I want to use bubblewrap to sandbox Wine games. It seems easier than managing wine prefixes, and more secure than potentially letting the game access my entire filesystem.
I'm thinking I can come up with a one-size-fits-all bwrap invocation that I can use to run all games, and adjust as I discover new corner cases. I started with one game (appears to be 2D) and narrowed it down from the permissive "bwrap --dev-bind / /" form. I ended up with the following.
bwrap \
--unshare-user-try \
--unshare-ipc \
--unshare-pid \
--unshare-uts \
--unshare-cgroup-try \
--ro-bind /usr /usr \
--symlink /usr/bin /bin \
--symlink /usr/lib /lib \
--symlink /usr/lib /lib64 \
--symlink /usr/bin /sbin \
--dir /tmp \
--dir /var \
--clearenv --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/bin --setenv HOME ~ --setenv WINEDEBUG -all \
--dev-bind /dev/nvidia0 /dev/nvidia0 \
--dev-bind /dev/nvidiactl /dev/nvidiactl \
--dev-bind /sys/devices/system/cpu /sys/devices/system/cpu \
--proc /proc \
--setenv XDG_RUNTIME_DIR '/run/user/1000' --dev-bind /run/user/1000/pulse /run/user/1000/pulse \
--setenv DISPLAY ':0' --setenv XAUTHORITY '/home/lfitzgerald/.Xauthority' --bind ~/.Xauthority ~/.Xauthority \
--bind foo/wine ~/.wine --bind foo/game ~/.wine/drive_c/game --bind foo/data /data --chdir ~/.wine/drive_c/game \
wine game.exe

This is able to run my game with working graphics and sound. However, there are some telltale issues that make me suspect it's not exactly "as good as" running the game without bwrap (or just with the permissive form):
* When I first launch the game, for about half a second, the screen is filled with garbled pixels (I'm guessing uninitialized video memory or something like that)
* There seems to be slightly more stuttering than usual
* The game freezes on rare occasion (I can't say for sure if it's more often than without sandbox)
I'm not asking about troubleshooting this game specifically, but about improving my general bwrap invocation. If anyone has experience with Wine games, are there any obvious paths I'm missing (especially under /dev, /run or /sys) that Wine games would typically need access to? For example, in the past I had other games (Civ5) complain about no access to /dev/dri/, but this one doesn't complain in any obvious way (maybe because it's not 3D).
I also tried looking at strace. Doing "strace bwrap ..." seemed to catch a lot of spurious stuff, so I instead do "bwrap ... strace wine game.exe". This reveals a lot of interesting stuff. However, when I grep through the trace to look for files, I see a lot of confusing things:
* There are many strings like "\N\0\0\0\0\0..." where the whole string is escape sequences
* There's a lot of stuff to do with fonts, both under /etc and ~ but even though those are sandboxed the game seems to run anyway
* Stuff like "/sys/devices/system/cpu" - which doesn't break the game even if I don't bind it
* During trial and error, I've encountered many cases where the game won't start up if I don't bind some path, but that path never appears in the trace (even after binding). For example, the /dev/nvidia ones.
The terminal messages I get from wine and the game are not very useful: they don't mention any specific file names or general errors; a lot of it seems to be implementation details.
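An added example for the strace part of the question (this is not code from the thread or from bubblewrap): a small POSIX shell helper that pulls the paths a sandboxed program failed to find out of an strace log, filters out the font noise mentioned above, and builds optional --dev-bind arguments only for device nodes that exist on the host, which is what a one-size-fits-all invocation needs across machines with and without a given GPU device. The strace flags -f, -o and -e trace=file are real; the log path /tmp/trace.log and the sample trace lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): find which paths a program running
# under bwrap could not find, from an strace log captured inside the sandbox.
#
# Capture the log from inside the sandbox, tracing only file-related syscalls
# so the binary payloads of read/write/sendmsg (the "\N\0\0\0..." strings)
# are not recorded at all:
#   bwrap ... strace -f -o /tmp/trace.log -e trace=file wine game.exe
# (-f follows child processes, which Wine creates plenty of; -o writes the
#  trace to a file instead of stderr; /tmp/trace.log is a placeholder name.)

# Print every distinct path that a file syscall reported as ENOENT, sorted.
# Reads the strace log on stdin; the first quoted string on a line is the path.
missing_paths() {
    grep -- '= -1 ENOENT' \
      | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' \
      | sort -u
}

# Same list without the fontconfig noise: lookups under /etc/fonts,
# ~/.fonts and fontconfig caches have fallbacks and rarely stop a game.
missing_paths_nofonts() {
    missing_paths | grep -v -e '/fonts/' -e '/\.fonts' -e '/fontconfig/'
}

# Emit "--dev-bind P P" (one per line) for each candidate device path that
# exists on this host, so one generic bwrap command line can be reused on a
# machine that has /dev/nvidia* and on one that only has /dev/dri.
# Paths are assumed to contain no whitespace, since the caller word-splits
# the output:  bwrap $(optional_dev_binds /dev/dri /dev/nvidia0 ...) ...
optional_dev_binds() {
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf -- '--dev-bind %s %s\n' "$p" "$p"
        fi
    done
}

# Constructed sample strace lines (not a real capture) for a demonstration run.
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/dri/card0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/fonts/fonts.conf", R_OK) = -1 ENOENT (No such file or directory)
stat("/sys/devices/system/cpu", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
openat(AT_FDCWD, "/dev/dri/card0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/user/.fonts/x.ttf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/nvidia0", O_RDWR) = 5'

# Demonstration: the only non-font path the sandboxed program missed.
echo "Paths missing inside the sandbox (fonts excluded):"
printf '%s\n' "$SAMPLE_TRACE" | missing_paths_nofonts

# Demonstration: binds that apply on this particular host.
echo "Device binds available here:"
optional_dev_binds /dev/dri /dev/nvidia0 /dev/nvidiactl
```

With a real log the workflow is "missing_paths_nofonts < /tmp/trace.log", then decide per path whether it is worth exposing; a device node or a config directory the game genuinely needs gets a bind, while a speculative lookup that the program recovers from (like the font paths here) is left out so the sandbox stays as narrow as possible. Newer bubblewrap releases also have --dev-bind-try, which silently skips a missing source and does the same job as optional_dev_binds natively.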
I think I've found why the freezing happens in this case: I have two monitors, and when I run the game in the default configuration, it's fine. If I disable the second monitor with xrandr and leave only one, and also switch the game to full screen, it freezes. One monitor and windowed seems fine though, as is two monitors and full screen.
Not sure what's going on there, but sounds like something Xorg-related.