Has anyone tried Dungeon Rats with Wine? Is the WineHQ entry correct which reports that the game has minor graphical glitches, but is well playable otherwise?

offtop (cuz Im still unable to create threads by my own): does anybody there use bubblewrap with wine/native games as an alternative way to lock permissions (will it be access to third party files, processes or network)? If yes - can you, please, share some examples to use as reference?

You can try using Flatpak, it's designed for lightweight sandboxing.

flatpak itself is nowhere to be light - amount of dependencies is insane...

And if you've meant firejail - iirc it actually uses bubblewrap for sandboxing purposes

Well, it's more lightweight than SELinux.

Game: House Flipper
Wine Version: 4.12.1
Graphics Driver/Adapter: R7 240+Mesa.
Kernel Version: 5.1.19
WineHQ AppDB Link: Here.
Distro: Fedora 30.
Technical Guff: bdd5d212e366a962063c9dc8a6fc2cbf


Results: Inconclusive. Music plays, no display aside from cursor.

Still want to know about Bloodstained.

my question regarding bubblewrap is still valid tho. Archwiki has a good guide, but I still didnt figure out, how to make games work without mounting whole root partition as read-only.
If anybody else uses it - would be glad to see working examples of configs

Often it's easiest to simply run the application as another user or group with restricted permissions.

For example, when I don't want games to "phone home" I use sg to run them as my current user but with a specified "nonet" primary group (of which my user is already a member). I simply set up an iptables rule to disallow internet access to the "nonet" group -- something like this

From scratch, assuming my user name is "xixas" and the game is Mirror's Edge:

# sudo groupadd nonet
# sudo usermod -a -G nonet xixas
# sudo iptables -A OUTPUT -m owner --gid-owner nonet -j REJECT
# sg nonet 'wine /home/xixas/Games/mirrors-edge/drive_c/GOG Games/Mirror's Edge/Binaries/MirrorsEdge.exe'

Of course, you'd want to save your firewall rules somewhere with iptables-save. And note that it's better to REJECT than to DROP, otherwise some applications will freeze waiting on a response.

Going a similar route, you could alternately use setuid or setgid on the executable to maintain the user or group state -- or if you're using wine you set aside a dedicated wine binary for gaming.

A lot of the time people turn to tools like chroot/bubblewrap/firejail/docker to sandbox things far beyond what is required.

Im already doing so for about 2 years... (btw - in general, its better to also whitelist localhost) The thing is - if possible, I'd also restrict games from reading anything else than necessary to work folders (libraries, etc) and writing into anything else than their config/savefile locations. And it probably will be a bit more clean to achieve with special software, rather than bloating the list of groups by making separate ones for each new game added (I think, thats how 'play.it' works?).

And yeah - there is a major flaw with using sg. By default, you can only execute one program with it. E.g you cant just make It wont work.
Instead, you need to write it like And if you have a really long list of options and configs, and some of them already have spaces in them (so you already need to use "'s to prevent escaping) - it turns into real hell

Would newgrp not work as an alternative to sg?
I do the opposite I only allow programs to access the net that are run with a specific group.

I thought about it, but since Im not that skilled and will probably miss something (for example - networkmanager) - I've ended up with said setup

Sure, and it's definitely easier if you need to run multiple commands. I use sg for desktop menu shortcuts and the like, as it's a simple inline for the specified run -- and you can easily make shortcuts for both "with" and "without" networking that way.

It's particularly handy to edit Lutris-generated menu items that way -- e.g. sg nonet 'lutris lutris:rungameid/1' -- as there's no need for Lutris to have the option of phoning home at game runtime either.

Lutris has been be pretty hit-and-miss when it comes to the GOG installer, so I perform installs manually, but it makes for an easy options manager. Would be nice if they'd add a runner option for switching user/group.

Good server default -- but it can be a little painful on multi-user day-to-day desktops.
I'm guessing most of us spend enough time playing tech support already ;)

yes, it works in wine. as well as first game from this developer. I tried steam versions but I guess it won't bring different results for gog version. Haven't noticed any glitches. ProtonDB also says it works nicely
https://www.protondb.com/app/531930