Open nutta-git opened 6 months ago
Once this is tested, I can make a pull request.
> ignore netfilter

`ignore` looks odd here. It's supposed to override an option that gets included later (in either the same foo.profile or in a redirect). Is netfilter causing breakage?
When I included a copy of my lutris.profile it wasn't meant to be used as a reference implementation for this issue, but it was meant to show a visual of how the new rules are added.
Please ignore that. I think I added that because I was already using a firewall and/or was testing around stuff.
Thanks for clearing that up!
Lutris 5.17 wasn't working for me too. I like restrictive sandboxes, so I tried seeing the minimum possible permissions to make it work, and all I really needed was `seccomp !modify_ldt,!ptrace,!process_vm_readv`.
Without those I get this on repeat until it gives up after I think 8 tries:
[0504/110919.095:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 1 time(s)
[0504/110919.279:ERROR:gpu_process_host.cc(985)] GPU process launch failed: error_code=43
[0504/110919.279:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 2 time(s)
I'm on the latest version of Firejail and Lutris from the Fedora repo, and I tested this with Steam for Windows.
I haven't tried the new features though, so I don't know what works with those. I used the default wine runner for testing, so different runners might need more permissions as @nutta-git mentioned.
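As an added example (not code from this issue or from Firejail itself), a small Python model of how `ignore` and `seccomp !syscall` lines compose across an `include`, under the simplified assumption that `ignore X` drops matching lines that appear after it; the profile contents are constructed stand-ins for lutris.profile and a local override, not the real files.

```python
# Constructed sample profiles (not the real lutris.profile): a main profile
# that includes a second file, mirroring the ignore/include question above.
PROFILES = {
    "lutris.profile": [
        "ignore netfilter",                                 # overrides a later netfilter line
        "seccomp !modify_ldt,!ptrace,!process_vm_readv",    # re-allow these syscalls
        "include lutris.local",
    ],
    "lutris.local": [
        "netfilter",                                        # dropped by the ignore above
        "restrict-namespaces",
        "seccomp !clone,!mount,!pivot_root,!umount2",       # extra syscalls from the report
    ],
}


def resolve(name, profiles, ignored=None, seen=None):
    """Flatten a profile into its effective lines, following `include`.

    Simplified model (assumption, not Firejail's exact parser): `ignore X`
    drops every later line whose command keyword is X, across includes.
    """
    ignored = set() if ignored is None else ignored
    seen = set() if seen is None else seen
    if name in seen:                      # guard against include loops
        raise ValueError(f"include loop at {name}")
    seen.add(name)
    out = []
    for raw in profiles[name]:
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "ignore":
            ignored.add(arg.strip())
        elif cmd == "include":
            out.extend(resolve(arg.strip(), profiles, ignored, seen))
        elif cmd not in ignored:
            out.append(line)
    return out


def seccomp_exceptions(lines):
    """Collect syscalls re-allowed via `seccomp !name,...` over all seccomp lines."""
    allowed = set()
    for line in lines:
        cmd, _, arg = line.partition(" ")
        if cmd == "seccomp":
            allowed.update(s[1:] for s in arg.split(",") if s.startswith("!"))
    return sorted(allowed)
```

Run `resolve("lutris.profile", PROFILES)` to see that `netfilter` is gone while `restrict-namespaces` survives; `seccomp_exceptions` then lists every syscall the two `seccomp !...` lines together remove from the default blocklist.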
This has already been fixed with #6067
> Lutris 5.17 wasn't working for me too. I like restrictive sandboxes, so I tried seeing the minimum possible permissions to make it work, and all I really needed was `seccomp !modify_ldt,!ptrace,!process_vm_readv`.
This was already done in #6067.
Does it work with firejail-git?
I'm using the Fedora 40 package, which is Firejail 0.9.72. That is the latest release, but it was released on Jan 16, 2023, which is before #6067. I should've checked if there were other issues on this in hindsight; thanks for mentioning the pull request.
Description
Lutris 5.17 is a major update with more than 540 commits. New features include the new umu wine-launcher package. This requires new file / syscall permissions to run games (tested with uplay). I won't follow the traditional reporting style since it's a lot of work. Yes, I tested it without the firejail profile and lutris 5.17-1 did run fine.
Steps to Reproduce
Steps to reproduce the behavior
New File permission
* whitelisting .local/share/Steam/compatibilitytools.d will not work; lutris now needs access to the whole /Steam folder (as far as I can see)
New syscall permission
!clone,!mount,!pivot_root,!umount2
Other permission
remove `restrict-namespaces`
Copy of my current lutris.profile: