Unable to activate gamescope.capSysNice option

I am using gamescope via Steam on NixOS Unstable with Hyprland.

I use gamescope to spoof the resolution in order to decrease the demand on my iGPU (RX 780M).

I activated gamescope this way:

        gamescope = {
          enable = true;
          args = [
            "-w 1620"
            "-h 1080"
            "-S stretch"
            "-f"
            "-e"
          ];
        };

Then I modify the game launch options in steam and it works.

I would like to activate the CAP_SYS_NICE cap as gamescope complains about it.

No CAP_SYS_NICE, falling back to regular-priority compute and threads.
Performance will be affected.

So I tried setting gamescope.capSysNice to true, but when I try to start a game it does not start, and I can see the following in the logs:

failed to inherit capabilities: Operation not permitted
Uploaded AppInterfaceStats to Steam

Has anyone succeeded in using this option?

I have the same problem.
In my earlier attempts to fix it I somehow had bwrap complaining about unexpected capabilities, but I’ve forgotten what I did.

After that I tried adding

security.wrappers."steam" = {
  setuid = true;
  owner = "root";
  group = "root";
  source = "${pkgs.steam}/bin/steam";
};

Which produced the error

bwrap: Creating new namespace failed: nesting depth or /proc/sys/user/max_*_namespaces exceeded (ENOSPC)

I checked the namespace limits and they seem plenty.
Looking through the source for programs.steam I saw that when gamescope.capSysNice is set it does setuid on bwrap, so I tried doing that manually, but that changed nothing.
Tried setting the gamescope capabilities manually, which changed nothing. Tried gamescope setuid, but that gave me Invalid MIT-MAGIC-COOKIE-1 key, so I guess that upset Xwayland or something.

Don’t really know what I’m doing, and now out of ideas.

Having the same problem. Does anyone have any solution?

Unfortunately no. I did not find any answers.

I’m also facing this issue.

I’ve been messing around with it and I think I have somewhat of an understanding of what is going on (I’m not an expert, so make sure to do your own research, specifically on suid and bwrap):

Bubblewrap is the main program that handles creating the environment that Steam runs in. It ensures all files are symlinked in the right place and that games can be run.

When you set capSysNice to true, bwrap (bubblewrap) gets wrapped with suid and gamescope gets wrapped with capabilities = 'cap_sys_nice+pie'.

So, launching Steam sets the bwrap process as root, with the knowledge that it’s running under your user. Launching gamescope from within Steam requires launching it within bwrap, which right now is root. bwrap by default strips capabilities, and so gamescope can’t renice itself (failed to inherit capabilities:...), so you have to add the argument --cap-add ALL (ALL is probably a bit much, but I didn’t spend time trying to figure out exactly which permissions it needs). The problem is bwrap won’t let you do this because of the suid bit (it doesn’t want you to be able to escalate permissions). We run into this error.

I was able to get steam-run gamescope to launch correctly when I removed the suid from bwrap and manually added --cap-add ALL to the steam-run script. I think you can do this with extending extraBwrapArgs for the steam packages.

security.wrappers.bwrap.setuid = lib.mkForce false;

The problem is I now get this error (probably related?):

vkCreateDevice failed with a high-priority queue (general + compute). Falling back to regular priority (general).
vkCreateDevice failed with a high-priority queue (compute). Falling back to regular priority (all).

The other issue is that when doing the same process for steam it fails to launch because of this error:

steam-runtime-check-requirements[1035377]: W: Child process exited with code 1: bwrap: Unexpected capabilities but not setuid, old file caps config?

Somehow capabilities would need to be cleared from within steam somewhere. I tried messing around a bit with launching the game like (and not modifying steam):

bwrap --cap-add ALL --dev-bind / / gamescope -- %command%

But that didn’t work (Unexpected capabilities but not setuid, old file caps config?).

Hope that this can help someone understand this stuff better or get a better grasp at what needs to be solved.


Further reading:

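To make the capability mechanics described in the post above concrete, here is an added example (not from the thread, and not bwrap, gamescope or nixpkgs code): a bash script that decodes the Cap* lines of a /proc/<pid>/status file, says whether CAP_SYS_NICE is present in each set, and applies the execve rule from capabilities(7) to predict what a binary carrying the file capability cap_sys_nice+pie actually ends up with. The two status samples are constructed for the example; the transition rule is the kernel's, and the claim that setuid bwrap hands its child an empty bounding set unless told otherwise with --cap-add is the thread's.

```bash
#!/usr/bin/env bash
# Added example: decode capability sets and predict the execve transition
# for a binary with file caps cap_sys_nice+pie.
#
# Rule from capabilities(7):
#   P'(permitted) = (P(inheritable) & F(inheritable))
#                 | (F(permitted)   & P(bounding))
#                 | P'(ambient)
# and P'(ambient) is cleared whenever the file carries capabilities, so the
# ambient term is zero for gamescope here.
# Consequence: if the parent (setuid bwrap without --cap-add) has emptied its
# bounding and inheritable sets, the +pie file cap contributes nothing and
# gamescope starts without CAP_SYS_NICE no matter how it was wrapped.

set -u

CAP_SYS_NICE=23   # capability number from linux/capability.h

# bit_set MASK_HEX CAPNUM -> prints yes/no
bit_set() {
  local mask=$(( 0x${1:-0} ))
  if (( (mask >> $2) & 1 )); then echo yes; else echo no; fi
}

# cap_field STATUS_TEXT NAME -> hex value of the line "NAME:\t<hex>"
cap_field() {
  printf '%s\n' "$1" | awk -v n="$2:" '$1 == n { print $2 }'
}

# sys_nice_report STATUS_TEXT -> "Inh=.. Prm=.. Eff=.. Bnd=.. Amb=.."
sys_nice_report() {
  local out="" cs
  for cs in Inh Prm Eff Bnd Amb; do
    out+="$cs=$(bit_set "$(cap_field "$1" "Cap$cs")" "$CAP_SYS_NICE") "
  done
  printf '%s\n' "${out% }"
}

# exec_permitted P_INH_HEX P_BND_HEX F_PERM_HEX F_INH_HEX -> P'(permitted) as hex
exec_permitted() {
  local p_inh=$(( 0x${1:-0} )) p_bnd=$(( 0x${2:-0} ))
  local f_perm=$(( 0x${3:-0} )) f_inh=$(( 0x${4:-0} ))
  printf '%016x\n' $(( (p_inh & f_inh) | (f_perm & p_bnd) ))
}

# gamescope_gets_sys_nice STATUS_TEXT -> yes/no: would a cap_sys_nice+pie
# binary exec'd by the process with this status hold CAP_SYS_NICE?
gamescope_gets_sys_nice() {
  local fcap perm
  fcap=$(printf '%016x' $(( 1 << CAP_SYS_NICE )))   # +p and +i both set
  perm=$(exec_permitted "$(cap_field "$1" CapInh)" "$(cap_field "$1" CapBnd)" \
                        "$fcap" "$fcap")
  bit_set "$perm" "$CAP_SYS_NICE"
}

# Constructed sample: an ordinary unprivileged shell (full bounding set only).
SAMPLE_NORMAL='Name: bash
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Constructed sample: the child of setuid bwrap after it dropped everything.
SAMPLE_BWRAP='Name: bwrap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000'

if [ -r /proc/self/status ]; then
  echo "this shell:           $(sys_nice_report "$(cat /proc/self/status)")"
fi
echo "from a normal shell, +pie gives CAP_SYS_NICE: $(gamescope_gets_sys_nice "$SAMPLE_NORMAL")"
echo "from setuid bwrap,   +pie gives CAP_SYS_NICE: $(gamescope_gets_sys_nice "$SAMPLE_BWRAP")"
```

To check a live process instead of the samples, pass `cat /proc/$(pgrep -n gamescope-wl)/status` to sys_nice_report; a Bnd=no on the parent is the condition under which the +pie file cap cannot help, which is what the --cap-add ALL attempt in the post was trying to change.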

A bit more investigating into why the last thing didn’t work: it is because Steam launches this process within the %command%:

~/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/pressure-vessel/libexec/steam-runtime-tools-0/srt-bwrap

Which is the steam-runtime-tools bwrap. So we run into the same issue of bwrap not inheriting the capabilities that it is given.

The %command% expands to something like:

/home/darkkronicle/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=960090 -- /home/darkkronicle/.local/share/Steam/ubuntu12_32/steam-launch-wrapper -- /home/darkkronicle/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/_v2-entry-point --verb=waitforexitandrun -- /home/darkkronicle/.local/share/Steam/steamapps/common/Proton 8.0/proton waitforexitandrun /mnt/aelius/games/steam/steamapps/common/BloonsTD6/BloonsTD6.exe

So I’m thinking that putting bwrap with the added capabilities right before the proton call may work, but I can’t get it to launch when I add that. There isn’t even any error.

OK, I am very close now.

/run/wrappers/bin/bwrap --dev-bind / / --cap-add ALL -- gamescope -- capsh --caps="" -- %command%

This launches gamescope correctly, but fails with:

/home/darkkronicle/.local/share/Steam/ubuntu12_32/reaper: /home/darkkronicle/.local/share/Steam/ubuntu12_32/reaper: cannot execute binary file

My guess is I need to modify the bwrap arguments.

Hey!

Did you find a solution to make it work?

I tried what you did and searched everywhere for a solution, but it seems to be a limitation of buildFHSEnv as per this issue; however, what you did seems to work around it somehow?

I would love to use gamescope with capSysNice enabled, since without it performance degrades after 30 minutes of use :confused:

Thanks! :blush:

Thanks for sharing that issue, I hadn’t seen that yet and it adds some good context (especially in the more technical explanations). That also explains why it’s still failing to set itself to high priority even “with” the capability.

As for getting a full on solution, I have yet to be successful. I don’t really think that this can be done without implementing something that was proposed on this issue and adding a way to “escape” back to userspace. But even if it’s done, I don’t know how the game would launch because the dynamic linking would probably fail.

I guess maybe running all of steam inside gamescope may be a temporary fix? But that is certainly far from ideal.

I’ve noticed the same thing, it would be nice :confused:

I guess maybe running all of steam inside gamescope may be a temporary fix? But that is certainly far from ideal.

It doesn’t really work on my configuration, but that seems to be a me issue this time lmao

I mean, there is a solution discussed in the issue, and that is patching the kernel to allow cap_sys_nice to work directly, but it seems pretty insecure to me. Still a solution, though!

Really looking forward to a solution/fix as gamescope seems to work fine for 20-30 minutes and then it starts stuttering like crazy without max priority. Currently using renice to manually set priority to -20. I had to give my user account permissions to adjust niceness so I could use it without sudo, and then I added && sleep 5; renice -n -20 -p $(pgrep gamescope-wl) to my launch arguments so it could be done automatically.
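The renice workaround in the last post only works once the user's RLIMIT_NICE ceiling has been raised; otherwise the renice inside a Steam launch option fails quietly and gamescope stays at nice 0. Here is an added example (not from the thread) of the same workaround with the check a practitioner would want in front of it: a bash script that reads the ceiling with `ulimit -e`, refuses with a clear message if the requested nice value is out of reach, waits for the gamescope process to appear instead of sleeping a fixed five seconds, and only then renices it. The process name gamescope-wl is taken from the post; the assumption that gamescope starts at nice 0 and the ten-second wait are mine.

```bash
#!/usr/bin/env bash
# Added example: renice gamescope only after confirming the caller is allowed to.
# RLIMIT_NICE (bash: ulimit -e) is a soft limit in the range 0..40; the lowest
# nice value a process may set itself or a same-user process to is 20 - limit
# (getrlimit(2)). Raising nice (lowering priority) never needs privilege.

set -u

# lowest_nice_allowed RLIMIT_NICE_VALUE -> lowest nice value this limit permits
lowest_nice_allowed() { echo $(( 20 - $1 )); }

# can_set_nice RLIMIT_NICE_VALUE WANTED -> yes/no, for a target currently at
# nice 0 (assumption: gamescope starts unreniced).
can_set_nice() {
  if [ "$2" -ge 0 ] || [ "$2" -ge "$(lowest_nice_allowed "$1")" ]; then
    echo yes
  else
    echo no
  fi
}

# renice_gamescope [NICE] -> renice the newest gamescope-wl process (default -20)
renice_gamescope() {
  local wanted="${1:--20}" limit pid tries
  limit=$(ulimit -e)
  if [ "$(can_set_nice "$limit" "$wanted")" != yes ]; then
    echo "RLIMIT_NICE=$limit only permits nice >= $(lowest_nice_allowed "$limit");" \
         "raise the 'nice' limit for this user and log in again" >&2
    return 1
  fi
  # Poll for up to ~10 s; gamescope is not running yet when the launch option starts.
  pid=""
  for tries in $(seq 1 20); do
    pid=$(pgrep -n gamescope-wl) && break
    sleep 0.5
  done
  if [ -z "$pid" ]; then
    echo "no gamescope-wl process appeared" >&2
    return 1
  fi
  renice -n "$wanted" -p "$pid"
}

# Run the real thing only when asked, e.g. from a launch option:
#   %command% & bash /path/to/this.sh --run
if [ "${1:-}" = "--run" ]; then
  renice_gamescope -20
fi
```

On NixOS the ceiling is raised with the security.pam.loginLimits option using item "nice" (the same thing as a nice entry in limits.conf); it takes effect for new logins only, so Steam has to be started from a session opened after the change, and `ulimit -e` printing 40 in a fresh terminal is the quick way to confirm it before trusting the launch option.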