
Faking uinput: mount additional virtual devices without breaking container isolation #88

Draft · wants to merge 2 commits into base: stable

Conversation

ABeltramo (Member)

Still a draft, will update this when I've got something that works

Implements #81

@ABeltramo ABeltramo linked an issue Jul 25, 2024 that may be closed by this pull request
ABeltramo (Member, Author)

Status

We can correctly intercept when Steam Input tries to create a virtual device, but we can't mknod the corresponding /dev/input/eventX device node from the host since we don't have enough permissions when running as the default retro user.

To properly fix this I guess we could either:

  • Add mknod permissions to retro (how? See tests below...)
  • Add a simple CLI util, setcap cap_mknod+ep to it, then system("/sudo_mknod /dev/...")
  • Add a root-running daemon inside the container that, when pinged by our LD_PRELOAD-ed lib, will do the mknod (+ fake_udev and whatever else will be needed)
  • Open a bidirectional socket to Wolf so that we can intercept that and do docker exec -u root mknod ...

What I've tried so far

Build libfake_uinput.so

cmake --target fake_uinput

and libfake-uinput-32.so

cmake -DFAKE_UINPUT_32BIT=ON --target fake_uinput

Change config.toml:

mounts = [
  "/tmp/libfake_uinput.so:/usr/lib/x86_64-linux-gnu/fake-uinput.so:rw",
  "/tmp/libfake-uinput-32.so:/usr/lib/i386-linux-gnu/fake-uinput.so:rw",
  "/tmp/steam-startup.sh:/etc/cont-init.d/99-steam.sh:ro"
]
env = [
  "PROTON_LOG=1",
  "RUN_SWAY=true",
  "GOW_REQUIRED_DEVICES=/dev/input/* /dev/dri/* /dev/nvidia* /dev/uinput",
  "LD_PRELOAD=/usr/$LIB/fake-uinput.so"
]
devices = ["/dev/uinput:/dev/uinput"]

/tmp/steam-startup.sh:

#!/bin/bash
set -e

# Add mknod capability for Steam
setcap 'cap_mknod=eip' /usr/games/steam

# Allow user to mknod under /dev/input
mkdir -p /dev/input
chown ${PUID}:${PGID} /dev/input

cat .steam/debian-installation/logs/console-linux.txt
...
[fake-uinput] Intercepted UI_DEV_CREATE ioctl call
[fake-uinput] Error creating device node: Operation not permitted
[fake-uinput] Error creating device node: Operation not permitted
...

I've also tried setting cap_mknod on /home/retro/.steam/debian-installation/ubuntu12_32/reaper (and on steam in the same subfolder) without success. Even tried with setcap all=eip; it doesn't seem to have an effect.
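As an added example, not code from this PR or from Wolf: a small C diagnostic that reads the calling process's capability sets from /proc/self/status and reports whether CAP_MKNOD is effective, present only in the bounding set (where a file capability like the setcap above could add it at exec), or absent from the bounding set (where no setcap can ever grant it). The embedded status excerpt is constructed; the CapEff/CapBnd fields and CAP_MKNOD's bit number come from the kernel's capability interface.

```c
/* Added diagnostic, not part of this PR or of Wolf: read the process's
 * capability sets and say why mknod(2) would fail. Build: cc -o capcheck capcheck.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#define CAP_MKNOD 27 /* bit index from <linux/capability.h> */

enum mknod_verdict {
    MKNOD_ALLOWED,       /* CAP_MKNOD effective: an EPERM comes from another layer */
    MKNOD_NEEDS_FILECAP, /* only in the bounding set: setcap on the binary could add it */
    MKNOD_BLOCKED        /* not even in the bounding set: no setcap can grant it */
};

/* Constructed /proc/self/status excerpt (unprivileged user in a container whose
 * bounding set still carries CAP_MKNOD); used only when /proc is unreadable. */
static const char SAMPLE_STATUS[] =
    "Name:\tsteam\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n";

/* Hex mask following "<key>" in a status dump, 0 if the key is absent. */
static uint64_t cap_mask(const char *status, const char *key) {
    const char *p = strstr(status, key);
    return p ? strtoull(p + strlen(key), NULL, 16) : 0;
}

enum mknod_verdict diagnose_mknod(const char *status) {
    uint64_t eff = cap_mask(status, "CapEff:"), bnd = cap_mask(status, "CapBnd:");
    if ((eff >> CAP_MKNOD) & 1u) return MKNOD_ALLOWED;
    if ((bnd >> CAP_MKNOD) & 1u) return MKNOD_NEEDS_FILECAP;
    return MKNOD_BLOCKED;
}

static const char *VERDICT_MSG[] = {
    "CAP_MKNOD is effective: an EPERM from mknod comes from another layer (e.g. devices cgroup)",
    "CAP_MKNOD only in bounding set: file capabilities (setcap) could add it at exec",
    "CAP_MKNOD not in bounding set: setcap cannot help, the container config must change",
};

int main(void) {
    static char buf[8192];
    const char *status = SAMPLE_STATUS;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { /* real process: classify ourselves instead of the sample */
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
        status = buf;
    }
    puts(VERDICT_MSG[diagnose_mknod(status)]);
    return 0;
}
```

Run it inside the container as the retro user (and again via a binary that has had setcap applied) to see which of the three cases the process actually lands in.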

Successfully merging this pull request may close these issues.

Fix Steam input in unprivileged containers