I'm playing a WarThunder game and I was wondering if there's a way to restrict access for the game and in general for any app to a folder/s?
Is that even a thing?
Last edited by magnicu (2024-05-29 08:22:00)
Yes it's possible. And there are multiple approaches. What is your goal / reason for wanting this? How regularly (i.e., for how many programs) will you want to do this?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Glad to hear that.
Well, I want to protect myself from unwanted telemetry/spying/etc.
I can use firewall to restrict i-net access, but I can't know what data some apps/game may collect.
For example, WarThunder game is sitting in my /home/user/games/warthunder directory with executable file that starts the whole game, but it also uses folders like /home/user/.config for writing data to it. Ideally, I would like to fully take control of what it can and can't do: write-and-read access to /home/user/.config/warthunder, read-only access for /home/user/some-folder and no-access for the rest.
What are the approaches?
https://wiki.archlinux.org/title/fireja … m_profiles
If you don't expect the game to be malicious you can perhaps also just steer it w/ https://wiki.archlinux.org/title/XDG_Base_Directory
I can't know what data some apps/game may collect.
The old-fashioned approach is just setting file / directory permissions as desired (and running the program as a dedicated user). It seems Access Control Lists are the new way of doing this. But you may also want AppArmor or some other sandboxing approach which (I believe) would simplify all the settings for a given app (including filesystem access, network restrictions, etc). I don't have experience myself with any of these but the first - but each has good wiki articles to get you started.
EDIT: I may have mixed up AppArmor with FireJail, and the latter is probably the more relevant - sorry, as noted, I've not used any of these myself.
Last edited by Trilby (2024-05-25 16:21:59)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
I didn't know about audit framework, it's similar to journalctl, just for the entire system and not only systemd?
I'm going to read more about XDG, but as you said, it's only if I can trust the app to respect these specifications, so it's more a convention than a restriction?
Sandboxing is something I considered, but it's not preferable as there are ways for an application inside a sandboxed environment to find out it's sandboxed.
The user-restricted access means I can create an entirely new user (for higher isolation) and grant only that user the right to execute the game file, so the game will write and do whatever it needs in user-isolated space only? Or will it have some other option to escape?
Last edited by magnicu (2024-05-25 18:16:18)
I was not thinking of creating an actual user as in one that can log in and have their own home directory, rather a system user as is done for a wide range of services (e.g., the http user for most web servers). You'd then grant read or read/write access for that user just to the files / directories that the game needs, then launch the game as that user (e.g. `sudo -u gamer WarThunder`). However, if this is a graphical game, that will likely be much harder than it sounds as you'd then need to either run an entire nested display server just for that user or work out all the kinks in that other user being able to communicate with the display server - I suspect this would be so impractical as to effectively be impossible: in the end this would be a DIY sandboxing anyways - it'd be far more work, far more overhead, and far more error prone than using a good quality existing sandboxing system.
What's wrong with a program finding out it's sandboxed? There is no way you can restrict a program's access to files without it knowing it doesn't have access to those files. Okay, theoretically you could create a whole virtual OS for it to run in and "spoof" everything so it thinks it's reading files while the spoofed OS is feeding it fake file content, and it could think it was writing to files but the spoofed OS would just discard the writes ... but what if the program wrote to a file then read back to check? Your spoofing OS would have to cache every write to later feed back to the program. At that point it's no longer really a spoofed OS, but a real OS running as a virtual machine (which is now yet far more complex than any previous options).
Now creating an actual separate login user would be simpler than the craziness above - but that'd have downsides too. You'd then be running it in a completely separate display server likely on a different TTY and you'd just be switching between that and your regular session. That is a possibility, but I doubt that's what you'd want. It really sounds like sandboxing with something like firejail is what you need.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
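The filesystem policy asked for earlier in the thread (read-write on the game's config directory, read-only on one extra folder, nothing else in the home directory), written as a firejail profile. This is an added example and not part of any post; the profile file name and the `<launcher>` placeholder are assumptions, and the paths are the ones quoted in the thread with `${HOME}` standing in for /home/user.

```conf
# Constructed example profile. Save as
#   $HOME/.config/firejail/warthunder.profile   (file name is an assumption)
#
# Launch (replace <launcher> with the game's real executable name):
#   firejail --profile="$HOME/.config/firejail/warthunder.profile" \
#            "$HOME/games/warthunder/<launcher>"
#
# Verify what the sandbox can see before trusting it:
#   firejail --profile="$HOME/.config/firejail/warthunder.profile" ls -la "$HOME"
#   Files outside the whitelisted paths should not be listed.

# Make sure the config directory exists, otherwise the whitelist entry
# for it has nothing to expose.
mkdir ${HOME}/.config/warthunder

# Once any path under $HOME is whitelisted, the rest of $HOME is hidden
# from the sandboxed process. Whitelisted paths stay read-write unless
# marked otherwise.
whitelist ${HOME}/games/warthunder
whitelist ${HOME}/.config/warthunder
whitelist ${HOME}/some-folder

# Visible but not writable.
read-only ${HOME}/some-folder

# Scope of this profile: whitelist only narrows $HOME here. System
# directories such as /usr and /etc remain readable, which the game
# needs for libraries anyway.

# Privilege hardening that does not depend on the game's behaviour.
caps.drop all
nonewprivs
noroot

# Private /tmp so temporary files of other programs are not visible.
private-tmp
```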
Install it through flatpak, then reduce the permissions as you like through Flatseal. That would be the most simple way to go about it.
https://flathub.org/apps/net.gaijin.WarThunder (https://github.com/flathub/net.gaijin.WarThunder)
By default this flatpak does not have any file system access at all (apart from the chroot the flatpak runs in, i.e. it can only access the data stored in ~/.var/app/flatpak-name and readonly access to its package + dependencies stored in /var/lib/flatpak/)
https://flathub.org/apps/com.github.tchx84.Flatseal
Last edited by AaAaAAaaAAaARCH (2024-05-25 19:29:43)
Trilby, yeah, I didn't get it right the first time. I didn't even know this type of users exist.
Look what I found
https://askubuntu.com/questions/893528/ … ess-to-gpu
Does the answer there make sense to you, or may it cause issues etc.?
I read that many apps/games that use these kinds of things (telemetry etc.) check whether they are inside a sandbox and, if they find out, they block access etc.
With War Thunder for example I tried to use a virtual machine and different sandboxing techniques on Windows and it didn't let me install the game. But I am going to try sandboxing with firejail and see if it lets me launch it. As far as I got it, I only start the app/game with sandboxed firejail, it makes it easier to use.
AaAaAAaaAAaARCH, this is crazy. I'm surprised there's a flatpak version of War Thunder. I'm going to try that.
Thank you guys for help
AaAaAAaaAAaARCH, I didn't know War Thunder has a flatpak. That's such a surprise for me.