Bug#888952: nvidia-driver and opencl

Andreas Beckmann anbe at debian.org
Tue Feb 6 11:18:12 UTC 2018 

On 2018-02-05 18:12, Andreas Beckmann wrote:
>        EPERM  The caller was not privileged (did not have the CAP_SYS_MODULE capability), or module loading is disabled (see /proc/sys/kernel/modules_disabled in proc(5)).

> So perhaps we need to apply some capabilities to nvidia-modprobe, try this:

Let's debug the capabilities of a setuid root program on your machine,
using a few lines shamelessly stolen from capsh.c :-)
You could also add this to your verbosified nvidia-modprobe.

===== test-setuid.c =====
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <sys/capability.h>

int main()
{
        printf("getuid()  = %ld\n", (long)getuid());
        printf("geteuid() = %ld\n", (long)geteuid());
        printf("getgid()  = %ld\n", (long)getgid());
        printf("getegid() = %ld\n", (long)getegid());

        cap_t all;
        char *text;
        all = cap_get_proc();
        text = cap_to_text(all, NULL);
        printf("Current: %s\n", text);
        cap_free(text);
        cap_free(all);
}
=========================

you may need to install libcap-dev

$ gcc -o test-setuid test-setuid.c -lcap
$ sudo cp test-setuid /usr/bin/test-setuid
$ sudo chown root:root /usr/bin/test-setuid
$ sudo chmod u+s /usr/bin/test-setuid
$ /usr/bin/test-setuid
$ sudo /usr/bin/test-setuid
$ sudo rm /usr/bin/test-setuid


This is what I get:

$ /usr/bin/test-setuid
getuid()  = 1000
geteuid() = 0
getgid()  = 1000
getegid() = 1000
Current: = cap_sys_nice+eip
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep

$ sudo /usr/bin/test-setuid
getuid()  = 0
geteuid() = 0
getgid()  = 0
getegid() = 0
Current: =
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep


Andreas

More information about the pkg-nvidia-devel mailing list