feat: allow more nvidia and nvme files from extensions

See: https://github.com/siderolabs/extensions/pull/1033

Signed-off-by: Noel Georgi <git@frezbo.dev>
(cherry picked from commit 79fa2e3001082cf21be92c52b3da4e844313184d)

Dockerfile

@@ -783,10 +783,6 @@ RUN <<END
     ln -s /etc/ssl /rootfs/usr/share/ca-certificates
     ln -s /etc/ssl /rootfs/usr/local/share/ca-certificates
     ln -s /etc/ssl /rootfs/etc/ca-certificates
-    ln -s /usr/local/bin/nvidia-smi /rootfs/usr/bin/nvidia-smi
-    ln -s /usr/local/bin/nvidia-ctk /rootfs/usr/bin/nvidia-ctk
-    ln -s /usr/local/bin/nvidia-cdi-hook /rootfs/usr/bin/nvidia-cdi-hook
-    ln -s /usr/local/sbin/nvme /rootfs/usr/bin/nvme
 END
 
 FROM build AS rootfs-base-arm64
@@ -874,10 +870,6 @@ RUN <<END
     ln -s /etc/ssl /rootfs/usr/share/ca-certificates
     ln -s /etc/ssl /rootfs/usr/local/share/ca-certificates
     ln -s /etc/ssl /rootfs/etc/ca-certificates
-    ln -s /usr/local/bin/nvidia-smi /rootfs/usr/bin/nvidia-smi
-    ln -s /usr/local/bin/nvidia-ctk /rootfs/usr/bin/nvidia-ctk
-    ln -s /usr/local/bin/nvidia-cdi-hook /rootfs/usr/bin/nvidia-cdi-hook
-    ln -s /usr/local/sbin/nvme /rootfs/usr/bin/nvme
 END
 
 FROM build-go AS build-sbom

pkg/machinery/extensions/extensions.go

@@ -17,10 +17,15 @@ var AllowedPaths = []string{
 	// and /lib/ld-linux-aarch64.so.1 on aarch64.
 	"/usr/lib/ld-linux-x86-64.so.2",
 	"/usr/lib/ld-linux-aarch64.so.1",
-	// /sbin/ldconfig is required by the nvidia container toolkit.
 	"/usr/bin/ldconfig",
 	"/etc/ld.so.conf",
 	"/etc/ld.so.cache",
+	"/usr/bin/nvidia-modprobe",
+	"/usr/bin/nvidia-pcc",
+	"/usr/bin/nvidia-smi",
+	"/usr/bin/nvidia-ctk",
+	"/usr/bin/nvidia-cdi-hook",
+	"/usr/bin/nvme",
 	"/usr/lib/udev/rules.d",
 	"/usr/local",
 	// glvnd, egl and vulkan are needed for OpenGL/Vulkan.