How and why can the discord snap detect what game I am playing?

The discord app is able to detect what game or games are running on my system. This surprises me since I have tried to limit the connections available to discord, and thought the sandboxing would prevent that kind of “snooping”.

Here are the connections:

~$ snap connections discord
Interface                 Plug                            Slot                             Notes
browser-support           discord:browser-support         :browser-support                 manual
camera                    discord:camera                  -                                -
content[gnome-3-28-1804]  discord:gnome-3-28-1804         gnome-3-28-1804:gnome-3-28-1804  -
content[gtk-3-themes]     discord:gtk-3-themes            gtk-common-themes:gtk-3-themes   -
content[icon-themes]      discord:icon-themes             gtk-common-themes:icon-themes    -
content[sound-themes]     discord:sound-themes            gtk-common-themes:sound-themes   -
desktop                   discord:desktop                 :desktop                         -
desktop-legacy            discord:desktop-legacy          :desktop-legacy                  -
gsettings                 discord:gsettings               :gsettings                       manual
home                      discord:home                    -                                -
mount-observe             discord:mount-observe           -                                -
network                   discord:network                 :network                         -
network-observe           discord:network-observe         -                                -
opengl                    discord:opengl                  :opengl                          -
process-control           discord:process-control         -                                -
pulseaudio                discord:pulseaudio              :pulseaudio                      -
removable-media           discord:removable-media         -                                -
screen-inhibit-control    discord:screen-inhibit-control  :screen-inhibit-control          -
system-observe            discord:system-observe          -                                -
unity7                    discord:unity7                  :unity7                          -
wayland                   discord:wayland                 :wayland                         -
x11                       discord:x11                     :x11                             -

In particular, I had assumed removing the “system-observe” would prevent discord from knowing what processes are running. (edit: formatting)

that would actually be the process-control interface.
system-observe allows reading your hostname, disk stats, memory info and information about loaded modules and the like.

discord can definitely always query the x server (via the x11 interface) to see what gui apps are running, the x11 protocol is not particularly safe against such “snooping”

What does snap debug confinement report?


Interesting! I tried disconnecting the discord:x11 plug, and discord can still figure out when I start a game. I experimented a bit, here is what seems to be the minimum of plugs that need to be connected for discord to start:

~$ snap connections discord
Interface                 Plug                            Slot                             Notes
browser-support           discord:browser-support         :browser-support                 manual
camera                    discord:camera                  -                                -
content[gnome-3-28-1804]  discord:gnome-3-28-1804         gnome-3-28-1804:gnome-3-28-1804      manual
content                   discord:gtk-3-themes            -                                -
content                   discord:icon-themes             -                                -
content                   discord:sound-themes            -                                -
desktop                   discord:desktop                 -                                -
desktop-legacy            discord:desktop-legacy          -                                -
gsettings                 discord:gsettings               :gsettings                       manual
home                      discord:home                    -                                -
mount-observe             discord:mount-observe           -                                -
network                   discord:network                 :network                         manual
network-observe           discord:network-observe         -                                -
opengl                    discord:opengl                  -                                -
process-control           discord:process-control         -                                -
pulseaudio                discord:pulseaudio              -                                -
removable-media           discord:removable-media         -                                -
screen-inhibit-control    discord:screen-inhibit-control  -                                -
system-observe            discord:system-observe          -                                -
unity7                    discord:unity7                  :unity7                          manual
wayland                   discord:wayland                 -                                -
x11                       discord:x11                     -                                -

And it is still able to figure out when I start a game…

~$ snap debug confinement
strict

and for good measure:

~$ snap info --verbose discord
...
  confinement:       strict
...

Depending on the games, there’s a chance it’s the games communicating to Discord that it’s running rather than Discord probing them itself. Discord opens up two sockets, one Unix socket that doesn’t work properly in snaps but a second TCP socket that should work absolutely fine; opening a TCP port is allowed under the network interface so there’s not an easy way to stop them at the interface level but maybe someone could chime in with how to do it at the firewall level instead.

Edit: Try blocking ports 6463 to 6472, according to the information at https://discord.com/developers/docs/topics/rpc

This never crossed my mind - that the game itself reports to Discord. I tried to block the port, but Discord is still able to detect the game.

Some details: The games I’ve been testing with are Factorio (started through Steam) and Lutris (which is not even a game but a game launcher thing).

I’m not sure how to block ports, so what I did was to use “sudo ncat -l portno” to start listening to the port myself before starting Discord. By doing “ss -pl | grep Discord” I can see that once I listen to all ports 6463-6472, Discord is blocked from listening. There are probably more elegant ways, but as a test that should do the trick I believe.
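Added example, not part of the original thread: a small audit of the port-squatting test described above, reporting for each port in 6463-6472 which process holds the listener, so a port still held by Discord or left free is visible at a glance. The function name and the sample `ss` lines are constructed for illustration; it assumes the column layout of `ss -Hltnp`.

```shell
#!/bin/sh
# Added example: audit who holds Discord's local RPC port range (6463-6472).

# Reads `ss -Hltnp` output on stdin and prints "<port> <owner>" for every port
# in the range. owner is the listening process name, "unknown" when ss showed
# no process column (e.g. run without root), or "free" when nothing listens.
rpc_port_report() {
    awk -v lo=6463 -v hi=6472 '
    $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0     # last piece also handles [::]:port
        if (port < lo || port > hi) next
        name = "unknown"
        if (split($6, q, "\"") >= 3) name = q[2]   # users:(("name",pid=..,fd=..))
        owner[port] = name
    }
    END {
        for (p = lo; p <= hi; p++)
            print p, ((p in owner) ? owner[p] : "free")
    }'
}

# Constructed sample of `ss -Hltnp` output (not captured from a real system):
# ncat squats two ports, Discord still holds one, one listener has no owner shown.
sample_ss() {
    cat <<'EOF'
LISTEN 0 10  0.0.0.0:6463   0.0.0.0:* users:(("ncat",pid=5001,fd=3))
LISTEN 0 10  0.0.0.0:6464   0.0.0.0:* users:(("ncat",pid=5002,fd=3))
LISTEN 0 511 127.0.0.1:6465 0.0.0.0:* users:(("Discord",pid=4242,fd=87))
LISTEN 0 128 127.0.0.1:6466 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 [::]:22        [::]:*    users:(("sshd",pid=900,fd=4))
EOF
}

# Demo on the constructed sample. On a live system, run as root instead:
#   ss -Hltnp | rpc_port_report
sample_ss | rpc_port_report
```

Any line showing Discord as owner, or "free", means the range was not fully occupied when the check ran.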

well, it looks like if you opted into their “rich presence” system (which you seem to do at the first start of the app), things are actually being sent by the games (or by your central gaming account, i.e. steam or playstation accounts), i’d expect this to just happen generally over the already established network connection to the discord server …

https://discord.com/developers/docs/rich-presence/how-to