
#1 2025-09-04 08:40:02

sceneks
Member
Registered: 2025-08-15
Posts: 6

How to Properly Isolate a Game and Its Proton Prefix?

I'm trying to isolate a Steam game and its Proton prefix using Firejail, but I keep running into issues.

Steam keeps creating the default Proton prefix (steamapps/compatdata/<gameid>) even when I try to redirect or isolate it. Inside that prefix, I noticed it still has access to my entire filesystem through the Z: drive (root /).

What I've Tried:

Running Steam or the game with Firejail using --private, --private-home, and custom profiles.

Attempting to move or bind the Proton prefix elsewhere, but Steam always recreates the original one.

Using systemd-nspawn for the root/Z: drive didn't work.

I want to:

Prevent the game and its Proton environment from accessing my root filesystem (Z: drive).

Properly isolate the game, ideally using Firejail or similar sandboxing.

Is there a known and effective method to do this with Firejail?

Do I need to resort to a virtual machine to achieve this level of isolation?

Any help, especially from someone who's managed this before, would be hugely appreciated. Thanks!

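Added example, not part of the original post and not written by anyone in this thread: a small POSIX shell check that lists what each drive letter of a Wine/Proton prefix actually resolves to on the host and fails when one of them is the host root, which is the Z: -> / mapping described above. The make_demo_prefix function builds a constructed prefix layout for demonstration only; point "audit" at a real steamapps/compatdata/<gameid>/pfx directory to check the prefix Steam created.

```shell
#!/bin/sh
# Added example, not from any post in this thread: report which host paths a
# Wine/Proton prefix exposes through its drive letters, and flag the Z: -> /
# mapping that Wine creates by default. Pass a real prefix (for Proton that is
# steamapps/compatdata/<gameid>/pfx) with "audit", or "demo" to run it against
# a constructed prefix built by make_demo_prefix below.

# Print "letter -> host path" for every drive symlink in $1/dosdevices.
# Returns 1 when any drive letter resolves to the host root directory.
audit_drive_mappings() {
    prefix=$1
    status=0
    for link in "$prefix"/dosdevices/[a-z]:; do
        [ -L "$link" ] || continue          # unmatched glob or not a symlink
        target=$(readlink -f "$link") || continue
        printf '%s -> %s\n' "${link##*/}" "$target"
        [ "$target" = / ] && status=1
    done
    return $status
}

# Constructed throw-away prefix that mimics Wine's default layout: C: points
# at drive_c inside the prefix, Z: at the host root. Prints the prefix path.
make_demo_prefix() {
    dir=$(mktemp -d)
    mkdir -p "$dir/drive_c" "$dir/dosdevices"
    ln -s ../drive_c "$dir/dosdevices/c:"
    ln -s / "$dir/dosdevices/z:"
    printf '%s\n' "$dir"
}

case ${1:-} in
    demo)  audit_drive_mappings "$(make_demo_prefix)" ;;
    audit) audit_drive_mappings "${2:?usage: $0 audit PREFIX}" ;;
esac
```

Run with "demo" to see the expected output of a default prefix (c: inside the prefix, z: resolving to /); a non-zero exit status from "audit" on a real prefix is the signal that the game can reach the host root through a drive letter, regardless of what the Proton launcher was told.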

#2 2025-09-04 10:36:07

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,961

Re: How to Properly Isolate a Game and Its Proton Prefix?

Steam Proton is a downstream fork of Wine; almost everything related to sandboxing/securing Wine will be valid for Proton.

https://github.com/netblue30/firejail/discussions/6084 may interest you.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#3 2025-09-06 13:53:33

sceneks
Member
Registered: 2025-08-15
Posts: 6

Re: How to Properly Isolate a Game and Its Proton Prefix?

Lone_Wolf wrote:

Steam Proton is a downstream fork of Wine; almost everything related to sandboxing/securing Wine will be valid for Proton.

https://github.com/netblue30/firejail/discussions/6084 may interest you.

I've written a shell script that I plan to run through Steam's game launch options. For now, I'm using --noprofile.

Is this done correctly? Are the game and its prefix sandboxed?
When I run it in Konsole I get this output:
firejail version 0.9.76

Parent pid 6915, child pid 6916
Base filesystem installed in 0.83 ms
Child process initialized in 9.63 ms
ProtonFixes[3] WARN: [CONFIG]: Parent directory "/home/sceneks/.config/protonfixes" does not exist. Abort.
ProtonFixes[3] WARN: Skipping fix execution. We are probably running an unit test.
fsync: up and running.

Parent is shutting down, bye...

-----------------------------------------

#!/bin/bash
# Run the game's Windows executable through Proton GE inside firejail;
# --noprofile means firejail applies no profile, only its default isolation.
firejail --noprofile \
    --env=STEAM_COMPAT_DATA_PATH="$HOME/.local/share/Steam/steamapps/compatdata/218620" \
    --env=STEAM_COMPAT_CLIENT_INSTALL_PATH="$HOME/.local/share/Steam" \
    /usr/share/steam/compatibilitytools.d/proton-ge-custom/proton run "$HOME/.local/share/Steam/steamapps/common/PAYDAY 2/payday2_win32_release.exe"

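Added example, not the poster's script and not Firejail project code: the same launch, rewritten so that firejail's --whitelist exposes only the Proton prefix and the game directory. With --noprofile and no filesystem options, firejail leaves the whole home directory visible inside the sandbox, so Wine's Z: drive still reaches everything; once a --whitelist under $HOME is given, everything else in the home directory simply does not exist inside the jail. The app id 218620, the Steam location and the proton-ge-custom path are taken from the thread; GAME_DIR, GAME_EXE and the hardening flags (--caps.drop=all, --nonewprivs, --noroot, --seccomp, --private-tmp) are my assumptions, and the script name proton-jail.sh is hypothetical. "check" prints what a sandboxed process sees in $HOME and /, "run" launches the game.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script and not
# Firejail project code). It exposes only the Proton prefix and the game
# directory to the sandbox; every other path under $HOME does not exist
# inside it, so Wine's Z: drive can only reach the sandbox's own view of "/".
# Assumed layout, overridable through the environment: app id 218620, the
# Steam location and the proton-ge-custom path come from the thread,
# GAME_DIR and GAME_EXE are assumptions.

STEAM_ROOT=${STEAM_ROOT:-"$HOME/.local/share/Steam"}
APPID=${APPID:-218620}
PREFIX=${PREFIX:-"$STEAM_ROOT/steamapps/compatdata/$APPID"}
GAME_DIR=${GAME_DIR:-"$STEAM_ROOT/steamapps/common/PAYDAY 2"}
GAME_EXE=${GAME_EXE:-"$GAME_DIR/payday2_win32_release.exe"}
PROTON_DIR=${PROTON_DIR:-/usr/share/steam/compatibilitytools.d/proton-ge-custom}

# Firejail options, one per line. As soon as one --whitelist under $HOME is
# given, firejail mounts an empty home and bind-mounts only the listed paths.
# If Proton reports a missing file below $STEAM_ROOT on the first run, add a
# --whitelist for that specific subdirectory instead of the whole Steam tree.
jail_args() {
    printf '%s\n' \
        --noprofile \
        --caps.drop=all \
        --nonewprivs \
        --noroot \
        --seccomp \
        --private-tmp \
        "--whitelist=$PREFIX" \
        "--whitelist=$GAME_DIR" \
        "--env=STEAM_COMPAT_DATA_PATH=$PREFIX" \
        "--env=STEAM_COMPAT_CLIENT_INSTALL_PATH=$STEAM_ROOT"
}

# Return 1 if any required path is missing. Without this check firejail
# would create empty whitelisted directories and the game would fail late.
preflight() {
    missing=0
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; missing=1; }
    done
    return $missing
}

# Run "$@" under firejail with jail_args prepended. The argument list is
# split on newlines only, so the space in "PAYDAY 2" survives.
run_jailed() {
    command -v firejail >/dev/null 2>&1 || { echo "firejail not installed" >&2; return 2; }
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(jail_args) "$@"
    set +f
    IFS=$old_ifs
    firejail "$@"
}

# Show what a process inside the jail sees: $HOME should contain only the
# whitelisted subtree, and "/" is firejail's read-only system skeleton.
show_view() {
    run_jailed --quiet sh -c 'echo "== $HOME =="; ls -A "$HOME"; echo "== / =="; ls -A /'
}

run_game() {
    preflight "$PREFIX" "$GAME_DIR" "$GAME_EXE" "$PROTON_DIR/proton" || return 1
    run_jailed "$PROTON_DIR/proton" run "$GAME_EXE"
}

case ${1:-} in
    run)   run_game ;;
    check) show_view ;;
esac
```

Running "./proton-jail.sh check" before the first game launch is the quickest way to confirm the effect: the listing of $HOME should show nothing but the .local path leading to the prefix and the game directory, which is also all that Z:\home\<user> will contain inside Wine. Saves and the prefix itself stay writable because they live under the whitelisted compatdata directory.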

#4 2025-09-07 00:19:01

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,564

Re: How to Properly Isolate a Game and Its Proton Prefix?

Probably in your script you will also need to link the Wine bottle in some way.

The Wine bottle is where all the things and the game are, so you can be able to play it. That also means installing libraries or frameworks; for example, many games need .NET in order to play them, and most of the time these dependencies are downloaded through winetricks, which is the official script for downloading all this stuff in Wine. Winetricks also sometimes downloads some old fonts for some games so you can play them. All of the dependencies and the game are in the Wine bottle, which Steam should create somewhere. So it's not just linking Proton in some way; it is also making sure you grant access to Windows libraries, fonts and frameworks through the Wine bottle. That is also a hard thing to do since you are in some way translating DirectX through Vulkan [DXVK https://github.com/doitsujin/dxvk ]; not sure if anyone has made something like that. Also, all of this is going to be more difficult if you are using the Flatpak version of Steam. Nevertheless, if you find some way to do it, it would be great to know. But in some way you will need to make the DLL + Windows stuff in the Wine bottle work with Vulkan so the GPU API can be translated well and you can play your games; making Vulkan work in sandboxing, I'm not sure if that's possible.

But you have some options. One option is to do the virtualization as you say, and make the PCI passthrough of the GPU. You will need two GPUs; if I'm not wrong you can have one integrated and one discrete, but usually the two discrete GPU combo is the best approach. Doing that, your host file system should not be available to your Steam games, but remember that VM breakthrough is possible, so it's not like 100% always the case.

Another option is to do things more like Bazzite Linux does: https://docs.bazzite.gg/General/SteamOS_Comparison/
You can maybe copy the SELinux config files to your setup and see what happens. Using MAC, maybe you can in some way tell the system not to allow Steam to access these folders, but you will also need in some way to specify the paths of the libraries, among other things, so your game can work.

The VM approach is easier to do in my honest opinion, but probably the SELinux one is the more professional one.

Edit:

SELinux does have some way to learn how your system is working; it is more like a "learning" mode. That's the easiest path, but that's not going to work for you, since probably Steam is going to ask for the / path while SELinux is learning and it's going to be recorded; you probably need to create the rules by hand so that can't happen. But maybe there is a way to do the learning thing and then just make some adjustments. I'm not so great at SELinux right now, so I can't help you in detail. If I'm not wrong, you will need to set SELinux to permissive mode and use audit2allow. So probably the easiest thing is just to copy the Bazzite template to your computer.

Last edited by Succulent of your garden (2025-09-07 00:29:58)


str( @soyg ) == str( @potplant ) btw!

Also now with avatar logo included!

