What are the best ways to run a game on sandboxed mode with only game HDD shared to it. There should not be network access for the game and there should be GPU (intel integrated) pass-through.
I have tried Gnome boxes, but GPU pass through is not working and checked distrobox, but that too shares HOME folder.
You can do this using Lutris.
- Install it from Flathub
- Open Lutris and have it install the tools it needs (wine, dxvk, etc)
- Close Lutris
- Use Flatseal to limit its permissions; remove network, filesystem access, etc
- Open Lutris and run the game
Note that this isn’t a perfect sandbox. For example, the game can still send a link to your browser to open. Theoretically it could do something malicious with that. Though you could probably work around that issue by changing your default browser to a flatpak version and disable network access there. There might be other small sandbox breaks, but nothing I can think of.
Can the same be say with bottle?
Yes
You can try Firejail
Fitejail is a large SETUID binary which weakens security and can aid in privilege escalation. Use Bubblewrap (preinstalled on most Linux systems cus of Flatpak) which runs unpriveleged. Bubblejail is a program that makes it easier to make sandboxes profiles for apps.
Oof, I didn’t know that about firejail. I’d heard of it, but I’d never used it. Like, c’mon folks! If you need privilege escalation, either require launching as root (if appropriate), or delegate the responsibility to a small, well-audited tool designed explicitly for the purpose and spawn a new privileged pid. Don’t use SUID. You will fuck it up. If you reach the point where setuid is your only option, then you’ve hopefully learned enough to rearchitect to not need it, or to give up, or use it if you’re, say, someone who maintains a libc or something.
EDIT: this is overly dramatic, but also it’s not. I personally feel like using SUID is kinda like rolling your own crypto in terms of required competence.
I got some answers to a similar question here https://lemm.ee/post/45993313
There are systemd nspawn Containers, you could install debian, or whatever you fancy inside, they provode simmillar isolation to docker containers and you can even integrate them with gui.
Containerized apps will then only see the container folder
Keep in mind that non-hardenized containers only protect you from bugs, they don’t protect you from sophisticated malware. If you suspect the software you are trying to run might be a virus, don’t run it, or run it in a virtual machine.
I would recommend using containers only if you absolutely understand how to make them secure AND you have no reason to suspect the software you are running might contain nefarious code. In any other case use a virtual machine.
true enough, video acceleration is a bit harder / more expensive with an extra gpu, thats why i shyed away from suggesting vms
Yeah, I realize that and that’s a nuisance for a videogame… If the game is small enough, OP might be able to give it a virtual GPU with VirtualBox, I did it in the past to play with friends on a single computer. I don’t know if the usual KVM-based VMs support it as well.
im not on arch but the explanation is still valuable: https://wiki.archlinux.org/title/Systemd-nspawn
Don’t.
