netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page:https://firejail.wordpress.com

Lutris 5.17 need new permission and syscalls

nutta-git opened this issue · comments

Description

Lutris 5.17 is a major update with more than 540 commits. New features include the new umu wine-launcher package.
This requires new file/syscall permissions to run games (tested with uplay).
I won't follow the traditional reporting style since it's a lot of work.
Yes, I tested it without the firejail profile and Lutris 5.17-1 did run fine.

Steps to Reproduce

Steps to reproduce the behavior

  1. Download and install the following: Lutris 5.17-1 and firejail-git (Lutris 5.17-2 won't work for some reason, not related to firejail as far as I know)
  2. ln -s /usr/bin/firejail /usr/local/bin/lutris
  3. cp /etc/firejail/lutris.profile ~/.config/firejail/lutris.profile
  4. firecfg --fix
  5. Launch Lutris
  6. Start Ubisoft Connect [WINE - Latest Version]

New File permission

noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/umu
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu

*Whitelisting .local/share/Steam/compatibilitytools.d will not work; Lutris now needs access to the whole /Steam folder (as far as I can see)

New syscall permission

!clone,!mount,!pivot_root,!umount2

Other permission

remove restrict-namespaces

Copy of my current lutris.profile:

# Firejail profile for lutris
# Description: Multi-library game handler with special support for Wine
# This file is overwritten after every install/update
# Persistent local customizations
include lutris.local
# Persistent global definitions
include globals.local

noblacklist ${PATH}/llvm*
noblacklist ${HOME}/Games
noblacklist ${HOME}/.cache/lutris
noblacklist ${HOME}/.cache/wine
noblacklist ${HOME}/.cache/winetricks
noblacklist ${HOME}/.config/lutris
noblacklist ${HOME}/.config/MangoHud
noblacklist ${HOME}/.local/share/lutris
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/umu
# noblacklist ${HOME}/.wine
noblacklist /tmp/.wine-*
# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
# Lutris won't even start.
noblacklist /sbin
noblacklist /usr/sbin

ignore noexec ${HOME}

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/Games
mkdir ${HOME}/.cache/lutris
mkdir ${HOME}/.cache/wine
mkdir ${HOME}/.cache/winetricks
mkdir ${HOME}/.config/lutris
mkdir ${HOME}/.local/share/lutris
# mkdir ${HOME}/.wine
whitelist ${DOWNLOADS}
whitelist ${HOME}/Games
whitelist ${HOME}/.cache/lutris
whitelist ${HOME}/.cache/wine
whitelist ${HOME}/.cache/winetricks
whitelist ${HOME}/.config/lutris
whitelist ${HOME}/.config/MangoHud
whitelist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu
# whitelist ${HOME}/.wine
whitelist /usr/share/lutris
whitelist /usr/share/wine
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

# allow-debuggers
# apparmor
caps.drop all
ipc-namespace
ignore netfilter
nodvd
nogroups
nonewprivs
#noroot
notv
nou2f
protocol unix,inet,inet6,netlink
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv,!clone,!mount,!pivot_root,!umount2
seccomp.32 !modify_ldt,!process_vm_readv
# Add the next line to your lutris.local if you do not need controller support.
#private-dev
#private-tmp

dbus-user filter
dbus-user.own net.lutris.Lutris
dbus-user.talk com.feralinteractive.GameMode
dbus-system none

#restrict-namespaces

Once this is tested, I can make a pull request.
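As an added example (not code from this issue or from firejail), the following Python script diffs two profile texts and reports which syscalls the second one newly exempts from seccomp, which paths it newly whitelists and which bare hardening options it drops, so a reviewer of a change like the one proposed above sees how much wider the sandbox gets at a glance. The STOCK and PROPOSED strings are constructed excerpts, not the real shipped profile.

```python
"""Diff two firejail profiles: report syscalls newly exempted from seccomp,
paths newly whitelisted and bare hardening options dropped (added example)."""
from dataclasses import dataclass, field

@dataclass
class Perms:
    seccomp_allow: set = field(default_factory=set)  # syscalls exempted via '!name'
    whitelist: set = field(default_factory=set)
    options: set = field(default_factory=set)        # bare directives, e.g. restrict-namespaces

def parse_profile(text):
    perms = Perms()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and comments carry no permission
            continue
        directive, _, args = line.partition(" ")
        if directive in ("seccomp", "seccomp.32"):
            # '!name' keeps firejail's default blocklist but exempts that syscall
            perms.seccomp_allow.update(s[1:] for s in args.split(",") if s.startswith("!"))
        elif directive == "whitelist":
            perms.whitelist.add(args.strip())
        elif not args:
            perms.options.add(directive)
    return perms

def permission_delta(before, after):
    # Everything 'after' permits that 'before' did not: the sandbox got wider here.
    b, a = parse_profile(before), parse_profile(after)
    return {
        "new_seccomp_exceptions": sorted(a.seccomp_allow - b.seccomp_allow),
        "new_whitelist": sorted(a.whitelist - b.whitelist),
        "dropped_options": sorted(b.options - a.options),
    }

# Constructed excerpts standing in for the shipped profile and the proposed one.
STOCK = """\
whitelist ${HOME}/.local/share/lutris
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv
restrict-namespaces
"""
PROPOSED = """\
whitelist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv,!clone,!mount,!pivot_root,!umount2
#restrict-namespaces
"""

DELTA = permission_delta(STOCK, PROPOSED)  # four extra syscalls, two paths, one dropped option
```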

ignore netfilter

ignore looks odd here. It's supposed to override an option that gets included later (in either the same foo.profile or in a redirect). Is netfilter causing breakage?

When I included a copy of my lutris.profile, it wasn't meant to be used as a reference implementation for this issue;
it was meant to show visually how the new rules are added.

Please "ignore" that.
I think I added that because I was already using a firewall and/or was testing around stuff.

Thanks for clearing that up!

Lutris 5.17 wasn't working for me either. I like restrictive sandboxes, so I tried seeing the minimum possible permissions to make it work, and all I really needed was seccomp !modify_ldt,!ptrace,!process_vm_readv.

Without those I get this on repeat until it gives up after, I think, 8 tries:

[0504/110919.095:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 1 time(s)
[0504/110919.279:ERROR:gpu_process_host.cc(985)] GPU process launch failed: error_code=43
[0504/110919.279:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 2 time(s)

I'm on the latest version of Firejail and Lutris from the Fedora repo, and I tested this with Steam for Windows.

I haven't tried the new features though, so I don't know what works with those. I used the default wine runner for testing, so different runners might need more permissions, as @nutta-git mentioned.

This has already been fixed with #6067

Lutris 5.17 wasn't working for me either. I like restrictive sandboxes, so I
tried seeing the minimum possible permissions to make it work, and all I
really needed was seccomp !modify_ldt,!ptrace,!process_vm_readv.

This was already done in #6067.

Does it work with firejail-git?

I'm using the Fedora 40 package, which is Firejail 0.9.72. That is the latest release, but it was released on Jan 16, 2023, which is before #6067. In hindsight I should've checked if there were other issues on this; thanks for mentioning the pull request.