How do you troubleshoot bwrap/wine sandboxes for Windows games?
I use Wine to play Windows games. As is well known:

* Wine is not a sandbox
* Windows games are proprietary blobs and can contain malware
* Windows malware can potentially harm Linux through Wine

I don't want malware having free rein on my Linux machine, so I sandbox it with bwrap. For the less-informed, bwrap is the low-level tool used by Flatpak, which is used by Bottles, a popular Wine tool. In practice I see that attempting to set up sandboxes with Flatpak or Bottles (what it calls a "dedicated sandbox") results in very similar behavior to the CLI command `bwrap wine foo.exe`.

I noticed that as I try to restrict a game with `bwrap`, there are often files that it requires access to, and it fails without them. For example, many games need access to `/sys/devices/system/cpu` and `/dev/nvidia0` (not surprising). The problem is to find *all* such possible paths when the game is failing. As a general approach I can always:

1. Confirm the game runs with all paths permitted
2. Confirm the game fails with only some paths permitted
3. Keep adding a few paths from 1 to 2 until it works

This sort of works, but of course it's not very practical. Is there some direct way to *see* what files the game is trying to access inside the `bwrap wine` sandbox, and failing?
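One direct way to see the failing accesses, as an added example that is not part of the original post: run `strace -f -e trace=file -o /tmp/trace.log wine foo.exe` inside the bwrap sandbox (assuming the strace binary and a writable `/tmp` are bound into it) and then parse the log for file syscalls that returned ENOENT, EACCES or EPERM. The parser below is added example code; the strace lines in `SAMPLE_TRACE` are constructed, not a real capture, and `suggest_bind_args` keeps only paths that also exist on the host, because a path missing on the host too is just Wine's ordinary probing and no bind would help.

```python
import os
import re
from collections import Counter

# Constructed sample of `strace -f` output (pid-prefixed lines), not a real capture.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/dev/nvidia0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1235 openat(AT_FDCWD, "/dev/nvidia0", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
1236 stat("/home/user/.wine/drive_c/foo.dll", 0x7ffd1a2b3c4d) = -1 ENOENT (No such file or directory)
1235 <... openat resumed>, O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Matches `<call>(<args>) = -1 <ERRNO>`; lines split by -f ("<unfinished ...>" / "resumed")
# have lost their path argument and are deliberately skipped.
LINE_RE = re.compile(r"^(?:\d+\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*-1\s+(?P<errno>E[A-Z]+)")
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FILE_CALLS = {"open", "openat", "stat", "lstat", "newfstatat", "statx",
              "access", "faccessat", "faccessat2", "readlink", "readlinkat", "execve"}
DENIED = {"ENOENT", "EACCES", "EPERM"}

def failed_paths(trace_text):
    """Count absolute paths whose file syscalls failed with a 'missing or forbidden' errno."""
    hits = Counter()
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["call"] not in FILE_CALLS or m["errno"] not in DENIED:
            continue
        for path in PATH_RE.findall(m["args"]):
            if path.startswith("/"):  # relative names are resolved inside the prefix, ignore
                hits[path] += 1
    return hits

def suggest_bind_args(hits, exists=os.path.exists):
    """Map failed paths to candidate bwrap flags. Only paths that also exist on the
    host qualify: a path missing on the host too is ordinary probing (Wine checks
    many optional files). Device nodes need --dev-bind; the rest is offered read-only,
    so widen to --bind yourself only where the game must actually write."""
    args = []
    for path in sorted(hits):
        if not exists(path):
            continue
        flag = "--dev-bind" if path.startswith("/dev/") else "--ro-bind"
        args.append(f"{flag} {path} {path}")
    return args
```

Feed your own `/tmp/trace.log` to `failed_paths` and review the suggested flags by hand before adding them; each one widens the sandbox, so prefer the narrowest path that makes the game run.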