitelist-common.inc

### filesystem

# private-tmp
# File accessed in /tmp directory:
# /tmp/firejail-strace.7wIibg,
# private-dev
# This is the list of devices accessed (on top of regular private-dev devices:
# /dev/dri/card0,/dev/shm/cuda_injection_path_shm,/dev/dri/renderD129,
private-etc machine-id,libva.conf,fonts,mpv,ssl,nvidia,
blacklist /var
private-bin xset,dbus-send,which,sed,grep,mv,bash,mpv,
# private-lib
whitelist /usr/share/icons
whitelist /usr/share/pixmaps
whitelist /usr/share/cursors
whitelist /usr/share/glvnd
whitelist /usr/share/X11
whitelist /usr/share/fonts
whitelist /usr/share/nvidia

### security filters
caps.drop all
nonewprivs
seccomp
# seccomp.keep futex,poll,ioctl,wait4,restart_syscall,getpid,read,write,stat,recvmsg,openat,munmap,mmap,close,sched_yield,lseek,mprotect,execve,clone,writev,sendto,access,getdents64,fstat,mremap,rmdir,unlink,recvfrom,fstatfs,sendmsg,rt_sigprocmask,readlink,rt_sigaction,brk,madvise,fcntl,getpgrp,getrandom,geteuid,set_robust_list,prctl,getegid,getuid,sched_setattr,getgid,socket,connect,fadvise64,shutdown,mkdir,splice,eventfd2,arch_prctl,pipe,dup2,rt_sigreturn,socketpair,getpeername,getsockname,uname,set_tid_address,dup,prlimit64,lstat,setsockopt,statfs,clock_getres,getresuid,getresgid,sigaltstack,fallocate,pipe2,renameat2,ftruncate,newfstatat,umask,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,getsockopt,sysinfo,getppid,gettid,sched_getattr
# 84 syscalls total
# Probably you will need to add more syscalls to seccomp.keep. Look for
# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
# running your sandbox.

### network
protocol unix,
net none

### environment
shell none
<!-- gh-comment-id:611371620 --> @gedec-coin-one commented on GitHub (Apr 9, 2020): > Might be similar to #2447. I tried `--noprofile` too, not work. > it's not mpv but the linux kernel that loads the nvidia_uvm module English is not my first language, I meant mpv triggered something then made kernel loads that. I tried `ignore private-bin env,mpv,python*,youtube-dl` and `ignore noroot`,each then both, and the `--build/--build=` options, still not work. here is the profile `--build=` option generated: ``` ############################################ # /usr/bin/mpv profile ############################################ # Persistent global definitions # include /etc/firejail/globals.local ### basic blacklisting include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc ### home directory whitelisting whitelist ~/.icons/default whitelist ~/.icons/default/cursors whitelist ~/.cursors/default whitelist ~/.cursors/default/cursors whitelist ~/.icons/breeze_cursors whitelist ~/.icons/breeze_cursors/cursors whitelist ~/.cursors/breeze_cursors whitelist ~/.cursors/breeze_cursors/cursors whitelist ~/.Xdefaults-Phantom-Pro whitelist ~/.pulse-cookie whitelist ~/.rubberband.wisdom.d whitelist ~/.XCompose whitelist ~/.fonts whitelist ~/.local/share/fonts whitelist ~/.fonts.conf whitelist ~/.fonts.conf.d whitelist ~/.config/fontconfig whitelist ~/Videos whitelist ~/.config/mpv whitelist ~/.nv include /etc/firejail/whitelist-common.inc ### filesystem # private-tmp # File accessed in /tmp directory: # /tmp/firejail-strace.7wIibg, # private-dev # This is the list of devices accessed (on top of regular private-dev devices: # /dev/dri/card0,/dev/shm/cuda_injection_path_shm,/dev/dri/renderD129, private-etc machine-id,libva.conf,fonts,mpv,ssl,nvidia, blacklist /var private-bin xset,dbus-send,which,sed,grep,mv,bash,mpv, # private-lib whitelist /usr/share/icons whitelist /usr/share/pixmaps whitelist /usr/share/cursors whitelist /usr/share/glvnd whitelist /usr/share/X11 whitelist /usr/share/fonts whitelist /usr/share/nvidia ### security filters caps.drop all nonewprivs seccomp # seccomp.keep futex,poll,ioctl,wait4,restart_syscall,getpid,read,write,stat,recvmsg,openat,munmap,mmap,close,sched_yield,lseek,mprotect,execve,clone,writev,sendto,access,getdents64,fstat,mremap,rmdir,unlink,recvfrom,fstatfs,sendmsg,rt_sigprocmask,readlink,rt_sigaction,brk,madvise,fcntl,getpgrp,getrandom,geteuid,set_robust_list,prctl,getegid,getuid,sched_setattr,getgid,socket,connect,fadvise64,shutdown,mkdir,splice,eventfd2,arch_prctl,pipe,dup2,rt_sigreturn,socketpair,getpeername,getsockname,uname,set_tid_address,dup,prlimit64,lstat,setsockopt,statfs,clock_getres,getresuid,getresgid,sigaltstack,fallocate,pipe2,renameat2,ftruncate,newfstatat,umask,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,getsockopt,sysinfo,getppid,gettid,sched_getattr # 84 syscalls total # Probably you will need to add more syscalls to seccomp.keep. Look for # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while # running your sandbox. ### network protocol unix, net none ### environment shell none ```
gitea-mirror commented 2026-05-05 08:46:17 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 9, 2020):

