Native games that use QtWebEngineProcess crash without the network-control interface connected. We’d like to request auto-connect for network-control in the steam snap.
network-control seems a bit heavy-handed for something like steam IMO - I wonder if instead network or network-observe or similar should be updated for whatever is causing this crash.
Any chance you can provide more details on the crash since I expect this would affect similar Qt based applications? Thanks.
This is the denial:
= Seccomp = Time: Mar 10 13:19:59 Log: auid=1001 uid=1001 gid=1001 ses=6 subj=? pid=131116 comm=“QtWebEngineProc” exe=2F686F6D652F6B656E2F736E61702F737465616D2F636F6D6D6F6E2F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F536964204D65696572277320436976696C697A6174696F6E2056492F47616D6547756964652F6C6962657865632F5174576562456E67696E6550726F63657373 sig=0 arch=c000003e 272(unshare) compat=0 ip=0x7fd8c32f6a3d code=0x50000 Syscall: unshare Suggestion:
- add ‘network-control’ to ‘plugs’
This feels more appropriate IMO - do you know what argument is being used with unshare since ideally we would scope it to just that (I am guessing it is CLONE_NEWNET but it would be useful to keep this as strict as possible).
Can you strace this @kenvandine to find out what parameters are being passed to unshare()? I can’t reproduce it locally just by running the steam snap with a few games - or is there a free game which shows this?
@alexmurray Here’s all references to unshare from the strace:
85836 unshare(CLONE_NEWNS) = 0
86455 unlinkat(24, "unshare", 0 <unfinished ...>
86455 unlinkat(22, "unshare", 0) = 0
86455 openat(25, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file or directory)
86455 linkat(22, "./bin/unshare", 25, "unshare", 0) = 0
86455 openat(25, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = 24
86455 openat(28, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file or directory)
86455 openat(28, "unshare", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = 24
The game I’ve been reproducing it with is Civ 6, but not free.
Ok so this is a bit more privileged than I thought (as per man unshare(2))
Use of CLONE_NEWNS requires the CAP_SYS_ADMIN capability
But the steam interface is already quite privileged so I think this seems reasonable to me. So if it can wait for a new snapd release then my preference would be to add something like the following to snapd:
diff --git a/interfaces/builtin/steam_support.go b/interfaces/builtin/steam_support.go
index 5428942114..dd5dfb9087 100644
--- a/interfaces/builtin/steam_support.go
+++ b/interfaces/builtin/steam_support.go
@@ -216,6 +216,10 @@ const steamSupportConnectedPlugSecComp = `
mount
umount2
pivot_root
+
+# Native games using QtWebEngineProcess -
+# https://forum.snapcraft.io/t/autoconnect-request-steam-network-control/34267
+unshare CLONE_NEWNS
`
const steamSupportSteamInputUDevRules = `
@kenvandine you could test this by doing something like the following:
echo unshare CLONE_NEWNS | sudo tee -a /var/lib/snapd/seccomp/bpf/snap.steam.steam.src
sudo /usr/lib/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.steam.steam.src /var/lib/snapd/seccomp/bpf/snap.steam.steam.bin
And then try rerunning steam to see if it fixes the issue? If so then we can look at adding this to snapd.
@kenvandine hey,
Did you have time to explore @alexmurray’s suggestion? As far as I can see unshare has not been added to the steam_support interface yet.
Hey @kenvandine - ping again, just wanted to gently remind that this request is currently blocked. Were you able to proceed and consider the suggestions made by @alexmurray? Thanks.
Friendly ping to @kenvandine for status update 
. Let us know if we @reviewers can help somehow since it’s been almost 5 months since you first requested this auto-connection.