Running Steam in Firejail
Preface
Motivation
Steam creates files in the home directory, such as ~/.steam/ and ~/.local/share/Steam/. Worse, programs and games downloaded from the Steam store scatter their own directories across the home directory as they please, for example ~/.local/share/Paradox Interactive/ and ~/.paradoxinteractive/. These stray files obviously make housekeeping a nuisance.
On the other hand, Steam is obviously closed source, and most of the programs and games downloaded through it are too. A program can linger in the background, scan the disk, change configuration, or upload the user's private data, and the user has no way to control any of that. Whether the need is a matter of mental tidiness, or whether one day Steam lists spyware, or simply unease about the so-called steamchina, locking the program in a cage is still necessary.
Firejail differs from containers such as systemd-nspawn: Firejail's primary purpose is sandboxing, i.e. isolating the changes a program makes. That leads to the following differences:
- A program inside Firejail can use the host's shared libraries directly, which systemd-nspawn basically cannot.
- With Firejail you save at least 500MB of disk space.
- Firejail needs neither root privileges nor polkit authorization.
Goals
In summary, there are three goals to meet:
- Privacy: Steam must not read the files that already exist under ~/;
- Performance: games must run at normal performance;
- Housekeeping: Steam must not create files in the regular ~/ directory; they must be redirected elsewhere.
The lazy way
This is the simplest approach I could come up with. If you don't mind installing a Steam package plus a pile of 32-bit libraries on your machine (about 300MB of extra space in total), this method fits best. The official openSUSE Steam package also ships some extra udev rules and configuration, so fewer odd problems turn up.
Preparation
Create a directory that Steam will see as its ~/ directory. This article uses ~/Steam_Jail as the example.
mkdir ~/Steam_Jail
Install Steam and Firejail:
sudo zypper in steam firejail
Add your user to the firejail group (requires root, hence sudo):
sudo adduser [username] firejail
Custom configuration
Firejail ships a built-in profile for Steam, but it doesn't fully match my goals.
The following is modified from the official Firejail profile:
Configuration file (saved as steam-jail.profile, the name used by the launch command further down)
# Firejail profile for steam
# Description: Valve's Steam digital software delivery system
# This file is overwritten after every install/update
# Persistent local customizations
include steam.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.killingfloor
noblacklist ${HOME}/.local/share/3909/PapersPlease
noblacklist ${HOME}/.local/share/aspyr-media
noblacklist ${HOME}/.local/share/bohemiainteractive
noblacklist ${HOME}/.local/share/cdprojektred
noblacklist ${HOME}/.local/share/FasterThanLight
noblacklist ${HOME}/.local/share/feral-interactive
noblacklist ${HOME}/.local/share/IntoTheBreach
noblacklist ${HOME}/.local/share/Paradox Interactive
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/SuperHexagon
noblacklist ${HOME}/.local/share/Terraria
noblacklist ${HOME}/.local/share/vpltd
noblacklist ${HOME}/.local/share/vulkan
noblacklist ${HOME}/.mbwarband
noblacklist ${HOME}/.paradoxinteractive
noblacklist ${HOME}/.steam
noblacklist ${HOME}/.steampath
noblacklist ${HOME}/.steampid
noblacklist ${HOME}/.local/share/themes/
noblacklist ${HOME}/.local/share/icons/
noblacklist ${HOME}/.local/share/fonts/
# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
noblacklist /sbin
noblacklist /usr/sbin
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include whitelist-common.inc
include whitelist-var-common.inc
caps.drop all
#ipc-namespace
netfilter
nodvd
# nVidia users may need to comment / ignore nogroups and noroot
nogroups
nonewprivs
noroot
notv
nou2f
# novideo should be commented for VR
novideo
protocol unix,inet,inet6,netlink
# seccomp sometimes causes issues (see #2951, #3267),
# comment it or add 'ignore seccomp' to steam.local if so.
seccomp ! ptrace
shell none
# tracelog breaks integrated browser
#tracelog
# private-bin is disabled while in testing, but has been tested working with multiple games
#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
# extra programs are available which might be needed for select games
#private-bin java,java-config,mono
# picture viewers are needed for viewing screenshots
#private-bin eog,eom,gthumb,pix,viewnior,xviewer
# comment the following line if you need controller support
private-dev
# private-etc breaks a small selection of games on some systems, comment to support those
private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
private-tmp
# breaks appindicator support
# dbus-user none
# dbus-system none
Running Steam
Run it directly:
firejail --profile=steam-jail.profile --private=~/Steam_Jail steam
Remember: never run Steam directly. Always run it inside Firejail, otherwise all the effort is wasted. You can write your own .desktop file to replace the original Steam menu entry.
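To make the launch command above something the menu entry cannot bypass, here is an added example (my own code, not from the original post and not from the Firejail project) of a small POSIX sh wrapper. It composes the firejail command line, writes a .desktop entry whose Exec line always goes through firejail, and offers a probe that lists what the sandbox sees as ~ and reports any entry that exists only in the real home. The jail path, the profile location ~/.config/firejail/steam-jail.profile (a directory Firejail does search for user profiles), the subcommand names and the STEAM_JAIL_* environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: launcher wrapper for Steam-in-Firejail
# plus a .desktop generator and a home-leak probe. Both paths below are assumptions;
# adjust them to where you keep the jail directory and the profile.
JAIL_HOME="${STEAM_JAIL_HOME:-$HOME/Steam_Jail}"
PROFILE="${STEAM_JAIL_PROFILE:-$HOME/.config/firejail/steam-jail.profile}"

# Compose the firejail command line for jail home $1 and profile $2.
# Absolute paths only: "~" is expanded by the shell, not by .desktop launchers.
firejail_cmdline() {
    printf 'firejail --profile=%s --private=%s steam' "$2" "$1"
}

# Return 0 if "firejail" appears in the space-separated group list $1
# (pass the output of `id -nG`).
in_firejail_group() {
    for g in $1; do
        [ "$g" = firejail ] && return 0
    done
    return 1
}

# Render a desktop entry whose Exec line always goes through firejail,
# so the menu item cannot accidentally start an unsandboxed Steam.
desktop_entry() {
    cat <<EOF
[Desktop Entry]
Type=Application
Name=Steam (Firejail)
Comment=Steam with a private home under $1
Exec=$(firejail_cmdline "$1" "$2") %U
Icon=steam
Terminal=false
Categories=Game;
EOF
}

# Leak probe: list the sandbox's view of ~ and report every entry that exists
# only in the real home. Entries also present in the jail are expected there.
probe_isolation() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed; probe skipped" >&2
        return 2
    fi
    inside=$(firejail --quiet --profile="$PROFILE" --private="$JAIL_HOME" ls -A "$HOME" 2>/dev/null)
    leaks=$(ls -A "$HOME" | while IFS= read -r entry; do
        [ -e "$JAIL_HOME/$entry" ] && continue
        printf '%s\n' "$inside" | grep -qxF -- "$entry" && printf '%s\n' "$entry"
    done)
    [ -z "$leaks" ] && return 0
    printf 'leaked into the sandbox:\n%s\n' "$leaks" >&2
    return 1
}

main() {
    cmd="$1"
    shift
    case "$cmd" in
        run)
            mkdir -p "$JAIL_HOME" && chmod 700 "$JAIL_HOME"
            [ -f "$PROFILE" ] || { echo "profile not found: $PROFILE" >&2; exit 1; }
            in_firejail_group "$(id -nG)" || echo "warning: you are not in the firejail group" >&2
            exec firejail --profile="$PROFILE" --private="$JAIL_HOME" steam "$@"
            ;;
        install-desktop)
            dir="${XDG_DATA_HOME:-$HOME/.local/share}/applications"
            mkdir -p "$dir"
            desktop_entry "$JAIL_HOME" "$PROFILE" > "$dir/steam-jail.desktop"
            echo "wrote $dir/steam-jail.desktop"
            ;;
        probe)
            probe_isolation
            ;;
        *)
            echo "usage: $0 run|install-desktop|probe" >&2
            exit 1
            ;;
    esac
}

# Only dispatch when a subcommand is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Save it as, say, steam-jail.sh, run `sh steam-jail.sh install-desktop` once, then `sh steam-jail.sh probe` to confirm that the sandbox's home shows nothing that lives only in your real ~/. The desktop generator takes absolute paths on purpose: Exec= keys are not run through a shell, so a ~ written there would never be expanded.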
Fonts
The Source engine and Noto Sans, the default font of most desktop environments, don't get along. The configuration needs adjusting.
Install the WenQuanYi fonts:
sudo zypper in wqy-zenhei-fonts
Edit the fontconfig inside the jail:
~/Steam_Jail/.config/fontconfig/fonts.conf
------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <alias>
    <family>sans-serif</family>
    <prefer>
      <family>文泉驿正黑</family>
    </prefer>
  </alias>
</fontconfig>
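As an added check (my own code, not part of the original post), the functions below write that fonts.conf into the jail home with the preferred family as a parameter, then ask fontconfig what sans-serif resolves to with XDG_CONFIG_HOME pointed at the jail's .config. That exercises the override on the host without starting Firejail, which is useful because the file is only read once Steam's processes inside the jail look for fonts. It assumes a stock fontconfig whose default configuration includes the xdg-prefixed fontconfig/fonts.conf, and that fc-match's -f '%{family}' format lists the family names; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): write the jail's fonts.conf
# and check which family fontconfig now picks for sans-serif.

# Write .config/fontconfig/fonts.conf under jail home $1, preferring family $2
# for sans-serif. Same content as the file shown above, with the family as a parameter.
# Prints the path of the written file.
write_jail_fonts_conf() {
    conf_dir="$1/.config/fontconfig"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/fonts.conf" <<EOF
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <alias>
    <family>sans-serif</family>
    <prefer>
      <family>$2</family>
    </prefer>
  </alias>
</fontconfig>
EOF
    printf '%s\n' "$conf_dir/fonts.conf"
}

# Resolve sans-serif with the jail's config instead of the host user's.
# Prints the family list fontconfig chose; returns 0 when it contains $2,
# 1 when another font won, 2 when fc-match (fontconfig) is not installed.
check_jail_sans() {
    if ! command -v fc-match >/dev/null 2>&1; then
        echo "fc-match not installed; check skipped" >&2
        return 2
    fi
    family=$(XDG_CONFIG_HOME="$1/.config" fc-match -f '%{family}' sans-serif)
    printf '%s\n' "$family"
    case "$family" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh jail-fonts.sh ~/Steam_Jail 文泉驿正黑
if [ $# -ge 2 ]; then
    write_jail_fonts_conf "$1" "$2"
    check_jail_sans "$1" "$2"
fi
```

If the check prints a family other than the one requested, the font package is missing or the family name in the alias does not match what the font advertises; `fc-list : family` shows the names fontconfig knows.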