Thanks for posting the --build output. Did that actually work to run mpv with nvdec?

<!-- gh-comment-id:611439407 --> @ghost commented on GitHub (Apr 9, 2020): Thanks for posting the --build output. Did that actually work to run mpv with nvdec?
gitea-mirror commented 2026-05-05 08:46:18 -06:00
Author
Owner
Copy link

@gedec-coin-one commented on GitHub (Apr 10, 2020):

Thanks for posting the --build output. Did that actually work to run mpv with nvdec?

no, it's still not work unless load nvidia_uvm module manually.

<!-- gh-comment-id:611860717 --> @gedec-coin-one commented on GitHub (Apr 10, 2020): > Thanks for posting the --build output. Did that actually work to run mpv with nvdec? no, it's still not work unless load nvidia_uvm module manually.
gitea-mirror commented 2026-05-05 08:46:19 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

After a decent portion of sleep I think this is probably seccomp related. Can you try the seccomp.keep list seen in your output from the --build command instead of seccomp?

#seccomp
seccomp.keep futex,poll,ioctl,wait4,restart_syscall,getpid,read,write,stat,recvmsg,openat,munmap,mmap,close,sched_yield,lseek,mprotect,execve,clone,writev,sendto,access,getdents64,fstat,mremap,rmdir,unlink,recvfrom,fstatfs,sendmsg,rt_sigprocmask,readlink,rt_sigaction,brk,madvise,fcntl,getpgrp,getrandom,geteuid,set_robust_list,prctl,getegid,getuid,sched_setattr,getgid,socket,connect,fadvise64,shutdown,mkdir,splice,eventfd2,arch_prctl,pipe,dup2,rt_sigreturn,socketpair,getpeername,getsockname,uname,set_tid_address,dup,prlimit64,lstat,setsockopt,statfs,clock_getres,getresuid,getresgid,sigaltstack,fallocate,pipe2,renameat2,ftruncate,newfstatat,umask,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,getsockopt,sysinfo,getppid,gettid,sched_getattr
<!-- gh-comment-id:611904463 --> @ghost commented on GitHub (Apr 10, 2020): After a decent portion of sleep I think this is probably seccomp related. Can you try the seccomp.keep list seen in your output from the --build command instead of seccomp? ``` #seccomp seccomp.keep futex,poll,ioctl,wait4,restart_syscall,getpid,read,write,stat,recvmsg,openat,munmap,mmap,close,sched_yield,lseek,mprotect,execve,clone,writev,sendto,access,getdents64,fstat,mremap,rmdir,unlink,recvfrom,fstatfs,sendmsg,rt_sigprocmask,readlink,rt_sigaction,brk,madvise,fcntl,getpgrp,getrandom,geteuid,set_robust_list,prctl,getegid,getuid,sched_setattr,getgid,socket,connect,fadvise64,shutdown,mkdir,splice,eventfd2,arch_prctl,pipe,dup2,rt_sigreturn,socketpair,getpeername,getsockname,uname,set_tid_address,dup,prlimit64,lstat,setsockopt,statfs,clock_getres,getresuid,getresgid,sigaltstack,fallocate,pipe2,renameat2,ftruncate,newfstatat,umask,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,getsockopt,sysinfo,getppid,gettid,sched_getattr ```
gitea-mirror commented 2026-05-05 08:46:20 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 10, 2020):

