VR: Difference between revisions - Official NixOS Wiki

Line 215:

By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly.

By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly. This may become unnecessary if [https://github.com/containers/bubblewrap/issues/653 bubblewrap #653] is merged and the flag is added to Steam's tooling.

'''As of 2026-05, this no longer seems viable:''' Steam now aggressively restores its own pressure vessel srt-bwrap on startup.

</translate>

Line 237:

Line 239:

};

}}

{{file~~|/etc/nixos/bwrap.patch|diff~~|3=diff --git a/bubblewrap.c b/bubblewrap.c

{{file|3=diff --git a/bubblewrap.c b/bubblewrap.c

index ~~e05f697~~..~~504512a~~ 100644

index f8728c7..42cfe2e 100644

--- a/bubblewrap.c

+++ b/bubblewrap.c

@@ -~~791~~,13 +~~791~~,6 @@ acquire_privs (void)

@@ -876,13 +876,6 @@ acquire_privs (void)

/* ~~Historically we supported this, but now we~~ only ~~do user namespaces~~ */

/* Keep only the required capabilities for setup */

~~die~~ (~~"setuid use of bubblewrap is not supported"~~);

set_required_caps ();

}

- else if (real_uid != 0 && has_caps ())

Line 255:

Line 257:

{

/* If our uid is 0, default to inheriting all caps; the caller

|name=|lang=}}

|name=bwrap.patch|lang=diff}}

@@ Line 215: / Line 215: @@
 <!--T:44-->
-By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly.
+By modifying the bubblewrap binary used for running Steam, you can allow processes in that FHS environment to acquire capabilities. This removes the need for patching the kernel directly. This may become unnecessary if [https://github.com/containers/bubblewrap/issues/653 bubblewrap #653] is merged and the flag is added to Steam's tooling.
+'''As of 2026-05, this no longer seems viable:''' Steam now aggressively restores its own pressure vessel srt-bwrap on startup.
 </translate>
@@ Line 237: / Line 239: @@
 };
 }}
-{{file|/etc/nixos/bwrap.patch|diff|3=diff --git a/bubblewrap.c b/bubblewrap.c
+{{file|3=diff --git a/bubblewrap.c b/bubblewrap.c
-index e05f697..504512a 100644
+index f8728c7..42cfe2e 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
-@@ -791,13 +791,6 @@ acquire_privs (void)
+@@ -876,13 +876,6 @@ acquire_privs (void)
-        /* Historically we supported this, but now we only do user namespaces */
+        /* Keep only the required capabilities for setup */
-        die ("setuid use of bubblewrap is not supported");
+        set_required_caps ();
       }
 -  else if (real_uid != 0 && has_caps ())
@@ Line 255: / Line 257: @@
       {
         /* If our uid is 0, default to inheriting all caps; the caller
-|name=|lang=}}
+|name=bwrap.patch|lang=diff}}
 <translate>