From 7ff2d31165bdb0dff3be78735ece9921fcdda3ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dav=C3=AD=C3=B0=20Steinn=20Geirsson?=
Date: Sat, 21 Feb 2026 00:59:26 +0000
Subject: [PATCH] fix: allow MADV_HUGEPAGE/MADV_COLLAPSE and prlimit64 in gpu seccomp policy

NVIDIA's driver uses madvise with MADV_HUGEPAGE and MADV_COLLAPSE for GPU memory (scoped to render server only), and prlimit64 during initialization (added to gpu_common).

Co-Authored-By: Claude Opus 4.6
---
 jail/seccomp/x86_64/gpu_common.policy | 1 +
 jail/seccomp/x86_64/gpu_render_server.policy | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/jail/seccomp/x86_64/gpu_common.policy b/jail/seccomp/x86_64/gpu_common.policy
index 6156cd931..ef6cd41c2 100644
--- a/jail/seccomp/x86_64/gpu_common.policy
+++ b/jail/seccomp/x86_64/gpu_common.policy
@@ -128,5 +128,6 @@ sched_get_priority_min: 1
 # Required for NVIDIA GPU
 mknodat: 1
 statfs: 1
+prlimit64: 1
 setsockopt: 1
 sendmmsg: 1
diff --git a/jail/seccomp/x86_64/gpu_render_server.policy b/jail/seccomp/x86_64/gpu_render_server.policy
index d3e5fbbbf..22d921f00 100644
--- a/jail/seccomp/x86_64/gpu_render_server.policy
+++ b/jail/seccomp/x86_64/gpu_render_server.policy
@@ -16,3 +16,6 @@ socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0
 
 # allow signalfd()
 signalfd4: 1
+
+# NVIDIA driver uses huge pages for GPU memory
+madvise: arg2 == MADV_HUGEPAGE || arg2 == MADV_COLLAPSE
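Review bot: `prlimit64: 1` in gpu_common.policy admits every form of the call, including setting limits on another process through a non-zero pid and raising the sandboxed process's own limits, while the commit message only claims the driver needs it during initialization. If that path only reads limits (glibc implements getrlimit() through prlimit64 with a NULL new-limit pointer), `prlimit64: arg0 == 0 && arg2 == 0` pins it to exactly that, in the same argument-filter style the socketpair rule in gpu_render_server.policy already uses; if a write is genuinely required, `prlimit64: arg0 == 0` still keeps it to the calling process. The line also lacks a comment saying why it is there, unlike the `# Required for NVIDIA GPU` group it sits under; something like `# NVIDIA driver queries resource limits during initialization` would record the reason. Confirm which form the driver actually issues before tightening the filter.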
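Review bot: The new `madvise` rule at the end of gpu_render_server.policy is only safe if no policy this file includes already carries a `madvise` entry; if one does (common policies typically allow MADV_DONTNEED and similar), check whether the policy compiler rejects the duplicate or lets the later entry win, because in the latter case this line would silently drop the previously permitted advice values for the render server and the values should instead be merged into a single rule. MADV_COLLAPSE is a recent constant (Linux 6.1), so the compiler's generated constant table must come from headers that define it or the policy will fail to build on older environments; that dependency is worth stating in the comment, e.g. `# NVIDIA driver requests THP (MADV_HUGEPAGE) and synchronous collapse (MADV_COLLAPSE, Linux 6.1+) for GPU memory`. The rest of the file is outside the hunk.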