@glitsj16 with --noprofile, there are no seccomp filters.
@gedec-coin-one have you (or your distro) set force-nonewprivs (or anythin else) in firejail.config?

<!-- gh-comment-id:611932520 --> @rusty-snake commented on GitHub (Apr 10, 2020): @glitsj16 with `--noprofile`, there are no seccomp filters. @gedec-coin-one have you (or your distro) set force-nonewprivs (or anythin else) in firejail.config?
gitea-mirror commented 2026-05-05 08:46:21 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

@rusty-snake Right. I guess I need more/better sleep heh. Too bad I don't have hardware to fully test mpv with nvdec. Our profile seems to cause issues with that specifically, cfr. #2447.

<!-- gh-comment-id:611943588 --> @ghost commented on GitHub (Apr 10, 2020): @rusty-snake Right. I guess I need more/better sleep heh. Too bad I don't have hardware to fully test mpv with nvdec. Our profile seems to cause issues with that specifically, cfr. #2447.
gitea-mirror commented 2026-05-05 08:46:22 -06:00
Author
Owner
Copy link

@gedec-coin-one commented on GitHub (Apr 10, 2020):

have you (or your distro) set force-nonewprivs (or anythin else) in firejail.config?

I'm using Gentoo right now, seems force-nonewprivs is disabled by default.

Screenshot_20200410_202123

firejail.config

# This is Firejail system-wide configuration file. The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.

# Enable AppArmor functionality, default enabled.
# apparmor yes

# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2

# Enable or disable bind support, default enabled.
# bind yes

# Allow (DRM) execution in browsers, default disabled.
# browser-allow-drm no

# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes

# Enable or disable cgroup support, default enabled.
# cgroup yes

# Enable or disable chroot support, default enabled.
# chroot yes

# Enable or disable dbus handling by --nodbus flag, default enabled.
# dbus yes

# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist or --ignore.
# disable-mnt no

# Set the limit for file copy in several --private-* options. The size is set
# in megabytes. By default we allow up to 500MB.
# Note: the files are copied in RAM.
# file-copy-limit 500

# Enable or disable file transfer support, default enabled.
# file-transfer yes

# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no

# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes

# Force use of nonewprivs.  This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control.  Default disabled.
# force-nonewprivs no

# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes

# Enable or disable sandbox name change, default enabled.
# name-change yes

# Enable or disable networking features, default enabled.
# network yes

# Enable or disable overlayfs features, default enabled.
# overlayfs yes

# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no

# Enable or disable private-home feature, default enabled
# private-home yes

# Enable or disable private-cache feature, default enabled
# private-cache yes

# Enable or disable private-lib feature, default enabled
# private-lib yes

# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of  iptables-save  and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules

# Enable or disable seccomp support, default enabled.
# seccomp yes

# Enable or disable user namespace support, default enabled.
# userns yes

# Enable or disable whitelisting support, default enabled.
# whitelist yes

# Enable or disable X11 sandboxing support, default enabled.
# x11 yes

# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024

# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes

# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale

# Xpra server command extra parameters. None by default; this is an example.
# xpra-extra-params --dpi 96

# Enable this option if you have a version of Xpra that supports --attach switch
# for start command, default disabled.
# xpra-attach no

# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
# color depth; use 24 unless you know exactly what you're doing.
# xvfb-screen 640x480x24
# xvfb-screen 800x600x24
# xvfb-screen 1024x768x24
# xvfb-screen 1280x1024x24

# Xvfb command extra parameters.  None by default; this is an example.
# xvfb-extra-params -pixdepths 8 24 32
<!-- gh-comment-id:612008784 --> @gedec-coin-one commented on GitHub (Apr 10, 2020): > have you (or your distro) set force-nonewprivs (or anythin else) in firejail.config? I'm using Gentoo right now, seems force-nonewprivs is disabled by default. <img width="459" alt="Screenshot_20200410_202123" src="https://user-images.githubusercontent.com/54626868/78990429-fe362d00-7b68-11ea-9f18-ee0607886c95.png"> firejail.config ``` # This is Firejail system-wide configuration file. The file contains # keyword-argument pairs, one per line. Most features are enabled by default. # Use 'yes' or 'no' as configuration values. # Enable AppArmor functionality, default enabled. # apparmor yes # Number of ARP probes sent when assigning an IP address for --net option, # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds # timeout is implemented for each probe. Increase this number to 4 if your # local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are # between 1 and 30. # arp-probes 2 # Enable or disable bind support, default enabled. # bind yes # Allow (DRM) execution in browsers, default disabled. # browser-allow-drm no # Disable U2F in browsers, default enabled. # browser-disable-u2f yes # Enable or disable cgroup support, default enabled. # cgroup yes # Enable or disable chroot support, default enabled. # chroot yes # Enable or disable dbus handling by --nodbus flag, default enabled. # dbus yes # Disable /mnt, /media, /run/mount and /run/media access. By default access # to these directories is enabled. Unlike --disable-mnt profile option this # cannot be overridden by --noblacklist or --ignore. # disable-mnt no # Set the limit for file copy in several --private-* options. The size is set # in megabytes. By default we allow up to 500MB. # Note: the files are copied in RAM. # file-copy-limit 500 # Enable or disable file transfer support, default enabled. # file-transfer yes # Enable Firejail green prompt in terminal, default disabled # firejail-prompt no # Follow symlink as user. While using --whitelist feature, # symlinks pointing outside home directory are followed only # if both the link and the real file are owned by the user. # Enabled by default # follow-symlink-as-user yes # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration # that is partially under their control. Default disabled. # force-nonewprivs no # Allow sandbox joining as a regular user, default enabled. # root user can always join sandboxes. # join yes # Enable or disable sandbox name change, default enabled. # name-change yes # Enable or disable networking features, default enabled. # network yes # Enable or disable overlayfs features, default enabled. # overlayfs yes # Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no # Enable or disable private-home feature, default enabled # private-home yes # Enable or disable private-cache feature, default enabled # private-cache yes # Enable or disable private-lib feature, default enabled # private-lib yes # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no # Change default netfilter configuration. When using --netfilter option without # a file argument, the default filter is hardcoded (see man 1 firejail). This # configuration entry allows the user to change the default by specifying # a file containing the filter configuration. The filter file format is the # format of iptables-save and iptable-restore commands. Example: # netfilter-default /etc/iptables.iptables.rules # Enable or disable seccomp support, default enabled. # seccomp yes # Enable or disable user namespace support, default enabled. # userns yes # Enable or disable whitelisting support, default enabled. # whitelist yes # Enable or disable X11 sandboxing support, default enabled. # x11 yes # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 # xephyr-screen 800x600 # xephyr-screen 1024x768 # xephyr-screen 1280x1024 # Firejail window title in Xephyr, default enabled. # xephyr-window-title yes # Xephyr command extra parameters. None by default; these are examples. # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev # xephyr-extra-params -grayscale # Xpra server command extra parameters. None by default; this is an example. # xpra-extra-params --dpi 96 # Enable this option if you have a version of Xpra that supports --attach switch # for start command, default disabled. # xpra-attach no # Screen size for --x11=xvfb, default 800x600x24. The third dimension is # color depth; use 24 unless you know exactly what you're doing. # xvfb-screen 640x480x24 # xvfb-screen 800x600x24 # xvfb-screen 1024x768x24 # xvfb-screen 1280x1024x24 # Xvfb command extra parameters. None by default; this is an example. # xvfb-extra-params -pixdepths 8 24 32 ```
gitea-mirror commented 2026-05-05 08:46:23 -06:00
Author
Owner
Copy link

@Ryujinra commented on GitHub (Apr 10, 2020):

I should weigh in here since I created #2447, found the problem, and found a solution that works for me (I forgot to return to #2447 and post this solution earlier).

