fix: allow MADV_HUGEPAGE/MADV_COLLAPSE and prlimit64 in gpu seccomp policy

NVIDIA's driver uses madvise with MADV_HUGEPAGE and MADV_COLLAPSE for GPU memory (scoped to render server only), and prlimit64 during initialization (added to gpu_common). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 00:59:26 +00:00 · 2026-02-21 00:59:26 +00:00 · 7ff2d31165
commit 7ff2d31165
parent 601d42aa36
2 changed files with 4 additions and 0 deletions
--- a/jail/seccomp/x86_64/gpu_common.policy
+++ b/jail/seccomp/x86_64/gpu_common.policy
@ -128,5 +128,6 @@ sched_get_priority_min: 1
 # Required for NVIDIA GPU
 mknodat: 1
 statfs: 1
+prlimit64: 1
 setsockopt: 1
 sendmmsg: 1
--- a/jail/seccomp/x86_64/gpu_render_server.policy
+++ b/jail/seccomp/x86_64/gpu_render_server.policy
@ -16,3 +16,6 @@ socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0

 # allow signalfd()
 signalfd4: 1
+
+# NVIDIA driver uses huge pages for GPU memory
+madvise: arg2 == MADV_HUGEPAGE || arg2 == MADV_COLLAPSE