| 17 Jun 2026 |
 Atemu | Oh, and, apparently, it's already known: https://gitlab.freedesktop.org/mesa/mesa/-/work_items/15025 | 23:32:05 |
| 18 Jun 2026 |
|  c2fc2f joined the room. | 13:42:27 |
| 19 Jun 2026 |
 Marie | https://github.com/containers/bubblewrap/issues/653
Does this fix the steamvr capability thing? If we add --not-a-security-boundary to steams fhsenv, once released? | 08:31:34 |
 magic_rb | Holy shit fucking finally | 08:50:56 |
| magic_rb | It should fix also the chromium in steamos thing iirc | 08:51:13 |
| Atemu | Unfortunately not because you need CAP_SYS_NICE in the root namespace | 15:03:16 |
 K900 | In reply to @marie:marie.cologne
https://github.com/containers/bubblewrap/issues/653
Does this fix the steamvr capability thing? If we add --not-a-security-boundary to steams fhsenv, once released? No, you can't gain capabilities inside a userns | 15:11:43 |
| magic_rb | We can do that with run0 no technically. Launch steam with cap_sys_nice, bwrap would then neatly pass it through | 15:13:29 |
| K900 | As in the kernel won't let you | 15:12:02 |
| magic_rb | * | 15:14:07 |
| K900 | In reply to @magic_rb:matrix.redalder.org
It should fix also the chromium in steamos thing iirc I don't think it will either | 15:12:54 |
| K900 | The real problem is that user namespaces are inherently no_new_privs | 15:13:11 |
| K900 | Well you can do it to the entire Steam process tree yeah | 15:13:50 |
| K900 | Actually I'm not sure if you can even inherit capabilities into a userns | 15:14:35 |
| K900 | But maybe? | 15:14:38 |
| Atemu | You might in general but this one specifically, you can't | 15:16:35 |
 ElvishJerricco | isn't the whole point of user namespaces that you get all capabilities, they're just scoped by the ones the creator had in the parent namespace? | 15:16:41 |
| magic_rb | Yeah thats what i thought. If the creator has nice, then anything in the ns should be able to | 15:17:51 |
| Atemu | You'd think but no | 15:18:06 |
| Atemu | And it's intentional | 15:18:16 |
| magic_rb | :( | 15:18:32 |
| K900 | In reply to @elvishjerricco:matrix.org
isn't the whole point of user namespaces that you get all capabilities, they're just scoped by the ones the creator had in the parent namespace? I don't think so | 15:18:32 |
| K900 | Not when you're doing UID remapping | 15:18:41 |
| K900 | Which we are | 15:18:44 |
| magic_rb | So what is the solution to our nice problem, rtkit? | 15:18:55 |
| Atemu | Long story short: Your options are either to patch your graphics driver to not require the cap for high-prio queues or use Monado | 15:19:11 |
| magic_rb | Cause if im to port jovian to the frame, ill need some other solution | 15:19:30 |
| ElvishJerricco | $ unshare -Uc --keep-caps setpriv -dd | rg -o sys_nice
sys_nice
sys_nice
sys_nice
sys_nice
sys_nice
also works with -r instead of -c
| 15:19:37 |
| magic_rb | Fucking if i have to patch the kernel, so be it | 15:19:42 |
| ElvishJerricco | you definitely have the cap | 15:19:43 |
