Every article tag can be clicked to get a list of all articles in that category. Every article tag also has an RSS feed! You can customize an RSS feed too!
Run Lutris in namespace with restricted network
Grogan 12 Sep 2023
All this talk about Unity phoning home got me to thinking that I should just prevent network access and we'll bloody well see how standalone these GoG games are.

First of all, you CAN'T give the namespace NO network. Processes will just crash, for example a lot of Wine processes can't initialize. Also, there may be dlls that bypass network functionality, but your process will die in the ass if no network is initialized. For example GoG Galaxy isn't necessary for single player games installed with offline installers, but there may be a dll that gets hooked. It needs an interface, so I give it loopback.

Secondly, namespaces aren't a lot of fun for users, because they require privileges. CAP_SYS_ADMIN at least and while I could grant my user that with linux capabilities, that's almost as bad as running things as root.

So therefore, these are the gymnastics I settled for, in my Lutris launching command. Trial and error :-)

sudo unshare -n -- sh -c 'ip link set dev lo up; sudo -u grogan lutris'

That will prompt for your user password once (unless it's already cached from recent use in that shell already). The second sudo command will not prompt, because you're downgrading privileges from root, launching as your user in that case.

Then, games launched from lutris will not crash, but fail to connect to the internet. I tested it on the EA App, which launches but fails to log in because it has no internet connectivity.
Grogan 13 Sep 2023
So what do you do, if you want to make a desktop or menu shortcut for this?

Well, if using KDE, Gnome, XFCE or other sophisticated environment, when you create shortcuts you should have a checkbox to "run in terminal"

If not (I use a simple window manager), just use xterm -e

For example, as the command of your shortcut or menu entry

xterm -e sudo unshare -n -- sh -c 'ip link set dev lo up; sudo -u grogan lutris'

This then pops up a little xterm window for me to answer the sudo password prompt, then lutris runs.
Cyril 13 Sep 2023
Mamke me thinks: what about the native Linux GOG (or whatever) games without Lutris?
I must admit I had this idea one time and wanted to search how to do it, but in the end I never did.
Grogan 13 Sep 2023
Of course, I should say that you wouldn't want to launch Lutris like that all the time. It needs to download its json files with updated version info for runtimes, as well as check for runtime updates.

You'd only want to do this when you want to prevent network access.
Grogan 13 Sep 2023
Mamke me thinks: what about the native Linux GOG (or whatever) games without Lutris?
I must admit I had this idea one time and wanted to search how to do it, but in the end I never did.

I don't see why not (any command you want) :-)

sudo unshare -n -- sh -c 'ip link set dev lo up; sudo -u grogan /storage3/shit/Soma/start.sh'

(just tested that... Linux native game bought on GoG)
tuubi 13 Sep 2023
Wouldn't something like `firejail --noprofile --net=none` work as well?

EDIT: As "Command prefix" in your Lutris runner settings I mean, not for launching Lutris itself. Should work just fine for native and Wine games, outside of lutris as well. You'll need to install firejail first, obviously.

Last edited by tuubi on 13 Sep 2023 at 2:26 pm UTC
Ehvis 13 Sep 2023
I added a group called 'nonet' to my user and blocked all outgoing traffic for that group. Now all that I have to do is launch something in a different group to block its internet access. No special permissions required.
Grogan 13 Sep 2023
Yes, I found that solution too. Less gymnastics, but I don't have firejail and prefer to just use what I have. unshare is always there in util-linux, anywhere. I ordinarily have no use for such tomfoolery, it's just a special use case for me to see what games won't run without phoning home. I personally don't want to install a complex application filter like firejail just to do this.

Also, as I said, no network interface is an unexpected condition that will cause a lot of things to crash and abort. It would probably be OK for Linux native games (as would simply unshare -n) but I couldn't get anything off the ground because of wine services failing without bringing up at least lo

Even so, Just Cause 2 crashes and aborts after the first splash screen even with the lo interface in the network namespace. At first I thought it was "phone home or die" but I did a test with the network cable unplugged (I booted up without it too, so eth0 wouldn't even be brought up) and Just Cause 2 launches normally then, as long as its not running in that namespace. That's creepy... that's only a network namespace that's not restricting anything else, and it has an interface to bind to. It should be no different than a yanked cable.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register