diff --git a/modules/steam/steam.nix b/modules/steam/steam.nix
index eca5da3a..be88fc46 100644
--- a/modules/steam/steam.nix
+++ b/modules/steam/steam.nix
@@ -58,6 +58,11 @@ in
 }
 });
 '';
+
+ # Steam will run some helper tools with pkexec, which needs setuid,
+ # which means bubblewrap itself also needs to be setuid.
+ # Requires https://github.com/NixOS/nixpkgs/pull/260404.
+ security.bubblewrap.allowSetuid = true;
 }
 ]);
 }
diff --git a/pkgs/jovian-steam-protocol-handler/default.nix b/pkgs/jovian-steam-protocol-handler/default.nix
index 7e9f12e6..a51e35e0 100644
--- a/pkgs/jovian-steam-protocol-handler/default.nix
+++ b/pkgs/jovian-steam-protocol-handler/default.nix
@@ -1,9 +1,23 @@
 {
+ buildFHSEnv,
 writeShellScript,
- steamPackages,
 }:
+# Just enough fhsenv to run just enough of Steam to actually send a URL to the _real_ Steam.
 # FIXME: this is a hack, replace with a better implementation
 # Investigate magic socket?
-writeShellScript "jovian-steam-protocol-handler" ''
- exec ${steamPackages.steam-fhsenv.run}/bin/steam-run ~/.steam/root/ubuntu12_32/steam "$@"
-''
+buildFHSEnv {
+ name = "jovian-steam-protocol-handler";
+
+ multiArch = true;
+ multiPkgs = pkgs: with pkgs; [
+ glibc
+ xorg.libX11
+ xorg.libxcb
+ xorg.libXau
+ xorg.libXdmcp
+ ];
+
+ runScript = writeShellScript "jovian-steam-protocol-handler-impl" ''
+ exec ~/.steam/root/ubuntu12_32/steam "$@"
+ '';
+}
diff --git a/pkgs/jovian-stubs/default.nix b/pkgs/jovian-stubs/default.nix
index bd210376..f1e8b90a 100644
--- a/pkgs/jovian-stubs/default.nix
+++ b/pkgs/jovian-stubs/default.nix
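Review bot: In modules/steam/steam.nix, `security.bubblewrap.allowSetuid = true;` is set unconditionally at normal priority, and the comment does not say that, judging by the option name, this makes bubblewrap setuid system-wide rather than only for Steam. A setuid bwrap is a privileged binary reachable by every local user, which an administrator may want to decline; `security.bubblewrap.allowSetuid = lib.mkDefault true;` (assuming `lib` is in scope here, which the hunk does not show) keeps it overridable without `mkForce`. The comment could also state that on a nixpkgs without the referenced PR the option presumably does not exist and evaluation would fail. The enclosing attribute set starts outside the hunk.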
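Review bot: In pkgs/jovian-steam-protocol-handler/default.nix, the new `runScript` forwards `"$@"` to `~/.steam/root/ubuntu12_32/steam` unchecked, so any argument the caller supplies, including one that starts with `-`, reaches the Steam client as if it were a URL. If this handler is only meant to receive a single steam:// URL (its desktop entry is not visible here), the script should reject anything else before the exec, for example `case "$1" in steam://*) ;; *) echo "expected a steam:// URL" >&2; exit 1 ;; esac` followed by `exec ~/.steam/root/ubuntu12_32/steam "$1"`. The same forwarding existed in the removed `steam-run` wrapper, so this is a pre-existing gap that the rewrite carries over rather than introduces.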
@@ -3,13 +3,9 @@
 stdenv.mkDerivation {
 name = "jovian-stubs";
 buildCommand = ''
- install -D -m 755 ${./jupiter-biosupdate} $out/bin/jupiter-biosupdate
 install -D -m 755 ${./steamos-factory-reset-config} $out/bin/steamos-factory-reset-config
 install -D -m 755 ${./steamos-reboot} $out/bin/steamos-reboot
 install -D -m 755 ${./steamos-select-branch} $out/bin/steamos-select-branch
 install -D -m 755 ${./steamos-update} $out/bin/steamos-update
-
- install -D -m 755 ${./pkexec} $out/bin/pkexec
- install -D -m 755 ${./sudo} $out/bin/sudo
 '';
 }
diff --git a/pkgs/jovian-stubs/jupiter-biosupdate b/pkgs/jovian-stubs/jupiter-biosupdate
deleted file mode 100644
index bf9720dd..00000000
--- a/pkgs/jovian-stubs/jupiter-biosupdate
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
->&2 echo "[JOVIAN] $0: stub called with: $*"
->&2 echo "[JOVIAN] jupiter-biosupdate requires elevation, which is currently not available in the sandbox"
->&2 echo "[JOVIAN] Please run sudo jupiter-biosupdate from outside Steam if necessary"
-exit 0
diff --git a/pkgs/jovian-stubs/pkexec b/pkgs/jovian-stubs/pkexec
deleted file mode 100644
index bebaaaaf..00000000
--- a/pkgs/jovian-stubs/pkexec
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
->&2 echo "[JOVIAN] $0: stub called with: $*"
-args=("$@")
-exec "${args[@]/--disable-internal-agent}"
diff --git a/pkgs/jovian-stubs/sudo b/pkgs/jovian-stubs/sudo
deleted file mode 100644
index 66082251..00000000
--- a/pkgs/jovian-stubs/sudo
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/env bash
->&2 echo "[JOVIAN] $0: stub called with: $*"
-
-declare -a final
-
-positional=""
-for value in "$@"; do
- if [[ -n "$positional" ]]; then
- final+=("$value")
- elif [[ "$value" == "-n" ]]; then
- :
- else
- positional="y"
- final+=("$value")
- fi
-done
-
-exec "${final[@]}"
diff --git a/pkgs/steam-jupiter/fhsenv.nix b/pkgs/steam-jupiter/fhsenv.nix
index e8eb4366..bee770f0 100644
--- a/pkgs/steam-jupiter/fhsenv.nix
+++ b/pkgs/steam-jupiter/fhsenv.nix
@@ -50,9 +50,7 @@ let
 dmidecode
 jovian-stubs
 sessionSwitcher
-
- # FIXME: figure out how to fix pkexec (needs SUID in fhsenv, see https://github.com/NixOS/nixpkgs/issues/69338)
- # and readd steamos-polkit-helpers
+ steamos-polkit-helpers
 ];
 extraProfile = (args.extraProfile or "") + ''
 export PATH=${jovian-stubs}/bin:$PATH
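Review bot: With the FIXME removed, nothing at the `steamos-polkit-helpers` entry in pkgs/steam-jupiter/fhsenv.nix records that it only works when pkexec can elevate inside the fhsenv. A one-line comment above it, such as `# needs working pkexec in the fhsenv; relies on security.bubblewrap.allowSetuid from modules/steam/steam.nix`, would keep that dependency visible to anyone building this package without the module. The `extraProfile` line below still puts `${jovian-stubs}/bin` first on PATH. Since this commit removes the pkexec and sudo stubs, the real binaries should now be resolved, though that depends on parts of the fhsenv not visible here. The package list and the let-block start outside the hunk.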