Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

steam: use setuid bubblewrap #181

Closed
wants to merge 2 commits into from
Closed

steam: use setuid bubblewrap #181

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7dd743d
steam: use setuid bubblewrap
K900 Oct 11, 2023
443af9a
jovian-steam-protocol-handler: replace with its own fhsenv
K900 Oct 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions modules/steam/steam.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,11 @@ in
}
});
'';

# Steam will run some helper tools with pkexec, which needs setuid,
# which means bubblewrap itself also needs to be setuid.
# Requires https://github.com/NixOS/nixpkgs/pull/260404.
security.bubblewrap.allowSetuid = true;
}
]);
}
22 changes: 18 additions & 4 deletions pkgs/jovian-steam-protocol-handler/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,23 @@
{
buildFHSEnv,
writeShellScript,
steamPackages,
}:
# Just enough fhsenv to run just enough of Steam to actually send a URL to the _real_ Steam.
# FIXME: this is a hack, replace with a better implementation
# Investigate magic socket?
writeShellScript "jovian-steam-protocol-handler" ''
exec ${steamPackages.steam-fhsenv.run}/bin/steam-run ~/.steam/root/ubuntu12_32/steam "$@"
''
buildFHSEnv {
name = "jovian-steam-protocol-handler";

multiArch = true;
multiPkgs = pkgs: with pkgs; [
glibc
xorg.libX11
xorg.libxcb
xorg.libXau
xorg.libXdmcp
];

runScript = writeShellScript "jovian-steam-protocol-handler-impl" ''
exec ~/.steam/root/ubuntu12_32/steam "$@"
'';
}
4 changes: 0 additions & 4 deletions pkgs/jovian-stubs/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,9 @@ stdenv.mkDerivation {
name = "jovian-stubs";

buildCommand = ''
install -D -m 755 ${./jupiter-biosupdate} $out/bin/jupiter-biosupdate
install -D -m 755 ${./steamos-factory-reset-config} $out/bin/steamos-factory-reset-config
install -D -m 755 ${./steamos-reboot} $out/bin/steamos-reboot
install -D -m 755 ${./steamos-select-branch} $out/bin/steamos-select-branch
install -D -m 755 ${./steamos-update} $out/bin/steamos-update

install -D -m 755 ${./pkexec} $out/bin/pkexec
install -D -m 755 ${./sudo} $out/bin/sudo
'';
}
5 changes: 0 additions & 5 deletions pkgs/jovian-stubs/jupiter-biosupdate
View file
Open in desktop

This file was deleted.

4 changes: 0 additions & 4 deletions pkgs/jovian-stubs/pkexec
View file
Open in desktop

This file was deleted.

18 changes: 0 additions & 18 deletions pkgs/jovian-stubs/sudo
View file
Open in desktop

This file was deleted.

4 changes: 1 addition & 3 deletions pkgs/steam-jupiter/fhsenv.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,9 +50,7 @@ let
dmidecode
jovian-stubs
sessionSwitcher

# FIXME: figure out how to fix pkexec (needs SUID in fhsenv, see https://github.com/NixOS/nixpkgs/issues/69338)
# and readd steamos-polkit-helpers
steamos-polkit-helpers
];
extraProfile = (args.extraProfile or "") + ''
export PATH=${jovian-stubs}/bin:$PATH
Expand Down
Loading