>If so, you don't need any fancy custom syscall rules, just the ability to pass file descriptors to sandboxed processes (so the MMORPG either starts with DRI access before dropping privileges, or starts with a Unix-domain socket over which it can request it from another user-space process).
Won't work. MMORPG also needs to read assets, so it must have access to a part of the filesystem. Also, it might need write access to local preferences storage.
OpenGL drivers also might need to have read access.