Is there a consensus on how to run Steam and games isolated from the main system? I’ve seen Flatpak mentioned in some Reddit post but I’m not sure how good the separation is. Everything about Flatpak sounds like an early work in progress, but I can be convinced otherwise.
I don’t trust Steam or the closed source games at all. Currently I’ve got a second disk with a separate system for gaming, but I very rarely have the motivation to reboot. I want to game more (and spend less time on social media) but compromising my main OS is out of the question. Stuff in the home directory should be isolated from the games. Ideally no network access too, but Steam will not work in that case.
If someone has seen a ready made guide I’d be happy to read it. Any tips would be nice too.
This is a topic I would like to do something about. I’m not comfortable running games with full access to my home directory.
I hope someone with firejail or bubblewrap setup can share their thoughts.
I’d have 4 main solutions I can think of, and that can be used together if needed:
Intermediate route: pass through your GPU to a virtual machine running Windows or Linux+Proton. This is the strongest isolation aside from dual boot or using a second device, and runs almost as well as native. There are a lot of tutorials online but the archlinux wiki is a good place to start. This usually means you need a second GPU for your main system (an iGPU works if your CPU has it), or you can use janky scripts to switch the GPU between your main system and the VM. You also might need a KVM switch to switch your monitor and keyboard between your main system and the VM.
Expensive route: if you have two PCs you can set up one for game streaming using Sunshine, and stream games to your primary PC. Benefit of this approach is you can also stream to your tablet or android TV.
That is an interesting idea, I was about to buy a GPU for AI, right now I have one whose primary feature is not using a lot of energy. Am I going to need a dedicated monitor for games if I set it up this way?
I did the vfio passthrough years ago, rocking two monitors like I always have.
Top monitor was Linux only via Display Port. Bottom was Linux via HDMI, and Windows via DP. Small cheap AMD GPU for all the Linux, and big boy AMD GPU was only for Windows VM.
I would turn on the VM, and then toggle my bottom monitor from HDMI to DP to game, and then the reverse when finished. Could be done all the same without the top monitor.
A neat trick I figured out, was the Windows VM was actually a bare metal Windows install on a separate SSD that could be booted into normally, but also passed through to the VM when using Linux.
Yes/no. The KVM solves that. When I did it I just connected my monitor’s second input to the second video card.
KVM switch is the easiest way, you just plug both GPUs into your monitor, and switch between the two depending on if you want to see your main system or your VM. The Archlinux wiki also talks about “Looking Glass” which passes through the VM’s display to the main system. I haven’t tried this so YMMV. Alternatively you can run Sunshine inside the VM and stream to the main system. Maybe overkill if you are only using a single PC, but if you’ve got other devices you can stream to those too.
As a veteran to VFIO and GPU passthrough, I would recommend the KVM option first. It’s often worth buying cheap workarounds to start with, before diving into complicated software and networking setups like Looking Glass or Sunshine.
Sunshine sounds pretty decent but yeah, one step at a time. Thank you.
Sunshine in general sounds very tempting, I don’t play AAA games so an old laptop may be sufficient for most games, and the desktop clients are free.
Sunshine is actually pretty easy to set up. Just install it on the PC, and connect from a Moonlight client on the same LAN. The complicated part is if you want to get fancy with the networking, for example if you want to access it securely from outside the home, or if you run Sunshine inside of a VM and want to access it from outside the host. But if your laptop can handle the games you want to play, turning it into a game streaming server should only take an hour tops. Definitely easier than messing with passthrough and virtualization.
Flatpak’s security and sandbox has gotten much better in recent years. I’ve been using Steam via Flatpak for a while now and haven’t run into any issues yet, other than not being able to make desktop shortcuts of my games.
I use Flatseal (another Flatpak application) to further restrict my Flatpak’s permissions. The default Flatpak permissions for Steam aren’t bad IMO (at least when compared to other Flatpaks) but you can tweak it to your liking using Flatseal.
If you want to take it a step further, I would recommend using Goldberg’s Steam Emulator, which is FOSS, and it will allow you to bypass Steamworks DRM (which is Valve’s very weak DRM) for games which solely use Steamworks DRM.
I find that the overwhelming majority of my games just use the Steamworks DRM if any, but YMMV. Using Goldberg’s Steam Emulator is also a good way of preserving your library if, in the unfortunate case, Valve decides to remove a title from your library for whatever stupid licensing reason they come up with.
After freeing your games using Goldberg’s Steam Emulator you then could use the Flatpak of Lutris and disable network access for Lutris/further restrict permissions it has to the rest of your system using Flatseal.
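The permission-tightening described in this post, as an added example that is not from the thread or from Flatseal: it audits what a Flatpak is allowed to touch (the keyfile text `flatpak info --show-permissions` prints) and then applies per-user overrides that drop home/host access, expose only a games directory, and optionally cut the network. It assumes the Steam Flatpak id `com.valvesoftware.Steam` and a games directory `~/Games`; both are adjustable via environment variables.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a Flatpak app's sandbox
# permissions and applies tighter overrides. Assumptions: the Steam Flatpak
# id is com.valvesoftware.Steam and games live in ~/Games (both adjustable).
set -eu
APP_ID="${APP_ID:-com.valvesoftware.Steam}"
GAMES_DIR="${GAMES_DIR:-~/Games}"   # flatpak expands the leading ~ itself

# Print the effective [Context] permissions of an installed app.
show_permissions() { flatpak info --show-permissions "$1"; }

# Read keyfile-style permission lines on stdin (the format printed by
# `flatpak info --show-permissions`) and print one finding per risky entry.
audit_permissions() {
  while IFS= read -r line; do
    key=${line%%=*}; val=${line#*=}
    case "$key" in filesystems|shared|devices|sockets) ;; *) continue ;; esac
    old_ifs=$IFS; IFS=';'
    for item in $val; do
      case "$key:$item" in
        filesystems:home|filesystems:home:*|filesystems:host|filesystems:host:*)
          echo "RISK $key=$item (reaches into your real home/root)" ;;
        shared:network)  echo "RISK $key=$item (unrestricted network)" ;;
        devices:all)     echo "RISK $key=$item (every /dev node)" ;;
        sockets:x11)     echo "NOTE $key=$item (X11 clients can snoop each other)" ;;
      esac
    done
    IFS=$old_ifs
  done
  return 0
}

# Apply per-user overrides: drop home/host access, expose only the games
# directory, and optionally unshare the network. Steam itself cannot log in
# without network, so use "nonet" for a DRM-free launcher such as Lutris.
tighten() {
  app=$1; mode=${2:-}
  flatpak override --user --nofilesystem=home --nofilesystem=host \
    --filesystem="$GAMES_DIR" "$app"
  if [ "$mode" = nonet ]; then
    flatpak override --user --unshare=network "$app"
  fi
  flatpak override --user --show "$app"   # confirm what is now in effect
}

# Usage: sh sandbox-audit.sh audit | apply | apply-nonet
case "${1:-}" in
  audit)       show_permissions "$APP_ID" | audit_permissions ;;
  apply)       tighten "$APP_ID" ;;
  apply-nonet) tighten "$APP_ID" nonet ;;
esac
```

Run `audit` before and after `apply` to see the difference; `flatpak override --user --reset "$APP_ID"` undoes the overrides if a game stops launching.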
Amazing, this way I could restrict network access with normal tools like firejail instead of fiddling with Flatpak. I’ve never heard of this tool before: https://mr_goldberg.gitlab.io/goldberg_emulator/
Since games don’t have to run with more than user privileges and steam runs in flatpak, you could run them as a different user account with very limited permissions.
That said, flatpak should be pretty secure as far as I’m aware if you make sure that permissions for the apps running are restricted appropriately. I’m not sure how restricted you can make steam and still have it work though.
You can use offline mode for steam if you’re okay with steam having internet but not games. But there’s no way to use steam entirely offline. Internet access is a fundamental part of the system they have.
There’s also a question of what your threat model is. Like are you trying to prevent casual access of your files by games, or like a sophisticated attempt to compromise the system conveyed through a game. For the former flatpak seems sufficient. For the latter you probably need a dedicated machine. And there’s varying levels in between.
I doubt the potentially malicious games will have code sophisticated enough to bypass a sandbox, just because the majority of users don’t have a sandbox for them, and I’m not paranoid enough to fear targeted attacks. Other than that, the game shouldn’t have access to my home directory or network.
People are right about flatpak - it will generally keep stuff out of your actual root/home directory. But like you implied, the steam flatpak is unofficial so you may run into issues. With that said, I’ve used it and know many people who use it without any problems.
And depending on the game, you might be able to run it directly with steam offline, or even straight from the executable without steam open at all.
Of course this isn’t airtight, but there are ways to check the permissions granted to flatpak applications. And IMO it works well enough for games. Ofc this depends on how paranoid you are and your reasons for wanting this (fear of a game being a virus, not wanting clutter in home, wanting protection from a bug that would delete data, etc.).