Unable to activate gamescope.capSysNice option

I am using gamescope via Steam on my NixOS Unstable with Hyprland.

I use gamescope to spoof the resolution in order to decrease the demand on my iGPU (RX 780M).

I activated gamescope this way:

        gamescope = {
          enable = true;
          args = [
            "-w 1620"
            "-h 1080"
            "-S stretch"
            "-f"
            "-e"
          ];
        };

Then I modify the game launch options in Steam and it works.

I would like to enable the CAP_SYS_NICE capability, as gamescope complains about it:

No CAP_SYS_NICE, falling back to regular-priority compute and threads.
Performance will be affected.

So I tried setting gamescope.capSysNice to true, but when I try to start a game it does not start, and I can see the following in the logs:

failed to inherit capabilities: Operation not permitted
Uploaded AppInterfaceStats to Steam

Has anyone succeeded in using this option?

I have the same problem.
In my earlier attempts to fix it I somehow had bwrap complaining about unexpected capabilities, but I've forgotten what I did.

After that I tried adding

security.wrappers."steam" = {
  setuid = true;
  owner = "root";
  group = "root";
  source = "${pkgs.steam}/bin/steam";
};

Which produced the error:

bwrap: Creating new namespace failed: nesting depth or /proc/sys/user/max_*_namespaces exceeded (ENOSPC)

I checked the namespace limits and they seem plentiful.
Looking through the source for programs.steam I saw that when gamescope.capSysNice is set it does setuid on bwrap, so I tried doing that manually, but that changed nothing.
Tried setting gamescope capabilities manually, which changed nothing. Tried gamescope setuid, but that gave me `Invalid MIT-MAGIC-COOKIE-1 key`, so I guess that upset Xwayland or something.

Don’t really know what I’m doing, and now out of ideas.

Having the same problem. Does anyone have any solution?

Unfortunately no. I did not find any answers.

I’m also facing this issue.

I've been messing around with it and I think I have somewhat of an understanding of what is going on (I'm not an expert, so make sure to do your own research, specifically on suid and bwrap):

Bubblewrap is the main program that handles creating the environment that Steam runs in. It ensures all files are symlinked in the right place and that games can be run.

When you set capSysNice to true, bwrap (bubblewrap) gets wrapped with suid and gamescope gets wrapped with capabilities = 'cap_sys_nice+pie'.

So, launching Steam sets the bwrap process as root, with the knowledge it's running under your user. Launching gamescope from within Steam requires launching it within bwrap, which right now is root. bwrap by default strips capabilities and so gamescope can't renice itself (failed to inherit capabilities:...), so you have to add the argument --cap-add ALL (ALL is probably a bit much, but I didn't spend time trying to figure out exactly which permissions it needs). The problem is bwrap won't let you do this because of the suid bit (it doesn't want you to be able to escalate permissions). We run into this error.

I was able to get steam-run gamescope to launch correctly when I removed the suid from bwrap and manually added --cap-add ALL to the steam-run script. I think you can do this by extending extraBwrapArgs for the Steam packages.

security.wrappers.bwrap.setuid = lib.mkForce false;

The problem is I now get this error (probably related?):

vkCreateDevice failed with a high-priority queue (general + compute). Falling back to regular priority (general).
vkCreateDevice failed with a high-priority queue (compute). Falling back to regular priority (all).

The other issue is that when doing the same process for Steam it fails to launch because of this error:

steam-runtime-check-requirements[1035377]: W: Child process exited with code 1: bwrap: Unexpected capabilities but not setuid, old file caps config?

Somehow capabilities would need to be cleared from within steam somewhere. I tried messing around a bit with launching the game like (and not modifying steam):

bwrap --cap-add ALL --dev-bind / / gamescope -- %command%

But that didn’t work (Unexpected capabilities but not setuid, old file caps config?).

Hope that this can help someone understand this stuff better or get a better grasp of what needs to be solved.


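As an added example (not code from this thread, nor from gamescope, bwrap or NixOS), the following Python script applies the execve() capability transformation rules from capabilities(7) to a binary carrying file capabilities `cap_sys_nice+pie`, which is how the post above says the capSysNice option wraps gamescope. It shows why such a binary gains CAP_SYS_NICE when started from an ordinary shell but not from a sandbox whose bounding set has been cleared, and it also models the no_new_privs case, in which the kernel ignores file capabilities entirely. Assumptions: the `/proc/<pid>/status` excerpts are constructed here, not captured from a real system; CAP_SYS_NICE is bit 23 as in `<linux/capability.h>`; whether bwrap sets no_new_privs in this particular configuration is not established by the thread, so that case is included only as a possibility to check for.

```python
"""Predict what a cap_sys_nice+pie binary (e.g. a gamescope wrapper) ends up
with after execve(), from the caller's capability sets in /proc/<pid>/status.

Added example, not code from the thread or from gamescope/bwrap/NixOS.
Exec rules follow capabilities(7); the status excerpts below are constructed.
"""

CAP_SYS_NICE = 23  # bit index from <linux/capability.h>
REQUIRED_SETS = ("Inh", "Prm", "Eff", "Bnd", "Amb")

# Constructed: an ordinary unprivileged shell with a full bounding set
# (41 capabilities, bits 0..40) and no_new_privs unset.
NORMAL_STATUS = """\
Name:\tbash
Uid:\t1000\t1000\t1000\t1000
NoNewPrivs:\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Constructed: a process inside a sandbox that cleared its bounding set.
CLEARED_BOUNDING_STATUS = NORMAL_STATUS.replace(
    "CapBnd:\t000001ffffffffff", "CapBnd:\t0000000000000000")

# Constructed: full bounding set, but no_new_privs is in force.
NO_NEW_PRIVS_STATUS = NORMAL_STATUS.replace("NoNewPrivs:\t0", "NoNewPrivs:\t1")


def parse_cap_sets(status_text: str) -> dict:
    """Return the Cap* masks (as ints) plus the NoNewPrivs flag."""
    sets = {"NoNewPrivs": 0}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key.startswith("Cap"):
            sets[key[3:]] = int(value, 16)      # CapInh -> "Inh", hex mask
        elif key == "NoNewPrivs":
            sets[key] = int(value)
    missing = set(REQUIRED_SETS) - sets.keys()
    if missing:
        raise ValueError(f"status text lacks capability sets: {sorted(missing)}")
    return sets


def has_cap(mask: int, cap: int) -> bool:
    return (mask >> cap) & 1 == 1


def caps_after_exec(proc: dict, file_prm: int, file_inh: int, file_eff: bool) -> dict:
    """execve() transformation for a non-root caller running a binary with
    file capabilities, per capabilities(7):

      P'(ambient)   = privileged file ? 0 : P(ambient)
      P'(permitted) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(ambient)
      P'(effective) = F(eff) ? P'(permitted) : P'(ambient)
      P'(inh), P'(bnd) unchanged

    With the file effective bit set, the kernel refuses the exec (EPERM) if
    any file-permitted capability could not be obtained. Under no_new_privs
    file capabilities are not honoured, so the file counts as unprivileged.
    """
    if proc["NoNewPrivs"]:
        file_prm, file_inh, file_eff = 0, 0, False
    privileged = bool(file_prm or file_inh)   # setuid bit not modelled here
    new_amb = 0 if privileged else proc["Amb"]
    new_prm = (proc["Inh"] & file_inh) | (file_prm & proc["Bnd"]) | new_amb
    new_eff = new_prm if file_eff else new_amb
    if file_eff and (file_prm & ~new_prm):
        raise PermissionError(
            "EPERM: bounding/inheritable sets do not cover the file's permitted capabilities")
    return {"Inh": proc["Inh"], "Prm": new_prm, "Eff": new_eff,
            "Bnd": proc["Bnd"], "Amb": new_amb}


def predict_gamescope_exec(status_text: str) -> str:
    """Outcome of exec'ing a cap_sys_nice+pie binary from the given process."""
    proc = parse_cap_sets(status_text)
    bit = 1 << CAP_SYS_NICE
    try:
        # '+pie': permitted, inheritable and effective flags all set for the cap
        after = caps_after_exec(proc, file_prm=bit, file_inh=bit, file_eff=True)
    except PermissionError as exc:
        return f"execve fails: {exc}"
    if has_cap(after["Eff"], CAP_SYS_NICE):
        return "runs with CAP_SYS_NICE"
    return "runs without CAP_SYS_NICE"


if __name__ == "__main__":
    # Live check: describe the environment this script itself runs in.
    with open("/proc/self/status") as f:
        print(predict_gamescope_exec(f.read()))
```

Running the file as a script inside the environment in question (it reads its own `/proc/self/status`) tells you which of the three outcomes applies there: the full-bounding-set case matches capSysNice working outside the sandbox, while a cleared bounding set or no_new_privs explains a wrapped gamescope starting without the capability or not starting at all.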

A bit more investigating into why the last thing didn't work: it is because Steam launches this process within the %command%:

~/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/pressure-vessel/libexec/steam-runtime-tools-0/srt-bwrap

Which is the steam-runtime-tools bwrap. So we run into the same issue of bwrap not inheriting the capabilities that it is given.

The %command% expands to something like:

/home/darkkronicle/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=960090 -- /home/darkkronicle/.local/share/Steam/ubuntu12_32/steam-launch-wrapper -- /home/darkkronicle/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/_v2-entry-point --verb=waitforexitandrun -- /home/darkkronicle/.local/share/Steam/steamapps/common/Proton 8.0/proton waitforexitandrun /mnt/aelius/games/steam/steamapps/common/BloonsTD6/BloonsTD6.exe

So I'm thinking that putting bwrap with the added capabilities right before the Proton call may work, but I can't get it to launch when I add that. There isn't even any error.

OK, I am very close now.

/run/wrappers/bin/bwrap --dev-bind / / --cap-add ALL -- gamescope -- capsh --caps="" -- %command%

This launches gamescope correctly, but fails with:

/home/darkkronicle/.local/share/Steam/ubuntu12_32/reaper: /home/darkkronicle/.local/share/Steam/ubuntu12_32/reaper: cannot execute binary file

My guess is I need to modify the bwrap arguments.