netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firejail with wine and optirun #1658

Open silvervellum opened 6 years ago

silvervellum commented 6 years ago

Hello!

I would like to use firejail with wine and optirun (to use a dedicated Nvidia graphics card), but I didn't find a case such as this documented.

I tried a bit to work with this setup and I would like to share my notes and have a confirmation that my approach is correct. I am using firejail 9.50 on Debian Testing.

Firejail can be used with wine as everything else: firejail wine <path/to/application>

In this way the wine.profile is loaded and the application should be jailed as expected.

To run the application with a dedicated Nvidia graphics card one has to use optirun: optirun <options> wine <path/to/application>

How to use firejail with this? Given that I have to jail wine, I tried at first with this syntax (somewhere else on the Internet I found another user doing the same): optirun <options> firejail wine <path/to/application>

In this way I expected all the commands following optirun to run on the dedicated graphics card. Instead, despite the fact that optirun ran and firejail loaded the wine.profile, the application launched with wine used the integrated graphics card. I didn't look at the documentation, but at first it seems counterintuitive.

Then I changed the order of the commands and it worked, sort of: firejail optirun <options> wine <path/to/application>

In fact firejail tried to load a profile for the first command it saw, in this case optirun, but given that there was no optirun profile it loaded the generic default one. Therefore I manually chose the correct profile: firejail --profile=/etc/firejail/wine.profile optirun <options> wine <path/to/application>

To verify that everything works I made a simple test: firejail --profile=/etc/firejail/wine.profile --private optirun wine notepad

and notepad was exposed to the fake home directory.

Therefore in this way everything seems to work as expected, but is it the correct way to do it? Thank you!
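The workaround described in this report (firejail picks the profile from the first command on its line, so a wrapper such as optirun needs the real program's profile passed explicitly) can be wrapped in a small shell helper. The script below is an added example, not code from the issue or from the firejail project. It resolves the profile in the same order firejail itself searches (~/.config/firejail first, then /etc/firejail), falls back to reporting that default.profile would be used when no profile exists, and then builds the `firejail --profile=... optirun wine ...` command line. The `FJ_USER_DIR` / `FJ_SYS_DIR` variables and the function names are this example's own, introduced so the lookup can be exercised against constructed directories.

```shell
#!/bin/sh
# Added example: sandbox a wrapper program (e.g. optirun) under the profile
# of the real program it launches (e.g. wine), as the issue report does by hand.

# Profile search order mirrors firejail: per-user directory first, then the
# system directory. The variable names are hypothetical (this example's own)
# so the lookup can be pointed at constructed directories for offline testing.
FJ_USER_DIR="${FJ_USER_DIR:-$HOME/.config/firejail}"
FJ_SYS_DIR="${FJ_SYS_DIR:-/etc/firejail}"

# find_profile NAME
#   Prints the path of NAME.profile from the first directory that has it.
#   Returns 1 (prints nothing) when no profile exists, which is exactly the
#   case where firejail would silently fall back to default.profile.
find_profile() {
    for d in "$FJ_USER_DIR" "$FJ_SYS_DIR"; do
        if [ -f "$d/$1.profile" ]; then
            printf '%s\n' "$d/$1.profile"
            return 0
        fi
    done
    return 1
}

# build_cmd WRAPPER PROGRAM [ARGS...]
#   Prints the firejail command line that runs WRAPPER PROGRAM ARGS... inside
#   PROGRAM's profile. Used here for display/verification only.
build_cmd() {
    wrapper=$1
    program=$2
    shift 2
    profile=$(find_profile "$program") || {
        printf 'no profile for %s: firejail would fall back to default.profile\n' "$program" >&2
        return 1
    }
    printf 'firejail --profile=%s %s %s' "$profile" "$wrapper" "$program"
    for a in "$@"; do
        printf ' %s' "$a"
    done
    printf '\n'
}

# run_sandboxed WRAPPER PROGRAM [ARGS...]
#   Execs firejail with the resolved profile. Arguments are passed through
#   individually (no word splitting), so paths with spaces survive.
#   Usage: run_sandboxed optirun wine /path/to/application.exe
run_sandboxed() {
    wrapper=$1
    program=$2
    shift 2
    profile=$(find_profile "$program") || {
        printf 'refusing to run %s with default.profile; add %s.profile first\n' "$program" "$program" >&2
        return 1
    }
    exec firejail --profile="$profile" "$wrapper" "$program" "$@"
}
```

Refusing to run when no profile is found (rather than letting firejail fall back to default.profile) is a deliberate choice: the whole point of the report is that the wrapper name must not decide which restrictions apply to the real program.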

SkewedZeppelin commented 6 years ago

firejail optirun [program] is probably the right way. I haven't used Bumblebee in a while, but afaik opti/primusrun was like LD_PRELOAD and you can't LD_PRELOAD on suid binaries.

Maybe someone can add an '--optirun' option to allow running with optirun instead of having to firejail --profile=realprogram optirun program

Edit: closed by accident.

rusty-snake commented 3 years ago

Can we close here?