Gentoo Forums
get audio/video from a game running in a LXC container
as.gentoo
Guru


Joined: 07 Aug 2004
Posts: 319

Posted: Mon Apr 17, 2017 4:59 pm    Post subject: get audio/video from a game running in a LXC container

Hello,

I made an unprivileged lxc container for playing games via wine.
I mainly want to make the host's filesystem inaccessible, hide what processes run there, prevent the use of sudo et cetera. Okay, the latter can be achieved by simply having another user for gaming.
Generally everything I can "manually" do as a user can be done by a program that I started - including reading what I type, removal of random or specific files as well as parsing sensitive files, sending emails, downloading and execution of (more) malware and so on without me knowing, right? That would apply to the closed source (Windows) game I want to play as well.

I was successful setting up the container having network access - emerging wine finished too. I need help with the "last step" which is "streaming" audio and video to the host's xorg-server. Maybe the guest is capable of accessing the VGA so that streaming isn't needed at all. But I think it's not. Is that correct?
I do not want to use 'xhost +LOCAL:' command because I read that that creates security gaps. Or maybe it doesn't? I am the only person using the box and I'm almost never logging in remotely. Sshd is only started when I know I need it and only for as long as needed.

Some search resulted in a few promising packages for streaming. virtualGL needs the 'xhost +LOCAL:' command to be executed on the host. There is xpra and a VNC client/server solution. As I can see both can be used with virtualGL which could have a lot of benefits.
Does anybody know how to get the game's video to be sent to the screen at as many FPS as the game/wine supplies in a secure way (same for audio)? Is there any experience using the tools above or something else?

Thanks in advance!
-----
A general question: will the guest be able to read the keyboard when I'm working on the host or is that segregated too? What about the clipboard? What about reading the screen? I wouldn't want the guest to be able to "see" the screen's content (e.g. a very personal email I am writing on the host) - on the contrary, reading the position of the mouse pointer is needed.

When I am logged into the container, is there a way to hide that it's a sandboxed environment?
Code:
[client]$> cat /proc/self/mountinfo | grep sda
55 97 0:6 /mike/.local/share/lxc/yoo/rootfs / rw,noatime - ext4 /dev/sda5 rw,data=ordered
That makes quite clear that this is an lxc client. It also reveals the username of the container's owner on the host. Is it possible to make the host present the container's "/" as /dev/sda1 inside the container?
I guess there are probably more ways to become suspicious or even show that this is an lxc guest...

What about setting something like a disk quota for the guest? If some logging goes mad in the client I wouldn't want to leave the host's /home with only a megabyte of free space.


[edit: some minor rephrasings and added examples]
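
The mountinfo line quoted in the post, split into its fields per proc(5), as an added example that is not part of the original post: the fourth field (the mount's root inside the backing filesystem) is the one that carries the host-side path and username. The function names and the second sample line are constructed for illustration.

```python
import re

# Line quoted in the post above (output seen inside the container).
POST_LINE = ("55 97 0:6 /mike/.local/share/lxc/yoo/rootfs / rw,noatime "
             "- ext4 /dev/sda5 rw,data=ordered")
# Constructed sample line for contrast: a mount whose root is "/".
CONSTRUCTED_LINE = "98 55 0:45 / /proc rw,nosuid,nodev,noexec - proc proc rw"


def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo_line(line):
    """Split one /proc/<pid>/mountinfo line into named fields (see proc(5))."""
    fields = line.split()
    sep = fields.index("-", 6)            # optional fields end at the "-" separator
    return {
        "mount_id": int(fields[0]),
        "parent_id": int(fields[1]),
        "device": fields[2],
        "root": _unescape(fields[3]),      # path inside the backing filesystem
        "mount_point": _unescape(fields[4]),
        "options": fields[5].split(","),
        "optional": fields[6:sep],
        "fstype": fields[sep + 1],
        "source": _unescape(fields[sep + 2]),
        "super_options": fields[sep + 3].split(","),
    }


def exposed_host_paths(mountinfo_text):
    """Return (mount_point, root, source) for mounts whose root is not "/".

    A non-"/" root means the mount is a subtree of a larger filesystem,
    so the path of that subtree is readable from inside.
    """
    found = []
    for line in mountinfo_text.splitlines():
        if line.strip():
            m = parse_mountinfo_line(line)
            if m["root"] != "/":
                found.append((m["mount_point"], m["root"], m["source"]))
    return found


if __name__ == "__main__":
    for hit in exposed_host_paths(POST_LINE + "\n" + CONSTRUCTED_LINE):
        print("mount %s exposes backing path %s on %s" % hit)
```
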
All times are GMT