Games' Permissions when Installed through Lutris Flatpak

I did some research about the topic, but I was not able to find an answer since things got a bit too technical for me, so I thought of trying to ask here.

I’m currently using Ubuntu 23.10 and to do some occasional gaming I use Steam (when I have to) and Lutris (for GoG titles) and both apps are the Flatpak ones. That way with Flatseal I can easily check and modify permissions to limit folders and internet accesses.

Now, while with Steam everything is inside Steam’s app and I’m reasonably sure that permissions set with Flatseal apply to launched games too, Lutris instead is simply a launcher. If I install a game with Lutris, will the permissions set for Lutris also apply for the games installed and launched through Lutris?

I’m asking this because I usually try to avoid games with obvious data harvesting (like Horizon Zero Dawn), but I wanted to try to add another layer of security with ones that have optional telemetry (like Pillars of Eternity) just in case, if that makes sense.
(I know I could and should make an account dedicated only for gaming, but I wanted to know if the solution above is a sort of compromise for convenience’s sake.)

Thank you for your help!

This is something I’ve been meaning to investigate. It, of course, seems like a great idea to sandbox the heck out of games, particularly in light of game spyware scandals like Red Shell.

My understanding is all (flatpak) steam/lutris/etc games share their parent application’s flatpak permissions. A simple way to test this would be to revoke the network permission, then see if you can connect to multiplayer.

I’ve had little success gaming under flatpak, so I intend to explore bubblewrap, flatpak’s sandbox, which can also be used without flatpak.

  • Sandbox your games and run them on an isolated system or virtual machine.
  • Isolate the system from the rest of your network.
    • And I’d recommend a VPN too; too many games spew your IP to other players for no reason.

If you want extra fun, have different virtual machines for different (sets or individual) games.

As evil as Sony is, their PC ports are actually pretty flawless via Proton and also work entirely offline.

bwrap isn’t necessarily meant to be directly used by the user and is quite limited compared to e.g. firejail.

The included firejail profile for Steam is stricter, but you may run into issues with Proton not working due to their vendor isolation. So I just recommend the Flatpak.

If you do use Firejail, please note I changed it to an allowlist profile like 7 years ago and so any games that save outside of the typical synced Steam savedir may be deleted on close.


@dumpster I’ve just tried that with Lutris and revoking the network permission in Flatseal seems to prevent games from connecting to the Internet.
Actually, I had a small problem in the installation of Pillars of Eternity.

To summarize the only case in which I had to grant access to an external folder other than the Flatpak .var one:

Lutris installer did not make the settings folder in the .config directory inside the .var one (since Lutris is installed via flatpak, so everything should be in the .var directory), but I had to grant Lutris access to the usual .config folder so that it created the settings one for PoE, as if it was a normal installation with the gog installer. After that everything worked flawlessly and it’s the only case in which I had to grant access to an external folder other than the .var one.

@SkewedZeppelin Since all of my games are single player and I want to play them offline I wanted to know if keeping them in the Flatpak apps folder without internet and home folder access was a reasonable way (or compromise) to prevent data leaking/spyware while not giving up on the convenience of having everything in the same account.

Anyway, thank you very much for your opinions and advice!
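
Added example, not part of any post in this thread: since games launched from a Flatpak launcher run under the launcher's permissions, the check discussed above can be complemented by auditing the launcher's permission keyfile for network and host-filesystem exposure. The function name, the sample keyfiles (constructed, not real output) and the Flathub app ID `net.lutris.Lutris` in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag network and host-filesystem exposure in a Flatpak
# permission keyfile, as printed by `flatpak info --show-permissions APP_ID`.

# Reads keyfile text on stdin and prints one finding per line.
# Returns 1 if the sandbox has network or broad home/host access, else 0.
audit_perms() {
    section="" rc=0
    while IFS= read -r line; do
        case "$line" in
            \[*\]) section=${line#\[}; section=${section%\]}; continue ;;
            *=*)   key=${line%%=*}; value=${line#*=} ;;
            *)     continue ;;
        esac
        [ "$section" = "Context" ] || continue
        old_ifs=$IFS; IFS=';'; set -f      # split "a;b;c;" without globbing
        for item in $value; do
            [ -n "$item" ] || continue
            case "$key=$item" in
                shared=network)
                    echo "network: sandbox shares the host network"; rc=1 ;;
                filesystems=!*) ;;         # "!path" is an explicit denial
                filesystems=home*|filesystems=host*)
                    echo "filesystem: broad host access ($item)"; rc=1 ;;
                filesystems=*)
                    echo "filesystem: extra path exposed ($item)" ;;
            esac
        done
        set +f; IFS=$old_ifs
    done
    return "$rc"
}

# Constructed samples (not real output from any system).
OPEN_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;~/.config;'

LOCKED_PERMS='[Context]
shared=ipc;
sockets=x11;wayland;pulseaudio;
filesystems=!home;'

# Real use (app ID assumed to be Lutris from Flathub):
#   flatpak info --show-permissions net.lutris.Lutris | audit_perms
# Tighten, then audit again:
#   flatpak override --user --unshare=network --nofilesystem=home net.lutris.Lutris
printf '%s\n' "$OPEN_PERMS" | audit_perms || echo "=> tighten the sandbox"
```

A clean audit only describes the configured permissions; launching a game and confirming it cannot reach the network, as done in the thread, remains the behavioural check.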