VR/en: Difference between revisions

Line 54:

For further information about available environment variables and tweaks, read the [https://lvra.gitlab.io/docs/fossvr/monado/ Linux VR Adventures wiki] and the [https://monado.freedesktop.org/getting-started.html#environment-variables Monado documentation about environment variables]

== OpenComposite ==

Line 157:

Line 156:

On initial setup, SteamVR will ask for elevated permissions, to set up a file capability for one of its binaries. This is needed to allow asynchronous reprojection to work. Clients need the <code>CAP_SYS_NICE</code> capability to acquire a high-priority context, which is a requirement for asynchronous reprojection.

{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}

{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely, or modifying the bubblewrap binary used for running Steam to remove these capability protections. Both of these workarounds come with their own security tradeoffs. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}

=== Patching AMDGPU to allow high priority queues ===

Line 182:

Line 181:

It is also possible to just patch amdgpu and build it as an out-of-tree module, as described in [[Linux_kernel#Patching_a_single_In-tree_kernel_module]]

=== Patching bubblewrap to allow capabilities ===

By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly.

{{Warning|This circumvents an intended security mechanism in bubblewrap, and allows all other software launched by steam, or running via steam-run to acquire these capabilities as well.}}

{{file|/etc/nixos/configuration.nix|nix|3=programs.steam = let

patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: {

patches = (o.patches or []) ++ [

./bwrap.patch

];

});

in {

enable = true;

package = pkgs.steam.override {

buildFHSEnv = (args: ((pkgs.buildFHSEnv.override {

bubblewrap = patchedBwrap;

}) (args // {

extraBwrapArgs = (args.extraBwrapArgs or []) ++ [ "--cap-add ALL" ];

})));

};

}}

{{file|/etc/nixos/bwrap.patch|diff|3=diff --git a/bubblewrap.c b/bubblewrap.c

index 8322ea0..4e20262 100644

--- a/bubblewrap.c

+++ b/bubblewrap.c

@@ -868,13 +868,6 @@ acquire_privs (void)

/* Keep only the required capabilities for setup */

set_required_caps ();

}

- else if (real_uid != 0 && has_caps ())

- {

- /* We have some capabilities in the non-setuid case, which should not happen.

- Probably caused by the binary being setcap instead of setuid which we

- don't support anymore */

- die ("Unexpected capabilities but not setuid, old file caps config?");

- }

else if (real_uid == 0)

{

/* If our uid is 0, default to inheriting all caps; the caller

}}

as an additional change, you may also need to replace Steam's own bwrap binary with a symbolic link to this modified bwrap binary, found at <code>~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/libexec/steam-runtime-tools-0/srt-bwrap</code>.

Steam will periodically replace this modification with its own binary when steam-runtime updates, so you may need to re-apply this change if it breaks.

== wlx-overlay-s ==

Line 189:

Line 235:

==== SteamVR autostart ====

When launching wlx-overlay-s in SteamVR (or any OpenVR compositor) it will register an autostart manifest. Currently, this manifest will reference a Nix store path of wlx-overlay-s, which might get garbage collected after rebuilds of your NixOS/Nix profile. A workaround is to regularly run the following command to update the manifest's store path:{{Commands|

When launching wlx-overlay-s in SteamVR (or any OpenVR compositor) it will register an autostart manifest. Currently, this manifest will reference a Nix store path of wlx-overlay-s, which might get garbage collected after rebuilds of your NixOS/Nix profile. A workaround is to regularly run the following command to update the manifest's store path:

{{Commands|

# Run wlx-overlay-s and replace any running instance

$ wlx-overlay-s --replace}}

Line 196:

Line 244:

* [https://lvra.gitlab.io Linux VR Adventures Wiki]

[[Category:Video]]

[[Category:Hardware]]

[[Category:Desktop]]

[[Category:Gaming]]

