VR: Difference between revisions - Official NixOS Wiki

Line 206:

{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}

{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely, or modifying the bubblewrap binary used for running Steam to remove these capability protections. Both of these workarounds come with their own security tradeoffs. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}

</translate>

Line 244:

=== Patching bubblewrap to allow capabilities ===

By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly.

{{Warning|This circumvents an intended security mechanism in bubblewrap, and allows all other software launched by steam, or running via steam-run to acquire these capabilities as well.}}

{{file|/etc/nixos/configuration.nix|nix|3=programs.steam = let

patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: {

patches = (o.patches or []) ++ [

./bwrap.patch

];

});

in {

enable = true;

package = pkgs.steam.override {

buildFHSEnv = (args: ((pkgs.buildFHSEnv.override {

bubblewrap = patchedBwrap;

}) (args // {

extraBwrapArgs = (args.extraBwrapArgs or []) ++ [ "--cap-add ALL" ];

})));

};

}

}}

{{file|/etc/nixos/bwrap.patch|diff|3=diff --git a/bubblewrap.c b/bubblewrap.c

index 8322ea0..4e20262 100644

--- a/bubblewrap.c

+++ b/bubblewrap.c

@@ -868,13 +868,6 @@ acquire_privs (void)

/* Keep only the required capabilities for setup */

set_required_caps ();

}

- else if (real_uid != 0 && has_caps ())

- {

- /* We have some capabilities in the non-setuid case, which should not happen.

- Probably caused by the binary being setcap instead of setuid which we

- don't support anymore */

- die ("Unexpected capabilities but not setuid, old file caps config?");

- }

else if (real_uid == 0)

{

/* If our uid is 0, default to inheriting all caps; the caller

}}

as an additional change, you may also need to replace Steam's own bwrap binary with a symbolic link to this modified bwrap binary, found at <code>~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/libexec/steam-runtime-tools-0/srt-bwrap</code>.

Steam will periodically replace this modification with its own binary when steam-runtime updates, so you may need to re-apply this change if it breaks.

</translate>

== wlx-overlay-s ==

@@ Line 206: / Line 206: @@
 <!--T:24-->
-{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}
+{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely, or modifying the bubblewrap binary used for running Steam to remove these capability protections. Both of these workarounds come with their own security tradeoffs. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}
 </translate>
@@ Line 244: / Line 244: @@
 <translate>
+=== Patching bubblewrap to allow capabilities ===
+By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly.
+{{Warning|This circumvents an intended security mechanism in bubblewrap, and allows all other software launched by steam, or running via steam-run to acquire these capabilities as well.}}
+{{file|/etc/nixos/configuration.nix|nix|3=programs.steam = let
+  patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: {
+    patches = (o.patches or []) ++ [
+      ./bwrap.patch
+    ];
+  });
+in {
+    enable = true;
+    package = pkgs.steam.override {
+      buildFHSEnv = (args: ((pkgs.buildFHSEnv.override {
+        bubblewrap = patchedBwrap;
+      }) (args // {
+        extraBwrapArgs = (args.extraBwrapArgs or []) ++ [ "--cap-add ALL" ];
+      })));
+    };
+  };
+}
+}}
+{{file|/etc/nixos/bwrap.patch|diff|3=diff --git a/bubblewrap.c b/bubblewrap.c
+index 8322ea0..4e20262 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -868,13 +868,6 @@ acquire_privs (void)
+       /* Keep only the required capabilities for setup */
+       set_required_caps ();
+     }
+-  else if (real_uid != 0 && has_caps ())
+-    {
+-      /* We have some capabilities in the non-setuid case, which should not happen.
+-         Probably caused by the binary being setcap instead of setuid which we
+-         don't support anymore */
+-      die ("Unexpected capabilities but not setuid, old file caps config?");
+-    }
+   else if (real_uid == 0)
+     {
+       /* If our uid is 0, default to inheriting all caps; the caller
+}}
+as an additional change, you may also need to replace Steam's own bwrap binary with a symbolic link to this modified bwrap binary, found at <code>~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/libexec/steam-runtime-tools-0/srt-bwrap</code>.
+Steam will periodically replace this modification with its own binary when steam-runtime updates, so you may need to re-apply this change if it breaks.
+</translate>
+<translate>
 == wlx-overlay-s == <!--T:31-->