I'm not entirely sure whether to post this as a bug against sci-misc/boinc or media-gfx/imagemagick. As there appear to be a few related historical bugs relating to imagemagick (and I feel that is where this probably needs resolving), I've opt'd to post it against imagemagick for now. Feel free to move/change the title etc. to be more appropriate.

A recent system upgrade has updated me to media-gfx/imagemagick-7.0.8.14, but a subsequent rebuild of sci-misc/boinc (which calls the /usr/bin/convert utility from imagemagick) is now failing with sandbox violations:
----------------------------------------------------
 * ACCESS DENIED:  open_wr:      /dev/dri/card0
X server found. dri2 connection failed! 
 * ACCESS DENIED:  open_wr:      /dev/dri/card0
open("/dev/dri/card0", O_RDWR) failed: Permission denied
Device open failed, aborting...
----------------------------------------------------

As you can see, it is trying to access /dev/dri/card0, but the contents of /etc/sandbox.d/99imagemagick are:
SANDBOX_PREDICT="/dev/nvidiactl:/dev/nvidia-uvm:/dev/ati/card:/dev/dri/card:/dev/dri/renderD128"

which doesn't appear to be enough for my case.

If I append "/dev/dri/card0" to the sandbox.d file, then I no-longer receive the sandbox violation. I do, however, now see a "permissions denied" error, but the installation does seem to proceed and all seems to work. (Why do we use SANDBOX_PREDICT instead of SANDBOX_WRITE?)

Please can we either add "/dev/dri/card0" to the SANDBOX_PREFIX list or some sort of wildcard/regex match? (I tried "/dev/dri/card[0-9]", but that does not work.)

In addition, I think a switch to SANDBOX_WRITE should really be considered.