Best practices for running games on Linux with Nvidia

[adminx01]

Hi, I'm trying to achieve some security by limiting games to only have read permission of my system.

Here is what I ended up with using after going through a few suggestions found online:

--ro-bind /usr /usr --symlink usr/bin /bin --symlink usr/bin /sbin --symlink usr/lib /lib --symlink usr/lib /lib64 --ro-bind /opt /opt --dev /dev --tmpfs /var --tmpfs /tmp --tmpfs /run --dir /run/user/$UID --ro-bind /etc /etc --proc /proc --ro-bind $HOME/.Xauthority $HOME/.Xauthority --unshare-all --setenv PATH /usr/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl --bind "$(pwd)/" "$(pwd)/" --ro-bind-try "${XDG_RUNTIME_DIR}"/"${wayland_socket}" "${XDG_RUNTIME_DIR}"/"${wayland_socket}"

I am using Wayland but I'd like it to have it work on Xorg too ideally.

I am getting an error at the moment with the diplay device not being found by using these settings.

SDL_Init(SDL_INIT_VIDEO) failed: No available video device

Thanks to any suggestions!

[rusty-snake]

Add this somewhere after --dev /dev.

--dev-bind /dev/dri /dev/dri

This works for Intel GPU and systemd (logind). If you use NVIDIA you will need some more /dev/nvidiasomething. You can look at the sourcecode of firejail/bubbeljail to discover them.

Also note that you might need some sysfs files.

--bind /sys /sys

You can look at the source code of bubblejail for hardening of the sysfs mounts.

Last but not least you should keep in mind that X11 needs a socket too as Wayland does. Either via TCP (blocked by --unshare-all) or UNIX (usually /tmp/.X11-unix).

[adminx01]

Thanks for the suggestions! They helped a lot. I figured out that the SDL issue was caused by using unshare-net.

Using --ro-bind /tmp/.X11-unix /tmp/.X11-unix and this fixes it on xorg and xwayland.

However, I dont really understand what the workaround is for wayland. I think I could really use some specific examples :D

[smcv]

bubblewrap is a low-level tool for building sandbox environments and assumes/requires relatively extensive knowledge.

Because bubblewrap is setuid root in some configurations, every line of code is a potential security vulnerability, so bubblewrap is not the right place to put "quality of life" conveniences, like a shortcut for "make X11 work": that's a job for higher-level frameworks like Flatpak.

For a high-level framework built around bubblewrap, please check how something like Flatpak builds up a bubblewrap command-line. (Yes, it's a lot of code, and it needs to be: providing everything that is expected by arbitrary games and other desktop applications is complicated.)

Sorry, the maintainers of bubblewrap are responsible for many other projects and do not have the necessary time available to write detailed tutorials, or higher-level frameworks other than the ones we are already responsible for (some of the bubblewrap maintainers are also Flatpak maintainers).

[rusty-snake]

Some more system info could be usefull.

Did you made sure your Wayland socket mount works? Because from my expireance Wayland is often easier than x11.

[adminx01]

Nevermind that error, I figure it out. However I'd like to ask for any help from wondering readers if they know how to handle the nvidia proprietary driver within bubblewrap. It seems like a really annoying thing to achieve so far.

I keep getting this error:

X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 152 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0

I am attaching the script with the settings I use for bubblewrap.

script.txt

[MarkusTieger]

You also should add every device in /dev which starts with "nvidia". That means /dev/nvidia0, /dev/nvidiactl and /dev/nvidia-modeset.