--gpu: Automated NVIDIA driver install: Allow new privileges #162

CHANGELOG.md

@@ -13,14 +13,19 @@ Project website: https://github.com/mviereck/x11docker
    Set `--wm=IMAGE` to run local image IMAGE as window manager.
    [(#158)](https://github.com/mviereck/x11docker/issues/158)
 ### Fixed
+ - `--gpu` with automated NVIDIA drivr installation:
+   Don't set `--security-opt=no-new-privileges`.
+   [(#162)](https://github.com/mviereck/x11docker/issues/162)
  - WSL: Add Windows System32 path to `PATH`. Can miss with `sudo`.
    [(#153)](https://github.com/mviereck/x11docker/issues/153)
  - `--update`, `--update-master`: Support more common `tar` beside `unzip`.
    [(#115)](https://github.com/mviereck/x11docker/issues/115)
  - `--vcxsrv`, `--xwin`: fix for free display number check.
+   Add `xwininfo` to dependency check of `--xwin`.
    [(#155)](https://github.com/mviereck/x11docker/issues/155)
  - `--pulseaudio` on Windows: Check multiple drives for cygwin64.
-   [(#145)](https://github.com/mviereck/x11docker/issues/145)
+   Share pulseaudio cookie.
+   [(#161)](https://github.com/mviereck/x11docker/issues/161)
 
 
 ## [5.6.0](https://github.com/mviereck/x11docker/releases/tag/v5.6.0) - 2019-05-02

x11docker

@@ -1381,7 +1381,6 @@ setup_gpu() {                   # option --gpu: share /dev/dri and check nvidia
     verbose -d "Detected NVIDIA driver version $Nvidiaversion on host."
     Nvidiadriver=$(find /usr/local/share/x11docker/NVIDIA*$Nvidiaversion*.run $Hostuserhome/.local/share/x11docker/NVIDIA*$Nvidiaversion*.run 2>/dev/null | head -n1 )
     Nvidiadriver="$(myrealpath "$Nvidiadriver" 2>/dev/null)"
-
     case "$Runtime" in
       "nvidia") 
         verbose -d "NVIDIA runtime detected. Not installing driver."
@@ -1395,8 +1394,9 @@ setup_gpu() {                   # option --gpu: share /dev/dri and check nvidia
           [ "$Capdropall" = "yes" ] && warning "To install proprietary closed source NVIDIA driver,
   x11docker must give some capabilities to container that would be dropped
   otherwise for security reasons. Container security is reduced now.
+  However, given capabilities are still within default Docker capabilities.
   You would not have this issue with free nouveau driver on host."
-
+          :
         } || {
           Nvidiadriver=""
           note "You are using proprietary closed source NVIDIA driver.
@@ -3698,7 +3698,7 @@ setup_capabilities() {          # check linux capabilities needed by container
   }
   [ "$Switchcontainerusercaps" = "yes" ] && store_runoption cap "SETUID SETGID DAC_OVERRIDE AUDIT_WRITE"
 
-  [ "$Sharegpu" = "yes" ] && [ "$Nvidiadriver" ] && store_runoption cap "SETUID SETGID DAC_OVERRIDE CHOWN FOWNER"
+  [ "$Sharegpu" = "yes" ] && [ "$Nvidiadriver" ] && store_runoption cap "SETUID SETGID DAC_OVERRIDE CHOWN FOWNER" && Nonewprivileges="no"
 
   # Issues with hidepid=2 seen on NixOS (issue #83)
   { [ "$Switchcontaineruser" = "yes" ] || [ "$Containeruser" != "$Hostuser" ] ; } && {
@@ -4243,8 +4243,8 @@ create_dockerrc() {             # create dockerrc: This script runs as root (or
 
   # --pulseaudio, cookie copy on Windows over tcp only yet.
   echo     "  echo '[ -e $Cshare/pulsecookie ] && {'"
-  echo     "  echo   mkdir -p \"\$Containeruserhome/.config/pulse\""
-  echo     "  echo   cp \"$Cshare/pulsecookie\" \"\$Containeruserhome/.config/pulse/cookie\""
+  echo     "  echo   'mkdir -p \"\$Containeruserhome/.config/pulse\"'"
+  echo     "  echo   'cp \"$Cshare/pulsecookie\" \"\$Containeruserhome/.config/pulse/cookie\"'"
   echo     "  echo '}'"
 
   [ -n "$Newdisplay" ] && echo "  echo '[ -e /tmp/.X11-unix/X$Newdisplaynumber ] || ln -s /X$Newdisplaynumber /tmp/.X11-unix'"