Ren'Py Small script to run renpy games sandboxed on linux

nicktrocado

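Hey all, given the recent security issues with games, I've written a small shell script that uses bubblewrap (bwrap) to sandbox any Ren'Py game executable, cutting off access to your computer and the network. I've only tested this on my machine, and so far so good: it only allows the game to modify its own directory and the Ren'Py save directory. The game can still reach the display and audio sockets and the device nodes that the script binds into the sandbox, so treat it as damage limitation rather than full isolation. Just put it somewhere on your $PATH and run it with safe-rp game.sh.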

This code is modified from the steam example here:

Bash:
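#!/usr/bin/env bash
# safe-rp: launch a Ren'Py game script inside a bubblewrap (bwrap) sandbox.
# Usage: safe-rp <game-script>
set -e

if [ -z "$1" ]; then
  echo "Usage: $0 <game-script>" >&2
  exit 1
fi

# Fail early with a clear message instead of letting bwrap report a missing
# executable from inside the sandbox.
if [ ! -f "$1" ]; then
  echo "$0: not a file: $1" >&2
  exit 1
fi

GAME_SCRIPT=$(realpath -- "$1")
RENPY_SAVE_DIR="${HOME}/.renpy"
GAME_DIR=$(dirname -- "$GAME_SCRIPT")
# NOTE(review): GAME_NAME is not read anywhere else in this script; kept so
# the set of variables the script defines is unchanged.
GAME_NAME=$(basename -- "$GAME_SCRIPT")

# The directory holding the game script is bind-mounted read-write into the
# sandbox. If the script sits directly in "/", in $HOME or in a parent of
# $HOME, that one bind would expose the whole home directory to the game,
# which defeats the purpose of the sandbox. Refuse and ask for a subfolder.
home_real=$(realpath -- "$HOME")
if [[ "$GAME_DIR" == / || "$home_real/" == "$GAME_DIR"/* ]]; then
  echo "$0: refusing to expose '$GAME_DIR' read-write;" \
    "move the game into its own directory" >&2
  exit 1
fi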

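#######################################
# Append one bwrap bind option per path to the global `args` array, mounting
# each path at the same location inside the sandbox.
# Globals:   args (appended to)
# Arguments: $1 - bwrap bind option (e.g. --bind-try, --ro-bind-try)
#            $2.. - host paths to expose
#######################################
_bind() {
    local _bind_arg=$1
    local _path
    shift
    for _path in "$@"; do
        # An empty path (for example an unset XAUTHORITY) is never a
        # meaningful mount; skip it rather than hand bwrap an empty source
        # and destination.
        if [[ -z "$_path" ]]; then
            continue
        fi
        args+=("$_bind_arg" "$_path" "$_path")
    done
}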

# Queue the given paths as read-write bind mounts; the -try variant makes
# bwrap skip paths that do not exist on the host.
bind() { _bind --bind-try "$@"; }

# Queue the given paths as read-only bind mounts; the -try variant makes
# bwrap skip paths that do not exist on the host.
robind() { _bind --ro-bind-try "$@"; }

# Queue the given paths as device bind mounts (device nodes stay usable);
# the -try variant makes bwrap skip paths that do not exist on the host.
devbind() { _bind --dev-bind-try "$@"; }

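# Per-user runtime directory (Wayland, PipeWire and PulseAudio sockets live
# here). Nothing earlier in the script assigns RUN_USER, so without this
# default every "$RUN_USER/..." path below resolves under "/" and
# `--dir "$RUN_USER"` receives an empty string.
: "${RUN_USER:=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}"

# XDG base directories, falling back to the defaults from the XDG Base
# Directory spec so an unset variable never turns into `--dir ""`.
xdg_config=${XDG_CONFIG_HOME:-$HOME/.config}
xdg_cache=${XDG_CACHE_HOME:-$HOME/.cache}
xdg_data=${XDG_DATA_HOME:-$HOME/.local/share}
xdg_state=${XDG_STATE_HOME:-$HOME/.local/state}

# Plain --bind (unlike --bind-try) needs its source to exist, so create the
# save directory up front for the first run.
mkdir -p -- "$RENPY_SAVE_DIR"

args=(
    # Fresh namespaces for everything, including the network.
    --unshare-all
    # Detach from the controlling terminal so the game cannot push input
    # into the terminal that launched it.
    --new-session
    # Do not leave the game running if the launcher goes away.
    --die-with-parent
    --tmpfs /tmp
    --proc /proc
    --dev /dev
    --dir /etc
    --dir /var
    --dir "$RUN_USER"
    # The only two read-write locations backed by real host storage.
    --bind "$RENPY_SAVE_DIR" "$RENPY_SAVE_DIR"
    --bind "$GAME_DIR" "$GAME_DIR"
    --dir "$xdg_config"
    --dir "$xdg_cache"
    --dir "$xdg_data"
    --dir "$xdg_state"
    --symlink /usr/lib /lib
    --symlink /usr/lib /lib64
    --symlink /usr/bin /bin
    --symlink /usr/bin /sbin
    --symlink /run /var/run
)

# Only forward the X authority file when the session actually has one;
# an empty value would otherwise be exported and bound as "".
if [[ -n "${XAUTHORITY:-}" ]]; then
    args+=(--setenv XAUTHORITY "$XAUTHORITY")
    bind "$XAUTHORITY"
fi

# Read-only view of the system. Note that all of /etc and /sys is readable
# from inside the sandbox.
robind \
    /usr \
    /etc \
    /opt \
    /sys \
    /var/empty \
    /var/lib/alsa \
    /var/lib/dbus \
    "$RUN_USER/pipewire-0" \
    /etc/alsa \
    /etc/pipewire \
    /etc/pulse \
    "$RUN_USER/pulse"

# GPU, sound and input device nodes. /dev/uinput from the original list is
# left out: it exists to create virtual input devices, which a game has no
# need for and which would let it feed input to the host session.
# NOTE(review): /dev/input is presumably only needed for gamepads; drop it
# if the game is played with keyboard and mouse.
devbind \
    /dev/dri \
    /dev/nvidia* \
    /dev/input \
    /dev/snd

# Display and audio sockets. The X11 socket is the weakest point of this
# sandbox: X11 does not isolate clients from each other, so a game with
# X11 access can observe input and window contents of other applications.
bind \
    "$RUN_USER"/.mutter-X* \
    "$RUN_USER"/ICE* \
    "$RUN_USER"/pipewire* \
    "$RUN_USER"/pulse* \
    "$RUN_USER"/wayland* \
    /tmp/.ICE-unix \
    /tmp/.X11-unix

# Session-bus and desktop-service sockets are off by default. An unfiltered
# session bus lets a client call into services that run outside the
# sandbox, and with RUN_USER now defined these paths would become live.
# Set SAFE_RP_ALLOW_DBUS=1 only for a game that is trusted and needs them.
if [[ "${SAFE_RP_ALLOW_DBUS:-0}" == 1 ]]; then
    bind \
        "$RUN_USER"/dbus* \
        "$RUN_USER"/gnome* \
        "$RUN_USER/at-spi" \
        "$RUN_USER/bus" \
        "$RUN_USER/dconf"
fi

exec bwrap "${args[@]}" "$GAME_SCRIPT"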