The issue is that the nvidia-uvm device node is not created in /dev when mpv is run via firejail, which in turn prevents CUDA/NVDEC from working.

To solve this without any changes to firejail, you can just use the script nvidia provides to setup the device nodes manually on startup: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications. Must be run as root.

Now, the setting up of these device nodes is supposed to be the job of nvidia-modprobe from what I can tell, but it doesn't work properly for some reason on some machines (maybe related to it being a setuid binary), so in these cases I believe firejail is preventing the (kernel's?) automatic setup of any missing device nodes when a program like mpv is called from within the firejail container. You can take a closer look at nvidia's script above to see exactly what permissions are needed to set up these nodes and what internal firejail restrictions may be preventing this process.

Hope this helps get to the bottom of this tricky issue.

<!-- gh-comment-id:612011834 --> @Ryujinra commented on GitHub (Apr 10, 2020): I should weigh in here since I created #2447, found the problem, and found a solution that works for me (I forgot to return to #2447 and post this solution earlier). **The issue is that the `nvidia-uvm` device node is not created in `/dev` when `mpv` is run via firejail, which in turn prevents CUDA/NVDEC from working.** To solve this without any changes to firejail, you can just use the script nvidia provides to setup the device nodes manually on startup: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications. Must be run as root. Now, the setting up of these device nodes is supposed to be the job of `nvidia-modprobe` from what I can tell, but it doesn't work properly for some reason on some machines (maybe related to it being a setuid binary), so in these cases I believe firejail is preventing the (kernel's?) automatic setup of any missing device nodes when a program like `mpv` is called from within the firejail container. You can take a closer look at nvidia's script above to see exactly what permissions are needed to set up these nodes and what internal firejail restrictions may be preventing this process. Hope this helps get to the bottom of this tricky issue.
gitea-mirror commented 2026-05-05 08:46:24 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

@Ryujinra Thank you very much for providing this vital piece of information here. Chances are that we can work with this missing piece of the mpv/nvdec puzzle. I just added a comment to #2447 so users can find this thread more easily. Appreciated, stay healthy!

<!-- gh-comment-id:612037634 --> @ghost commented on GitHub (Apr 10, 2020): @Ryujinra Thank you very much for providing this vital piece of information here. Chances are that we can work with this missing piece of the mpv/nvdec puzzle. I just added a comment to #2447 so users can find this thread more easily. Appreciated, stay healthy!
gitea-mirror commented 2026-05-05 08:46:25 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 10, 2020):

@gedec-coin-one can you try firejail --noprofile --noblacklist=/sys/module mpv

<!-- gh-comment-id:612117547 --> @rusty-snake commented on GitHub (Apr 10, 2020): @gedec-coin-one can you try `firejail --noprofile --noblacklist=/sys/module mpv`
gitea-mirror commented 2026-05-05 08:46:26 -06:00
Author
Owner
Copy link

@gedec-coin-one commented on GitHub (Apr 11, 2020):

@gedec-coin-one can you try firejail --noprofile --noblacklist=/sys/module mpv

still not work

[ffmpeg] AVHWDeviceContext: cu->cuInit(0) failed -> CUDA_ERROR_UNKNOWN: unknown error
<!-- gh-comment-id:612303401 --> @gedec-coin-one commented on GitHub (Apr 11, 2020): > @gedec-coin-one can you try `firejail --noprofile --noblacklist=/sys/module mpv` still not work ``` [ffmpeg] AVHWDeviceContext: cu->cuInit(0) failed -> CUDA_ERROR_UNKNOWN: unknown error ```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2093
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?