authorJeff Huffman <tejing@tejing.com>2023-12-09 00:29:32 -0500
committerJonathan Ringer <jonringer@users.noreply.github.com>2023-12-13 23:33:05 -0800
commit195248b6c101f3d58002d5c7e15be38231780786 (patch)
tree51fdbf4c680d5e01e5076d7fa6280a000d746146 /pkgs
parent452b8162ecc995793d906cde424b652fa3dd1314 (diff)
buildFHSEnv, steam: isolate steam's /tmp from host
Works around steam's misbehavior: https://github.com/ValveSoftware/steam-for-linux/issues/9121
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/build-fhsenv-bubblewrap/default.nix10
-rw-r--r--pkgs/games/steam/fhsenv.nix17
2 files changed, 21 insertions, 6 deletions
diff --git a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
index ba28c68c3de3d..b6b5f13bba978 100644
--- a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
@@ -16,6 +16,7 @@
 , extraInstallCommands ? ""
 , meta ? {}
 , passthru ? {}
+, extraPreBwrapCmds ? ""
 , extraBwrapArgs ? []
 , unshareUser ? false
 , unshareIpc ? false
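Review bot: The new `extraPreBwrapCmds` parameter carries no comment saying where its contents execute, and that matters here: in the bwrapCmd hunk (new line 118) the string is interpolated verbatim into the launcher's shell text ahead of the argument collection for bwrap, so it presumably runs on the host as the invoking user, before any namespace this file sets up exists. That is a trust boundary a caller should see at the declaration, e.g. `, extraPreBwrapCmds ? "" # shell text run on the host before bwrap starts, outside the sandbox`. `privateTmp` in the next hunk is likewise undocumented; `# mount a fresh tmpfs on /tmp instead of exposing the host's` would do. The attribute set these lines belong to starts before the hunk.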
@@ -23,6 +24,7 @@
 , unshareNet ? false
 , unshareUts ? false
 , unshareCgroup ? false
+, privateTmp ? false
 , dieWithParent ? true
 , ...
 } @ args:
@@ -38,8 +40,8 @@ let
   buildFHSEnv = callPackage ./buildFHSEnv.nix { };
 
   fhsenv = buildFHSEnv (removeAttrs (args // { inherit name; }) [
-    "runScript" "extraInstallCommands" "meta" "passthru" "extraBwrapArgs" "dieWithParent"
-    "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
+    "runScript" "extraInstallCommands" "meta" "passthru" "extraPreBwrapCmds" "extraBwrapArgs" "dieWithParent"
+    "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc" "privateTmp"
     "pname" "version"
   ]);
 
@@ -116,7 +118,8 @@ let
 
   indentLines = str: lib.concatLines (map (s: "  " + s) (filter (s: s != "") (lib.splitString "\n" str)));
   bwrapCmd = { initArgs ? "" }: ''
-    ignored=(/nix /dev /proc /etc)
+    ${extraPreBwrapCmds}
+    ignored=(/nix /dev /proc /etc ${lib.optionalString privateTmp "/tmp"})
     ro_mounts=()
     symlinks=()
     etc_ignored=()
@@ -191,6 +194,7 @@ let
       ${lib.optionalString dieWithParent "--die-with-parent"}
       --ro-bind /nix /nix
       --ro-bind /etc /.host-etc
+      ${lib.optionalString privateTmp "--tmpfs /tmp"}
       # Our glibc will look for the cache in its own path in `/nix/store`.
       # As such, we need a cache to exist there, because pressure-vessel
       # depends on the existence of an ld cache. However, adding one
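Review bot: `--tmpfs /tmp` is position-sensitive and nothing records that: bwrap applies mount options in argument order, so a later bind below /tmp (the steam change in this same commit passes `--bind-try /tmp/dumps /tmp/dumps` through extraBwrapArgs) lands on top of the tmpfs only if it is emitted after this line, and an earlier one would be shadowed. Where extraBwrapArgs is spliced into this list is outside the hunk, so I cannot confirm the order here. I'd state the constraint inline: `# keep before any bind mounts under /tmp (e.g. extraBwrapArgs): bwrap applies mounts in argument order`. The bwrap argument list continues past the end of the hunk.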
diff --git a/pkgs/games/steam/fhsenv.nix b/pkgs/games/steam/fhsenv.nix
index 8ba5087ef7fe7..0e4b5f3a8b29d 100644
--- a/pkgs/games/steam/fhsenv.nix
+++ b/pkgs/games/steam/fhsenv.nix
@@ -3,11 +3,12 @@
 , extraPkgs ? pkgs: [ ] # extra packages to add to targetPkgs
 , extraLibraries ? pkgs: [ ] # extra packages to add to multiPkgs
 , extraProfile ? "" # string to append to profile
-, extraBwrapArgs ? [ ] # extra arguments to pass to bubblewrap
+, extraPreBwrapCmds ? "" # extra commands to run before calling bubblewrap (real default is at usage site)
+, extraBwrapArgs ? [ ] # extra arguments to pass to bubblewrap (real default is at usage site)
 , extraArgs ? "" # arguments to always pass to steam
 , extraEnv ? { } # Environment variables to pass to Steam
 , withGameSpecificLibraries ? true # include game specific libraries
-}:
+}@args:
 
 let
   commonTargetPkgs = pkgs: with pkgs; [
@@ -279,7 +280,17 @@ in buildFHSEnv rec {
     exec steam ${extraArgs} "$@"
   '';
 
-  inherit extraBwrapArgs;
+  # steamwebhelper deletes unrelated electron programs' singleton cookies from /tmp on startup:
+  # https://github.com/ValveSoftware/steam-for-linux/issues/9121
+  privateTmp = true;
+
+  extraPreBwrapCmds = ''
+    install -m 1777 -d /tmp/dumps
+  '' + args.extraPreBwrapCmds or "";
+
+  extraBwrapArgs = [
+    "--bind-try /tmp/dumps /tmp/dumps"
+  ] ++ args.extraBwrapArgs or [];
 
   meta =
     if steam != null
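Review bot: `install -m 1777 -d /tmp/dumps` runs on the host before bubblewrap starts, in the host's shared /tmp, and the following `--bind-try` then re-exposes that directory inside the otherwise private tmpfs — so the isolation this commit adds has one deliberate, world-writable hole that the comment above `privateTmp` does not mention. Since host /tmp is shared between local users, `install -d` will reuse whatever already exists at that path rather than guarantee a directory this user created, which is worth stating next to the bind: `# /tmp/dumps stays shared with the host so crash dumps survive; it is 1777 and a pre-existing entry at that path is reused as-is`. Whether the bind actually lands on top of the tmpfs depends on buildFHSEnv emitting extraBwrapArgs after `--tmpfs /tmp`, which is not visible in this hunk. The single-string `"--bind-try /tmp/dumps /tmp/dumps"` entry also assumes extraBwrapArgs is interpolated as unquoted shell text so the three words split into separate bwrap arguments; if elements are ever quoted individually it would arrive as one argument.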