Has anyone tried Dungeon Rats with Wine? Is the WineHQ entry correct which reports that the game has minor graphical glitches, but is well playable otherwise?

offtop (cuz Im still unable to create threads by my own): does anybody there use bubblewrap with wine/native games as an alternative way to lock permissions (will it be access to third party files, processes or network)? If yes - can you, please, share some examples to use as reference?

You can try using Flatpak, it's designed for lightweight sandboxing.

flatpak itself is nowhere to be light - amount of dependencies is insane...

And if you've meant firejail - iirc it actually uses bubblewrap for sandboxing purposes

Well, it's more lightweight than SELinux.

Aye, I looked at a few programs some days ago. Instead of 50 MB or something, it ended up at 2 GB. Totally nuts.

Game: House Flipper
Wine Version: 4.12.1
Graphics Driver/Adapter: R7 240+Mesa.
Kernel Version: 5.1.19
WineHQ AppDB Link: Here.
Distro: Fedora 30.
Technical Guff: bdd5d212e366a962063c9dc8a6fc2cbf


Results: Inconclusive. Music plays, no display aside from cursor.

Still want to know about Bloodstained.

my question regarding bubblewrap is still valid tho. Archwiki has a good guide, but I still didnt figure out, how to make games work without mounting whole root partition as read-only.
If anybody else uses it - would be glad to see working examples of configs

Often it's easiest to simply run the application as another user or group with restricted permissions.

For example, when I don't want games to "phone home" I use sg to run them as my current user but with a specified "nonet" primary group (of which my user is already a member). I simply set up an iptables rule to disallow internet access to the "nonet" group -- something like this

From scratch, assuming my user name is "xixas" and the game is Mirror's Edge:

# sudo groupadd nonet
# sudo usermod -a -G nonet xixas
# sudo iptables -A OUTPUT -m owner --gid-owner nonet -j REJECT
# sg nonet 'wine /home/xixas/Games/mirrors-edge/drive_c/GOG Games/Mirror's Edge/Binaries/MirrorsEdge.exe'

Of course, you'd want to save your firewall rules somewhere with iptables-save. And note that it's better to REJECT than to DROP, otherwise some applications will freeze waiting on a response.

Going a similar route, you could alternately use setuid or setgid on the executable to maintain the user or group state -- or if you're using wine you set aside a dedicated wine binary for gaming.

A lot of the time people turn to tools like chroot/bubblewrap/firejail/docker to sandbox things far beyond what is required.

Would newgrp not work as an alternative to sg?
I do the opposite I only allow programs to access the net that are run with a specific group.

I thought about it, but since Im not that skilled and will probably miss something (for example - networkmanager) - I've ended up with said setup

Sure, and it's definitely easier if you need to run multiple commands. I use sg for desktop menu shortcuts and the like, as it's a simple inline for the specified run -- and you can easily make shortcuts for both "with" and "without" networking that way.

It's particularly handy to edit Lutris-generated menu items that way -- e.g. sg nonet 'lutris lutris:rungameid/1' -- as there's no need for Lutris to have the option of phoning home at game runtime either.

Lutris has been be pretty hit-and-miss when it comes to the GOG installer, so I perform installs manually, but it makes for an easy options manager. Would be nice if they'd add a runner option for switching user/group.

Good server default -- but it can be a little painful on multi-user day-to-day desktops.
I'm guessing most of us spend enough time playing tech support already ;)

yes, it works in wine. as well as first game from this developer. I tried steam versions but I guess it won't bring different results for gog version. Haven't noticed any glitches. ProtonDB also says it works nicely
https://www.protondb.com/app/531930