@@ Line 54: / Line 54: @@
 For further information about available environment variables and tweaks, read the [https://lvra.gitlab.io/docs/fossvr/monado/ Linux VR Adventures wiki] and the [https://monado.freedesktop.org/getting-started.html#environment-variables Monado documentation about environment variables]
 == OpenComposite ==
@@ Line 157: / Line 156: @@
 On initial setup, SteamVR will ask for elevated permissions, to set up a file capability for one of its binaries. This is needed to allow asynchronous reprojection to work. Clients need the <code>CAP_SYS_NICE</code> capability to acquire a high-priority context, which is a requirement for asynchronous reprojection.
-{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}
+{{Note|Steam is run in a bubblewrap-based FHS environment. This environment runs Steam in a user namespace, which prevents it from using any capabilities or setuid binaries. This means that asynchronous reprojection can not be used on NixOS, without patching the kernel to remove these restrictions completely, or modifying the bubblewrap binary used for running Steam to remove these capability protections. Both of these workarounds come with their own security tradeoffs. See this [https://github.com/NixOS/nixpkgs/issues/217119 Nixpkgs issue]}}
 === Patching AMDGPU to allow high priority queues ===
@@ Line 182: / Line 181: @@
 It is also possible to just patch amdgpu and build it as an out-of-tree module, as described in [[Linux_kernel#Patching_a_single_In-tree_kernel_module]]
+=== Patching bubblewrap to allow capabilities ===
+By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly.
+{{Warning|This circumvents an intended security mechanism in bubblewrap, and allows all other software launched by steam, or running via steam-run to acquire these capabilities as well.}}
+{{file|/etc/nixos/configuration.nix|nix|3=programs.steam = let
+  patchedBwrap = pkgs.bubblewrap.overrideAttrs (o: {
+    patches = (o.patches or []) ++ [
+      ./bwrap.patch
+    ];
+  });
+in {
+  enable = true;
+  package = pkgs.steam.override {
+    buildFHSEnv = (args: ((pkgs.buildFHSEnv.override {
+      bubblewrap = patchedBwrap;
+    }) (args // {
+      extraBwrapArgs = (args.extraBwrapArgs or []) ++ [ "--cap-add ALL" ];
+    })));
+  };
+};
+}}
+{{file|/etc/nixos/bwrap.patch|diff|3=diff --git a/bubblewrap.c b/bubblewrap.c
+index 8322ea0..4e20262 100644
+--- a/bubblewrap.c
++++ b/bubblewrap.c
+@@ -868,13 +868,6 @@ acquire_privs (void)
+       /* Keep only the required capabilities for setup */
+       set_required_caps ();
+     }
+-  else if (real_uid != 0 && has_caps ())
+-    {
+-      /* We have some capabilities in the non-setuid case, which should not happen.
+-         Probably caused by the binary being setcap instead of setuid which we
+-         don't support anymore */
+-      die ("Unexpected capabilities but not setuid, old file caps config?");
+-    }
+   else if (real_uid == 0)
+     {
+       /* If our uid is 0, default to inheriting all caps; the caller
+}}
+as an additional change, you may also need to replace Steam's own bwrap binary with a symbolic link to this modified bwrap binary, found at <code>~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/libexec/steam-runtime-tools-0/srt-bwrap</code>.
+Steam will periodically replace this modification with its own binary when steam-runtime updates, so you may need to re-apply this change if it breaks.
 == wlx-overlay-s ==
@@ Line 189: / Line 235: @@
 ==== SteamVR autostart ====
-When launching wlx-overlay-s in SteamVR (or any OpenVR compositor) it will register an autostart manifest. Currently, this manifest will reference a Nix store path of wlx-overlay-s, which might get garbage collected after rebuilds of your NixOS/Nix profile. A workaround is to regularly run the following command to update the manifest's store path:{{Commands|
+When launching wlx-overlay-s in SteamVR (or any OpenVR compositor) it will register an autostart manifest. Currently, this manifest will reference a Nix store path of wlx-overlay-s, which might get garbage collected after rebuilds of your NixOS/Nix profile. A workaround is to regularly run the following command to update the manifest's store path:
+{{Commands|
 # Run wlx-overlay-s and replace any running instance
 $ wlx-overlay-s --replace}}
@@ Line 196: / Line 244: @@
 * [https://lvra.gitlab.io Linux VR Adventures Wiki]
 [[Category:Video]]
 [[Category:Hardware]]
 [[Category:Desktop]]
 [[Category:Gaming]]