Autoconnect request steam:network-control

Native games that use QtWebEngineProcess crash without the network-control interface connected. We’d like to request auto-connect for network-control in the steam snap.

network-control seems a bit heavy-handed for something like steam IMO - I wonder if instead network or network-observe or similar should be updated for whatever is causing this crash.

Any chance you can provide more details on the crash since I expect this would affect similar Qt based applications? Thanks.

This is the denial:

= Seccomp =
Time: Mar 10 13:19:59
Log: auid=1001 uid=1001 gid=1001 ses=6 subj=? pid=131116 comm="QtWebEngineProc" exe=2F686F6D652F6B656E2F736E61702F737465616D2F636F6D6D6F6E2F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F536964204D65696572277320436976696C697A6174696F6E2056492F47616D6547756964652F6C6962657865632F5174576562456E67696E6550726F63657373 sig=0 arch=c000003e 272(unshare) compat=0 ip=0x7fd8c32f6a3d code=0x50000
Syscall: unshare
Suggestion:

  • add 'network-control' to 'plugs'

@alexmurray how would you feel about us adding unshare syscall to the steam-support interface?

This feels more appropriate IMO - do you know what argument is being used with unshare since ideally we would scope it to just that (I am guessing it is CLONE_NEWNET but it would be useful to keep this as strict as possible).

Can you strace this @kenvandine to find out what parameters are being passed to unshare()? I can’t reproduce it locally just by running the steam snap with a few games - or is there a free game which shows this?

@alexmurray Here’s all references to unshare from the strace:

85836 unshare(CLONE_NEWNS)              = 0
86455 unlinkat(24, "unshare", 0 <unfinished ...>
86455 unlinkat(22, "unshare", 0)        = 0
86455 openat(25, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file or directory)
86455 linkat(22, "./bin/unshare", 25, "unshare", 0) = 0
86455 openat(25, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = 24
86455 openat(28, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file or directory)
86455 openat(28, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = 24

The game I’ve been reproducing it with is Civ 6, but not free.
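Added example, not part of any post in this thread: a small Python triage helper that decodes a seccomp denial in the format shown above (including the hex-encoded `exe` field) and pulls the flag arguments out of real `unshare()` calls in strace output, ignoring lines where "unshare" is only a file name. The `DENIAL` sample uses a short constructed path, the function names are hypothetical, and the rule is assumed to match the flag argument exactly.

```python
import re

# Constructed sample in the denial format above; the exe path is made up and
# hex-encoded the way audit encodes paths that contain spaces.
DENIAL = ('auid=1001 uid=1001 gid=1001 ses=6 subj=? pid=131116 '
          'comm="QtWebEngineProc" exe='
          + b"/games/My Game/QtWebEngineProcess".hex().upper()
          + ' sig=0 arch=c000003e 272(unshare) compat=0 code=0x50000')

# Three of the strace lines quoted in the thread.
STRACE = '''85836 unshare(CLONE_NEWNS)              = 0
86455 unlinkat(22, "unshare", 0)        = 0
86455 linkat(22, "./bin/unshare", 25, "unshare", 0) = 0'''

def parse_denial(line):
    """Return comm, decoded exe path and syscall from a denial line."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    exe = fields["exe"]
    if exe.startswith('"'):          # plain paths are logged quoted
        exe = exe.strip('"')
    else:                            # paths with spaces are logged as hex
        exe = bytes.fromhex(exe).decode("utf-8", "replace")
    nr, name = re.search(r"\b(\d+)\((\w+)\)", line).groups()
    return {"comm": fields["comm"].strip('"'), "exe": exe,
            "nr": int(nr), "syscall": name}

def unshare_flag_sets(strace_text):
    """Flag sets of actual unshare() calls; lines where "unshare" is a
    path argument to another syscall are skipped."""
    found = set()
    for line in strace_text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?unshare\(([^)]*)\)", line)
        if m:
            found.add(frozenset(f.strip() for f in m.group(1).split("|")))
    return found

def unexpected(flag_sets, allowed=frozenset({"CLONE_NEWNS"})):
    """Flag sets that a rule scoped to exactly `allowed` would not cover
    (assumption: the rule compares the argument for equality)."""
    return {fs for fs in flag_sets if fs != allowed}

if __name__ == "__main__":
    print(parse_denial(DENIAL))
    print(unshare_flag_sets(STRACE), unexpected(unshare_flag_sets(STRACE)))
```

An empty result from `unexpected()` means every observed call fits a rule limited to `CLONE_NEWNS`; anything else is a flag combination to review before widening the policy.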

Ok so this is a bit more privileged than I thought (as per man unshare(2))

Use of CLONE_NEWNS requires the CAP_SYS_ADMIN capability

But the steam interface is already quite privileged so I think this seems reasonable to me. So if it can wait for a new snapd release then my preference would be to add something like the following to snapd:

diff --git a/interfaces/builtin/steam_support.go b/interfaces/builtin/steam_support.go
index 5428942114..dd5dfb9087 100644
--- a/interfaces/builtin/steam_support.go
+++ b/interfaces/builtin/steam_support.go
@@ -216,6 +216,10 @@ const steamSupportConnectedPlugSecComp = `
+# Native games using QtWebEngineProcess -
+unshare CLONE_NEWNS
 const steamSupportSteamInputUDevRules = `
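Review bot: The comment on the first added line ends in a dangling "-" and does not record why the rule exists. Suggest finishing it so it states that QtWebEngineProcess calls unshare with CLONE_NEWNS and that the rule is deliberately limited to that one flag, so a later edit does not widen it to a bare unshare. A blank line between the new rule and the following const declaration would also keep the policy text visually separate from the Go code.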

@kenvandine you could test this by doing something like the following:

echo unshare CLONE_NEWNS | sudo tee -a /var/lib/snapd/seccomp/bpf/snap.steam.steam.src
sudo /usr/lib/snapd/snap-seccomp compile  /var/lib/snapd/seccomp/bpf/snap.steam.steam.src /var/lib/snapd/seccomp/bpf/snap.steam.steam.bin

And then try rerunning steam to see if it fixes the issue? If so then we can look at adding this to snapd.

@kenvandine hey,

Did you have time to explore @alexmurray’s suggestion? As far as I can see unshare has not been added to the steam_support interface yet.

Hey @kenvandine - ping again, just wanted to gently remind that this request is currently blocked. Were you able to proceed and consider the suggestions made by @alexmurray? Thanks.

Friendly ping to @kenvandine for status update. Let us know if we @reviewers can help somehow since it’s been almost 5 months since you first requested this auto-connection.

@emitorino sorry, we’ll get on that!

This was added into Snapd with this PR:
