
lutris: Lutris 5.17 uses new paths and syscalls #6306

Open
nutta-git opened this issue Apr 12, 2024 · 7 comments

Comments

@nutta-git
Contributor

nutta-git commented Apr 12, 2024

Description

Lutris 5.17 is a Major update with more than 540 commits. New features include the new umu wine-launcher package.
This requires new file / syscall permissions to run games (tested with uplay).
I won't follow the traditional reporting style since it's a lot of work.
Yes, I tested it without the firejail profile and lutris 5.17-1 did run fine.

Steps to Reproduce

Steps to reproduce the behavior

  1. Download and install the following: Lutris 5.17-1 and firejail-git (Lutris 5.17-2 won't work for some reason, not related to firejail as far as I know)
  2. ln -s /usr/bin/firejail /usr/local/bin/lutris
  3. cp /etc/firejail/lutris.profile ~/.config/firejail/lutris.profile
  4. firecfg --fix
  5. Launch Lutris
  6. Start Ubisoft Connect [WINE- Latest Version]
    [screenshot: lutris_reprodue]

New File permission

noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/umu
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu

*Whitelisting .local/share/Steam/compatibilitytools.d alone will not work; Lutris now needs access to the whole /Steam folder (as far as I can see).

New syscall permission

!clone,!mount,!pivot_root,!umount2

Other permission

remove restrict-namespaces

Copy of my current lutris.profile:

# Firejail profile for lutris
# Description: Multi-library game handler with special support for Wine
# This file is overwritten after every install/update
# Persistent local customizations
include lutris.local
# Persistent global definitions
include globals.local

noblacklist ${PATH}/llvm*
noblacklist ${HOME}/Games
noblacklist ${HOME}/.cache/lutris
noblacklist ${HOME}/.cache/wine
noblacklist ${HOME}/.cache/winetricks
noblacklist ${HOME}/.config/lutris
noblacklist ${HOME}/.config/MangoHud
noblacklist ${HOME}/.local/share/lutris
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/umu
# noblacklist ${HOME}/.wine
noblacklist /tmp/.wine-*
# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
# Lutris won't even start.
noblacklist /sbin
noblacklist /usr/sbin

ignore noexec ${HOME}

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/Games
mkdir ${HOME}/.cache/lutris
mkdir ${HOME}/.cache/wine
mkdir ${HOME}/.cache/winetricks
mkdir ${HOME}/.config/lutris
mkdir ${HOME}/.local/share/lutris
# mkdir ${HOME}/.wine
whitelist ${DOWNLOADS}
whitelist ${HOME}/Games
whitelist ${HOME}/.cache/lutris
whitelist ${HOME}/.cache/wine
whitelist ${HOME}/.cache/winetricks
whitelist ${HOME}/.config/lutris
whitelist ${HOME}/.config/MangoHud
whitelist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu
# whitelist ${HOME}/.wine
whitelist /usr/share/lutris
whitelist /usr/share/wine
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

# allow-debuggers
# apparmor
caps.drop all
ipc-namespace
ignore netfilter
nodvd
nogroups
nonewprivs
#noroot
notv
nou2f
protocol unix,inet,inet6,netlink
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv,!clone,!mount,!pivot_root,!umount2
seccomp.32 !modify_ldt,!process_vm_readv
# Add the next line to your lutris.local if you do not need controller support.
#private-dev
#private-tmp

dbus-user filter
dbus-user.own net.lutris.Lutris
dbus-user.talk com.feralinteractive.GameMode
dbus-system none

#restrict-namespaces

@nutta-git
Contributor Author

Once this is tested, I can make a pull request.

@glitsj16
Collaborator

ignore netfilter

ignore looks odd here. It's supposed to override an option that gets included later (in either the same foo.profile or in a redirect). Is netfilter causing breakage?
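The profile posted above re-allows clone, mount, pivot_root and umount2 and comments out restrict-namespaces, and the reply questions what an `ignore` line does. The following POSIX shell audit script is an added example, not code from the issue or from the Firejail project: it reads a profile file and reports which syscalls a `seccomp !a,!b` line removes from Firejail's default blocklist, whether restrict-namespaces is still in effect, and which `ignore` directives will override later options. The profile excerpt it parses is constructed inline (a shortened copy of the lines discussed here); the function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or Firejail): audit a Firejail profile for
# the changes discussed in this thread, so a reviewer can see how much wider
# the sandbox becomes before adopting them.

# Constructed profile excerpt; the real lutris.profile is longer.
PROFILE_FILE="${TMPDIR:-/tmp}/lutris-audit-example.profile"
cat > "$PROFILE_FILE" <<'EOF'
# Firejail profile for lutris
include lutris.local
ignore netfilter
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv,!clone,!mount,!pivot_root,!umount2
seccomp.32 !modify_ldt,!process_vm_readv
#restrict-namespaces
EOF

# Print, one per line, the syscalls that a "seccomp !x,!y" line removes from
# Firejail's default blocklist (i.e. re-allows).
# $1 = profile path, $2 = directive name ("seccomp" or "seccomp.32").
seccomp_allowed_syscalls() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" |
        sed -E "s/^[[:space:]]*$2[[:space:]]+//" |
        tr ',' '\n' |
        sed -n 's/^!//p'
}

# Exit 0 if the 64-bit seccomp filter in profile $1 re-allows syscall $2.
seccomp_allows() {
    seccomp_allowed_syscalls "$1" seccomp | grep -qx "$2"
}

# Exit 0 if restrict-namespaces is in effect: present, not commented out,
# and not cancelled by an "ignore restrict-namespaces" line.
namespaces_restricted() {
    grep -qE '^[[:space:]]*restrict-namespaces' "$1" &&
        ! grep -qE '^[[:space:]]*ignore[[:space:]]+restrict-namespaces' "$1"
}

# List every "ignore" directive. Each one silently overrides the named option
# wherever it appears later, in this file or in an included one.
ignored_options() {
    sed -nE 's/^[[:space:]]*ignore[[:space:]]+//p' "$1"
}

# Human-readable summary of the points a reviewer would check.
audit_profile() {
    printf 'seccomp re-allows: %s\n' "$(seccomp_allowed_syscalls "$1" seccomp | tr '\n' ' ')"
    # These four are the ones the issue adds for the umu launcher; together
    # with namespaces they let the sandboxed process build its own mount view.
    for s in clone mount pivot_root umount2; do
        if seccomp_allows "$1" "$s"; then
            printf '  %s: re-allowed (widens the sandbox)\n' "$s"
        fi
    done
    if namespaces_restricted "$1"; then
        echo 'restrict-namespaces: active'
    else
        echo 'restrict-namespaces: NOT active'
    fi
    printf 'ignore directives: %s\n' "$(ignored_options "$1" | tr '\n' ' ')"
}

audit_profile "$PROFILE_FILE"
```

Run it against the real file with `audit_profile /etc/firejail/lutris.profile` (or the copy in ~/.config/firejail) to see the same summary for your own setup; the functions only read the file, they never modify it.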

@nutta-git
Contributor Author

nutta-git commented Apr 12, 2024

When I included a copy of my lutris.profile it wasn't meant to be used as a reference implementation for this issue; it was meant to show a visual of how the new rules are added.

Please "ignore" that.
I think I added that because I was already using a firewall and/or was testing around with stuff.

@glitsj16
Collaborator

Thanks for clearing that up!

@OwlInSpace

OwlInSpace commented May 4, 2024

Lutris 5.17 wasn't working for me either. I like restrictive sandboxes, so I tried to find the minimum possible permissions to make it work, and all I really needed was seccomp !modify_ldt,!ptrace,!process_vm_readv.

Without those I get this on repeat until it gives up after I think 8 tries:

[0504/110919.095:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 1 time(s)
[0504/110919.279:ERROR:gpu_process_host.cc(985)] GPU process launch failed: error_code=43
[0504/110919.279:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 2 time(s)

I'm on the latest version of Firejail and Lutris from the Fedora repo, and I tested this with Steam for Windows.

I haven't tried the new features though, so I don't know what works with those. I used the default wine runner for testing, so different runners might need more permissions, as @nutta-git mentioned.

This has already been fixed with #6067

@kmk3
Collaborator

kmk3 commented May 4, 2024

Lutris 5.17 wasn't working for me too. I like restrictive sandboxes, so I
tried seeing the minimum possible permissions to make it work, and all I
really needed was seccomp !modify_ldt,!ptrace,!process_vm_readv.

This was already done in #6067.

Does it work with firejail-git?

@OwlInSpace

Lutris 5.17 wasn't working for me too. I like restrictive sandboxes, so I
tried seeing the minimum possible permissions to make it work, and all I
really needed was seccomp !modify_ldt,!ptrace,!process_vm_readv.

This was already done in #6067.

Does it work with firejail-git?

I'm using the Fedora 40 package, which is Firejail 0.9.72. That is the latest release, but it was released on Jan 16, 2023, which is before #6067. I should've checked if there were other issues on this in hindsight; thanks for mentioning the pull request.

@kmk3 kmk3 changed the title Lutris 5.17 need new permission and syscalls lutris: Lutris 5.17 uses new paths and syscalls Aug 23, 2024