Post History

How do you troubleshoot bwrap/wine sandboxes for Windows games?

I use Wine to play Windows games. As is well known:

* Wine is not a sandbox
* Windows games are proprietary blobs and can contain malware
* Windows malware can potentially harm Linux through Wine

I don't want malware having free reign on my Linux machine so I sandbox it with bwrap. For the less-informed, bwrap is the low-level tool used for flatpak, which is used by Wine Bottles, a popular Wine tool. In practice I see that attempting to set up sandboxes with Flatpak or Bottles (what it calls "dedicated sandbox") results in very similar behavior to the CLI command `bwrap wine foo.exe`.

I noticed that as I try to restrict a game with `bwrap`, there are often files that it requires access to, and fails without. For example, many games need access to `/sys/devices/system/cpu` and `/dev/nvidia0` (not surprising). The problem is to find *all* such possible path when the game is failing.

As a general approach I can always:

1. Confirm the game runs with all paths permitted
2. Confirm the game fails with only some paths permitted
3. Keep adding a few paths from 1 to 2 until it works

This sort of works, but of course it's not very practical. Is there some direct way to *see* what files the game is trying to access inside the `bwrap wine`, and failing?