Add functionality to run commands in a sandbox #72
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Only mount the runtime system paths, WINE prefix, game, proton and winetricks cache directory. The winetricks and its descendent processes should have no reason to see anything else
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, winetricks and its descendent processes are not under a subreaper, so when the user force quits the program execution (e.g., keyboard interrupt via ctrl+c, closing a launcher window) they will not be reaped. As a result, the user has to manually kill the winetricks background processes.
This pull request makes it so winetricks and its descendents processes will be sandboxed and killed automatically when the user forcibly quits by running the command via bubblewrap provided by the Steam runtime platform. Additionally, only the entire file hierarchy except Wine prefix, Proton, winetricks cache and game directory will be mounted read-only and only the host's network namespace will be shared to provide some security.