How do you troubleshoot bwrap/wine sandboxes for Windows games?
I use Wine to play Windows games. As is well known:
- Wine is not a sandbox
- Windows games are proprietary blobs and can contain malware
- Windows malware can potentially harm Linux through Wine
I don't want malware having free rein on my Linux machine so I sandbox it with bwrap. For the less-informed, bwrap is the low-level tool used for flatpak, which is used by Wine Bottles, a popular Wine tool. In practice I see that attempting to set up sandboxes with Flatpak or Bottles (what it calls "dedicated sandbox") results in very similar behavior to the CLI command `bwrap wine foo.exe`.
I noticed that as I try to restrict a game with bwrap, there are often files that it requires access to, and fails without. For example, many games need access to `/dev/nvidia0` (not surprising). The problem is to find all such possible paths when the game is failing.
As a general approach I can always:
1. Confirm the game runs with all paths permitted
2. Confirm the game fails with only some paths permitted
3. Keep adding a few paths from 1 to 2 until it works
This sort of works, but of course it's not very practical. Is there some direct way to see what files the game is trying to access inside the bwrap wine, and failing?
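One way to get the direct view the question asks for, as an added example that is not part of the original post: trace the file-related syscalls of the Wine process tree with `strace -f -e trace=file` and pull out the paths that returned ENOENT, EACCES or EPERM. Because Wine probes many non-existent paths even without a sandbox, a single trace is mostly noise; the script below therefore compares the failures from a sandboxed run against a baseline run with everything permitted and reports only the paths that fail under bwrap. The `strace`/`bwrap` command lines in the comments, the log file names, the game path `foo.exe` and the sample trace lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original question). Find the paths a Wine game
# fails to reach inside a bwrap sandbox by tracing file syscalls and comparing
# the failures against an unsandboxed baseline run.
#
# Capturing the traces (assumed invocation; use your own bind mounts):
#   strace -f -e trace=file -o baseline.log wine foo.exe
#   strace -f -e trace=file -o sandbox.log  bwrap --ro-bind / / --dev /dev -- wine foo.exe
# Assumption: bwrap is the unprivileged (user-namespace) build. If your distro
# ships it setuid-root, ptrace cannot follow it; run strace inside the sandbox
# instead and bind-mount a writable directory for the log file.

# Print, once each and sorted, the paths of syscalls that failed with an error
# a sandbox typically causes (ENOENT, EACCES, EPERM).
failed_paths() {   # usage: failed_paths strace.log
  grep -E '= -1 E(NOENT|ACCES|PERM) ' "$1" |
    sed -E 's/^[^"]*"([^"]*)".*$/\1/' |   # first quoted argument is the path
    sort -u
}

# Paths that fail only under the sandbox: everything that also fails in the
# baseline run is normal Wine path probing and is dropped.
sandbox_only_failures() {   # usage: sandbox_only_failures baseline.log sandbox.log
  tmpdir=$(mktemp -d)
  failed_paths "$1" > "$tmpdir/baseline"
  failed_paths "$2" > "$tmpdir/sandbox"
  comm -13 "$tmpdir/baseline" "$tmpdir/sandbox"   # lines unique to the sandbox list
  rm -rf "$tmpdir"
}

# Constructed sample traces standing in for real strace -f output.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/baseline.log" <<'EOF'
4242  stat("/home/user/.wine/drive_c/windows/system32/d3d12.dll", 0x7ffd3a1c2e40) = -1 ENOENT (No such file or directory)
4242  openat(AT_FDCWD, "/dev/nvidia0", O_RDWR|O_CLOEXEC) = 4
4243  openat(AT_FDCWD, "/home/user/.config/foo/settings.ini", O_WRONLY|O_CREAT, 0644) = 5
EOF
cat > "$demo_dir/sandbox.log" <<'EOF'
4242  stat("/home/user/.wine/drive_c/windows/system32/d3d12.dll", 0x7ffd3a1c2e40) = -1 ENOENT (No such file or directory)
4242  openat(AT_FDCWD, "/dev/nvidia0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242  openat(AT_FDCWD, "/dev/nvidia0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4243  openat(AT_FDCWD, "/home/user/.config/foo/settings.ini", O_WRONLY|O_CREAT, 0644) = -1 EACCES (Permission denied)
4243  openat(AT_FDCWD, "/usr/lib/libvulkan.so.1", O_RDONLY|O_CLOEXEC) = 3
EOF

# Prints /dev/nvidia0 and the read-only settings file; the d3d12.dll probe
# fails in both runs and is filtered out.
sandbox_only_failures "$demo_dir/baseline.log" "$demo_dir/sandbox.log"
```

Each reported path maps to a missing `--dev-bind`, `--bind` or `--ro-bind` in the bwrap command line; an EACCES on a write, as with the settings file above, usually means the directory was mounted read-only rather than not at all. Treat the list as a review queue, not an automatic allow-list: a path the game insists on that has nothing to do with running the game is exactly what the sandbox is there to catch.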