
How do you troubleshoot bwrap/wine sandboxes for Windows games?

+4
−0

I use Wine to play Windows games. As is well known:

  • Wine is not a sandbox
  • Windows games are proprietary blobs and can contain malware
  • Windows malware can potentially harm Linux through Wine

I don't want malware having free rein on my Linux machine so I sandbox it with bwrap. For the less-informed, bwrap is the low-level tool used for flatpak, which is used by Wine Bottles, a popular Wine tool. In practice I see that attempting to set up sandboxes with Flatpak or Bottles (what it calls "dedicated sandbox") results in very similar behavior to the CLI command bwrap wine foo.exe.

I noticed that as I try to restrict a game with bwrap, there are often files that it requires access to, and fails without. For example, many games need access to /sys/devices/system/cpu and /dev/nvidia0 (not surprising). The problem is to find all such possible paths when the game is failing.

As a general approach I can always:

  1. Confirm the game runs with all paths permitted
  2. Confirm the game fails with only some paths permitted
  3. Keep adding a few paths from 1 to 2 until it works

This sort of works, but of course it's not very practical. Is there some direct way to see what files the game is trying to access inside the bwrap wine, and failing?


0 comment threads

1 answer

+3
−0

I've done this exact thing with these same tools, as recently as this morning.

I use strace to measure file access sometimes; trouble is, a lot of programs/libraries will attempt to look for a lot of files that don't need to exist, so combing through the strace logs can be a long slog too. In theory, I could have written a script that would correlate those logs with paths that actually exist in my host filesystem. In practice, generally I do the same 1-2-3 dance you describe and only supplement that with strace when I'm stumped.

0 comment threads
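
The correlation script the answer mentions only in theory, sketched here as an added example (not part of the original answer): it reads an strace log of the sandboxed run and keeps only the failed lookups whose paths exist on the host. It assumes the log came from strace -f -e trace=file and that the script runs outside the sandbox; the function and variable names are illustrative and the sample log lines are constructed.

```python
import os
import re
import sys
from collections import Counter

# Matches a failed path-taking syscall in `strace -f -e trace=file` output, e.g.
#   4021 openat(AT_FDCWD, "/dev/nvidia0", O_RDWR) = -1 ENOENT (No such file or directory)
# Calls split into "<unfinished ...>" / "resumed" halves are skipped.
FAILED = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'      # optional pid prefix (stderr or -o file style)
    r'(?P<call>\w+)\('                     # syscall name
    r'(?:AT_FDCWD,\s*)?'                   # *at() calls resolved from the cwd
    r'"(?P<path>/[^"]*)"'                  # first absolute path argument
    r'.*\)\s+=\s+-1\s+(?P<errno>E\w+)'     # call failed; capture the errno name
)
INTERESTING = {"ENOENT", "EACCES", "EPERM"}

def missing_in_sandbox(lines, host_exists=os.path.lexists):
    """Map path -> (failure count, errnos) for paths that failed inside the
    sandbox but exist on the host, most frequent first."""
    hits, errnos = Counter(), {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["errno"] not in INTERESTING:
            continue
        path = os.path.normpath(m["path"])
        if host_exists(path):              # drop probes for files that exist nowhere
            hits[path] += 1
            errnos.setdefault(path, set()).add(m["errno"])
    return {p: (n, sorted(errnos[p])) for p, n in hits.most_common()}

# Constructed sample lines (not from a real game run); both pid prefix styles shown.
SAMPLE = '''\
4021 openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4021 openat(AT_FDCWD, "/dev/nvidia0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4021 openat(AT_FDCWD, "/usr/lib/wine/nonexistent-probe.so", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4022] stat("/dev/nvidia0", 0x7ffd1c2a) = -1 ENOENT (No such file or directory)
4021 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
'''.splitlines()

if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, (count, errs) in missing_in_sandbox(lines).items():
        print(f"{count:5d}  {','.join(errs):8s}  {path}")
```

Paths at the top of the output are the first candidates to expose with bwrap's --ro-bind or --dev-bind; anything the host also lacks is filtered out as library probing noise.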
