Sandboxing games

Hello Fedora Enthusiasts! :grinning:

How to sandbox games in Linux?

I tried to use firejail, but it does not work well with games (usually games do not even run). Finally, I created an additional user account with limited privileges, but the drawback is that I need to switch accounts each time I want to play a bit. Is it possible to run a program with sound and graphics (particularly a game) as another user, using that user's folders and permissions?

I want to run games (Linux versions as well as Windows games run by WINE / PlayOnLinux and Lutris) and be sure these games (in case of vulnerabilities) have no access to my documents nor elevated privileges. It would be good to be able to easily turn Internet access on/off too.

Any ideas how I can achieve this?

Enjoy the weekend! :grinning:

Added bubblewrap, flatpak, gaming, security, selinux, wine

Removed bubblewrap, flatpak, gaming, security, selinux, wine

Hey I think it is important to ditch the word “gaming” and at least include “windows” or “wine”.

Xonotic and others work fine, sandboxed as Flatpaks.

The easiest solution is to use Bottles Flatpak. You can use that together with ProtonPlus Flatpak and others.

Flatpaks are isolated with bubblewrap, which is more secure than firejail for technical reasons (no suid binary).

If you want to use bubblewrap without flatpak, bubblejail is a solution.

I guess your edit was coincidental. Do you agree with the title and tags I added?

Yes, I updated one sentence in my post and then tags added by you were accidentally deleted. You can add them back. :slight_smile: Thank you! :smiley:


Added bottles, bubblewrap, crabjail, firejail, flatpak, lutris, security, wine

I think you can achieve this by running games in WinePak/Flatpak far more easily than, say, trying to containerize a game through other means and technologies.

I don't think firejail would work unless you had absolutely everything the game needs to run, including networking and other system stuff. So a firejail/SELinux sandbox would not work without a ton of work, or might not even be possible.

This is where I think you were on the right path. Instead of creating an account with limited privileges, you can create an image and install all the tooling and configurations in it. Install the game and WINE packages and have a tool like podman, systemd-nspawn or even toolbox run the game in a container.

This is still not easy, and will require a lot of configuration, but I think it's the most plausible solution.


Added selinux

Why not just use Bottles Flatpak, which has no permissions apart from Pulseaudio and Network (afaik) and is a platform for ANY game you may want?


Because I have not used Bottles, I would need to look into it. So I have no first-hand knowledge of it.

As an aside, wouldn't the container environment be better if it were feasible? Considering you could relabel the directory the container is in with sandbox_web_t or container_web_t, the environment would only know of the existence of the files inside the container...

The flatpak might not be able to read the contents of your /home, but it would be able to save files and be on the same network you are on. I could be wrong here...

I read a bit about Bottles and in combination with Flatpak it looks really nice. There are some drawbacks too:

  • Flatpak packages have dependencies, which can be huge (even gigabytes);
  • each application with a new runtime can consume an additional few hundred megabytes of RAM.

I am curious if it is possible to set different sandbox permissions for each game installed via Bottles (without installing Bottles many times)? I mean to grant access to Internet to selected games only.

As I understand Bubblewrap is a sandbox solution used by Flatpak, and Bubblejail is its fork which can work without Flatpak.

Summed up:

  • Flatpak + Bottles for Windows games (is it possible to set different sandbox permission for each game?);
  • Bubblejail for commercial Linux games (not available from Flatpak).

Please let me know if I have misunderstood something.

Yes probably, but only if the main project supports it.

Flatpaks use user namespace and seccomp filters for filesystem and syscall isolation respectively.

So a flatpak app is sandboxed, and can spawn a subprocess with flatpak-spawn with a different, more restrictive seccomp filter.

I don't think a more restrictive filesystem filter is possible, so an app in Bottles can always access the entire Bottles app directory.

No, bubblewrap is the sandboxing tool; bubblejail is a wrapper for it, to make it work easily.

Yes that is true.

If disk space is no concern, containers would work, if you know what you're doing.
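An added example, my own script and not code from the thread, from Flatpak or from Bottles: it turns the "Bottles has only PulseAudio and Network (afaik)" remark above into a check you can run, by parsing the permission listing that `flatpak info --show-permissions APP` (or `flatpak override --user --show APP`) prints, and it wraps `flatpak override` to show that a network toggle is per app-id, which is why one Bottles install cannot give Internet to some games and not others. It assumes Bottles' Flathub id is `com.usebottles.bottles` and uses a constructed, deliberately over-permissive sample listing.

```shell
#!/bin/sh
# Added example, not code from the thread, Flatpak or Bottles. Audits a
# Flatpak's static permissions as printed by `flatpak info --show-permissions APP`
# or `flatpak override --user --show APP` (INI-style text; [Context] values are
# ';'-separated lists) and shows the per-app-id network override.

# perm_values TEXT KEY -> the values listed under KEY, one per line
perm_values() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr ';' '\n' | sed '/^$/d'
}

# has_perm TEXT KEY ERE -> succeeds if some value under KEY matches ERE exactly
has_perm() {
    perm_values "$1" "$2" | grep -qxE -- "$3"
}

# audit TEXT -> one finding per line, limited to the permissions that decide
# whether a game can see your documents or the Internet
audit() {
    has_perm "$1" shared network && echo "shared=network: can reach the Internet"
    has_perm "$1" filesystems 'home(:rw|:create)?' && echo "filesystems=home: whole home directory"
    has_perm "$1" filesystems 'host(:rw|:create)?' && echo "filesystems=host: entire host filesystem"
    has_perm "$1" devices all && echo "devices=all: every /dev node, not only dri"
    has_perm "$1" sockets session-bus && echo "sockets=session-bus: unfiltered D-Bus"
    printf '%s\n' "$1" | grep -qx 'org.freedesktop.Flatpak=talk' &&
        echo "talks to org.freedesktop.Flatpak: can run host commands via flatpak-spawn --host"
    return 0
}

# set_network APP on|off -> persistent user override; this is per app-id, so
# with Bottles it applies to every game inside Bottles at once
set_network() {
    case "$2" in
        on)  flatpak override --user --share=network   "$1" ;;
        off) flatpak override --user --unshare=network "$1" ;;
        *)   echo "usage: set_network APP on|off" >&2; return 2 ;;
    esac
}

# Constructed sample (not Bottles' real manifest), deliberately too permissive
SAMPLE='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;home;

[Session Bus Policy]
org.freedesktop.Flatpak=talk'
audit "$SAMPLE"
# Real use: audit "$(flatpak info --show-permissions com.usebottles.bottles)"
```

Run it against the real listing of an installed app to see which of these findings Bottles actually has on your system; an empty result means none of the listed high-impact permissions is granted statically (runtime portal grants are not covered).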

@boredsquirrel, thank you for clarification regarding Bubblewrap and Bubblejail! :smiley:

@boredsquirrel and @hamrheadcorvette,
Would you mind explaining, in a simple way, how to create isolated Flatpak / Bottles processes for different applications/games? Your knowledge of this subject far exceeds mine.

BTW: The discussion is not limited to WINE games, so I updated the discussion topic.


Bottles could spawn all games using flatpak-spawn and offer a UI to apply stricter permissions using seccomp filter “groups” (like “block internet”, “block device access”, ...).

If the app can't do it, you can't.

But very good idea, you may open an issue on the bottles repo, linking to this thread.

But note that this guy never uses Flatpaks, so he runs Windows Software unsandboxed.

I’ve committed to some projects taking me into next week at the earliest. It would be nice to provide a way using SELinux & containers to run WINE within. I think it might work... I’ll update this thread when I come around to it.

@boredsquirrel & @loreseeker I didn’t know about this, but it’s just in time I guess. Gaming Containers

https://games-on-whales.github.io/


A post was split to a new topic: WiNE games and PulseAudio issues