I tried to use firejail, but it does not work well with games (usually the games do not even run). Finally I created an additional user account with limited privileges, but the drawback is that I need to switch accounts each time I want to play a bit. Is it possible to run a program with sound and graphics (particularly a game) as another user, using that user's folders and permissions?
I want to run games (Linux versions as well as Windows games run by WINE / PlayOnLinux and Lutris) and be sure these games (in case of vulnerabilities) have no access to my documents nor elevated privileges. It would be good to be able to easily turn Internet access on/off too.
I think you can achieve this by running games in WinePak/Flatpak far more easily than by trying to containerize a game through other means and technologies.
I don't think firejail would work unless you had absolutely everything the game needs to run, including networking and other system stuff. So a firejail/SELinux sandbox would not work without a ton of work, or might not even be possible.
This is where I think you were on the right path. Instead of creating an account with limited privileges, you can create an image and install all the tooling and configuration in it. Install the game and WINE packages and have a tool like podman, systemd-nspawn or even toolbox run the game in a container.
This is still not easy, and will require a lot of configuration, but I think it's the most plausible solution.
Because I have not used Bottles, I would need to look into it. So I have no first hand knowledge of it.
As an aside, the container environment would be better if it were feasible. Considering you could relabel the directory the container is in with sandbox_web_t or container_web_t, the environment would only know of the existence of the files inside the container...
The flatpak might not be able to read the contents of your /home, but it would be able to save files and be on the same network you are on. I could be wrong here...
I read a bit about Bottles and in combination with Flatpak it looks really nice. There are some drawbacks too:
Flatpak packages have dependencies, which can be huge (even gigabytes);
each application with a new runtime can consume an additional few hundred megabytes of RAM.
I am curious whether it is possible to set different sandbox permissions for each game installed via Bottles (without installing Bottles many times)? I mean granting Internet access to selected games only.
As I understand Bubblewrap is a sandbox solution used by Flatpak, and Bubblejail is its fork which can work without Flatpak.
Summed up
Flatpak + Bottles for Windows games (is it possible to set different sandbox permissions for each game?);
Bubblejail for commercial Linux games (not available from Flatpak).
@boredsquirrel, thank you for clarification regarding Bubblewrap and Bubblejail!
@boredsquirrel and @hamrheadcorvette,
Would you mind explaining, in a simple way, how to create isolated Flatpak / Bottles processes for different applications/games? Your knowledge of this subject far exceeds mine.
BTW: the discussion is not limited to WINE games, so I updated the discussion topic.
Bottles could spawn all games using flatpak-spawn and offer a UI to apply stricter permissions using seccomp filter "groups" (like "block internet", "block device access", ...).
If the app can't do it, you can't.
But very good idea, you may open an issue on the bottles repo, linking to this thread.
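For the Bubblewrap route mentioned above (native Linux games outside Flatpak), here is an added example, not from any poster in this thread, of how per-game isolation can be expressed directly with bwrap: each game gets a private home in place of the real $HOME, only the GPU, display and audio sockets are passed in, and network access is toggled per game. It assumes bwrap is installed, the PulseAudio/PipeWire socket lives under $XDG_RUNTIME_DIR/pulse/native, and the location GAME_HOME_BASE is a constructed default.

```shell
#!/usr/bin/env bash
# Added example (not from any poster in this thread): run a native Linux game
# under bubblewrap with a private home, sound/graphics passed in, and a
# per-game network policy. GAME_HOME_BASE is an assumed, constructed default.
set -eu

GAME_HOME_BASE="${GAME_HOME_BASE:-$HOME/.local/share/game-sandboxes}"

# Print the bwrap argument list, one per line: sandbox_args <name> net|nonet <cmd...>
# Kept separate from exec so the list can be inspected without bwrap present.
sandbox_args() {
    local name="$1" netpolicy="$2"; shift 2
    local ghome="$GAME_HOME_BASE/$name"
    local rt="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"

    # Read-only system tree, empty /tmp, and the game's own directory mounted
    # at $HOME: the real home (documents, SSH keys, browser profiles) is invisible.
    # --unshare-all also drops network, pid, ipc and user namespaces.
    printf '%s\n' \
        --ro-bind /usr /usr --ro-bind /etc /etc \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
        --dev /dev --proc /proc --tmpfs /tmp \
        --bind "$ghome" "$HOME" \
        --unshare-all --die-with-parent --new-session

    # Graphics: GPU device nodes plus the X11 and (if present) Wayland sockets.
    [ -d /dev/dri ] && printf '%s\n' --dev-bind /dev/dri /dev/dri
    [ -d /tmp/.X11-unix ] && printf '%s\n' --ro-bind /tmp/.X11-unix /tmp/.X11-unix
    [ -n "${WAYLAND_DISPLAY:-}" ] && printf '%s\n' --ro-bind "$rt/$WAYLAND_DISPLAY" "$rt/$WAYLAND_DISPLAY"

    # Sound: bind only the audio socket, not the whole runtime directory.
    [ -S "$rt/pulse/native" ] && printf '%s\n' --ro-bind "$rt/pulse/native" "$rt/pulse/native"

    # Network is the one per-game toggle: "net" shares the host namespace back,
    # "nonet" leaves the game with no network interfaces at all.
    if [ "$netpolicy" = net ]; then printf '%s\n' --share-net; fi

    printf '%s\n' -- "$@"
}

# Create the private home on first use and exec the game inside the sandbox.
# Usage: run_game <name> net|nonet <command...>
run_game() {
    mkdir -p "$GAME_HOME_BASE/$1"
    sandbox_args "$@" | {
        set --
        while IFS= read -r a; do set -- "$@" "$a"; done
        exec bwrap "$@"
    }
}
```

For example, `run_game mygame nonet /opt/mygame/start.sh` launches the game with sound and display but no network, while `run_game other net ./other` keeps network for a game that needs it.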
I've committed to some projects taking me into next week at the earliest. It would be nice to provide a way using SELinux & containers to run WINE within. I think it might work... I'll update this thread when I come around to it.