How do you get access to DRI/DRM, though? I assume (I don't know) that it's by opening a device file and using the file descriptor.
If so, you don't need any fancy custom syscall rules, just the ability to pass file descriptors to sandboxed processes (so the MMORPG either starts with DRI access before dropping privileges, or starts with a Unix-domain socket over which it can request it from another user-space process).
It seems to me that the only calls we really need to block are the ones that operate on global namespaces rather than on descriptors (e.g. open, connect, kill).