[Unsure if bug or not] Can't disconnect steam from home (Steam and apps always have access to whole home) #410
-
Adding as sidenote, I've also tried disconnecting removable-media to no luck on this... Is same resolution.
-
@ashuntu sorry for the ping but anything you can say about this?
-
Just responding to let you know I've seen this issue. We're doing some reworking of how Steam gets permissions and will let you know when I have something concrete to give you.
-
So it’s misconfig in apparmor profile? That’s kind of scary to think it’s possible on snap which is supposed to like be used on servers
-
I should clarify, what you're experiencing is intentional. There is no misconfig or compromise of security or anything like that going on. Steam specifically requires some very specific permissions, so we have been reworking how that works in the Steam snap only (its apparmor profile), and I'll have more to share in the future. I'll keep this open for discussion, but I'll turn it into a GitHub Discussion instead.
-
@ashuntu I think the reply doesn't give notification :) Could you please clarify ty
-
@ashuntu as reply to the reply, why is it (just using fake root & home directory etc.) not possible to do with snap whilst it is possible with something like flatpak with barely any difference on the overhead? I know snap is designed to be more leaning towards using resources from the system but isn't apparmor and the built in snap stuff not enough to do something similar? Also, I might sound a bit too conservative but in the end games that run under steam etc. are just foreign programs that may or may not be doing some spooky stuff in the background or are 100% secure against any other spooky stuff that may come to mind... How can anybody know & prove that some game (indie or big studio) isn't datamining in the background? Especially considering some sensitive stuff like CVs and contact lists may just be housed under the same computer.
-
Hey, I try doing (sudo) snap disconnect steam:home and it seems to not disconnect or maybe I'm not understanding this correctly, when I do the said command and try running double-commander (file explorer) Linux and Windows in Steam I'm fully able to view and look into files in /home, also can copy, move etc. and Games like Project Zomboid also have the ability to do the same, isn't this breaking confinement of the sandbox? I got apparmor enabled and haven't tampered with the configs. I believe I had it off for a while with the same result.
Example of Zomboid folder:
To clarify: I've worked with flatpak and gotten some amazing configs set up yet stopped using it due to the dependencies being handled (in my opinion) horribly & the updates being clunky.