[AdmiralAsshat]

Just built a new Gaming Linux PC which is intended to replace my aging Dell XPS 13 as my daily driver. Decided to go all-in on flatpaks, as I've been trying to stay away from rpm-fusion.

The Steam Flatpak has been an adventure, to say the least. I added a second SSD just for games that gets automatically mounted on boot, and I gather that having the games installed somewhere outside of steam's /home/ directory was not jiving with flatpak's security model. It took some non-trivial editing (thanks, flatseal) to finally let the Steam flatpak be able to write outside of its own directory and install the games.

I still get occasional weirdness, especially on older games. I wasn't hearing any sound effects on Team Fortress 2, which I eventually discovered was tied to an selinux alert. At last check in, I still can't launch CS:Go, because of some backend problem while trying to play the opening movie...

[hedora]

Fine fine-grained permissions systems like selinux end up introducing bizarre error conditions that are outside of upstream's test suite. Those error conditions are often exploitable.

They also assume that having distributions and end users produce a multi-MB security policy written in an arcane, poorly-documented policy language will somehow lead to a correctly configured sandbox.

I greatly prefer the OpenBSD approach, where the upstream application developer builds calls to things like pledge(2) into their program, and then tests that it behaves correctly before releasing it:

https://man.openbsd.org/pledge.2

[iotku]

>I gather that having the games installed somewhere outside of steam's /home/ directory was not jiving with flatpak's security model. It took some non-trivial editing (thanks, flatseal) to finally let the Steam flatpak be able to write outside of its own directory and install the games.

I think flatpak could use a built in notification method of some sort to add exceptions to paths it's allowing access to, though I imagine it would still require effort on the application's part which maybe would never happen (especially with steam using its own custom file browser)

>At last check in, I still can't launch CS:Go, because of some backend problem while trying to play the opening movie

I've had no such issue (and it's worth noting the -novid launch option), but regardless valve still treats Linux as a second class platform despite the steam deck which is fairly disappointing.

The issue I do have is that the new overlay will crash cs:go in openGL mode and Vulkan mode has massive stutters.

I'm optimistic CS2 will be better, but to be determined.

[nine_k]

I would just bind-mount the appropriate part of the second disk as /home/steam, or whatever. I don't see why one should persuade a program to follow a complicated setup when the setup can just be made straightforward with OS tools.

[jwells89]

Problems like this seem like a natural consequence of trying to mash together distribution and sandboxing, rather than leaving the sandboxing to the OS. It’s so much easier to build something that “just works” if you’re concerned only with distribution (really, it’s as simple as macOS style app bundles. Yes it takes a bit more space but the UX improvement is worth it).

Following this, it seems like there should be an XDG standard for sandboxing which distros are free to implement whichever way they feel is best. With that, Linux app packaging solutions need only worry about playing nice with that spec.

[PurpleRamen]

I had similar problems with Lutris, but never came around to fully solve them. Now I'm using the native debian-package, and never had any problem again. Flatpaks overall are working fine, I use them for portable apps on my mobile SSD. But the security can be a hassle on a hacking friendly-system which is doing too much outside the expected. So one should be aware that Flatpaks might be a tad different from native packages.

[post-it]

It's insane that flatseal isn't a native part of flatpak. Problems like you encountered mean that the packaging system is incomplete by default.

[larry-_-]

If you are still having problems with launching CSGO try adding a launch option to disable it.

https://totalcsgo.com/launch-options