Log In  

If you are on linux you can use firejail to launch PICO-8 sandboxed. That way PICO-8 cannot access all your files, only those in its directory and its configuration directory.

I assume that you have the PICO-8 binaries in ~/pico-8 and that you are using the default config directory ~/.lexaloffle

I also assume that you are saving screenshots in the ~/pico-8 directory and not on your Desktop. To do that you need to edit the "desktop_path" line in your ~/.lexaloffle/pico-8/config.txt to be like this:

desktop_path /home/username/pico-8/screenshots/

Replace "username" with your actual Linux username for the rest of this post.

Now, install firejail from your repositories (sudo apt install firejail) or download a newer version from their website (up to you)

Create a file called pico8.profile in ~/.config/firejail

Put the following in this file:

include default.local

include globals.local

noblacklist ${HOME}/.lexaloffle
noblacklist ${HOME}/pico-8

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc

whitelist ${HOME}/.lexaloffle
whitelist ${HOME}/pico-8

include whitelist-common.inc
include whitelist-var-common.inc

apparmor
caps.keep sys_chroot,sys_admin
netfilter
nodbus
nodvd
nogroups
notv
?BROWSER_DISABLE_U2F: nou2f
shell none

disable-mnt
private-dev
private-tmp

#noexec ${HOME}
noexec /tmp

Then you can lunch pico like this from its directory:

firejail pico8

Or, assuming you use MATE, you can create a file in /home/username/.local/share/applications/ with any filename (as long as the extension is ".desktop" I suppose) and these contents:

#!/usr/bin/env xdg-open

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Icon=/home/username/pico-8/lexaloffle-pico8.png
Icon[en_US]=/home/username/pico-8/lexaloffle-pico8.png
Name[en_US]=PICO-8
Exec=firejail /home/username/pico-8/pico8
Name=PICO-8

and now you will have a menu shortcut to start

The desktop file may work with other desktop environments. If not you can always use the menu editor that comes with your distro. The important part is making sure that you are executing firejail with the full path to pico8 as an argument.

To verify that you are running pico8 in the proper sandbox you can open a console and try to start it up by running

firejail /home/username/pico-8/pico8

You should see something like:

Reading profile /home/username/.config/firejail/pico8.profile

I will try to make the sandbox even tighter in the future.

P#65219 2019-06-15 11:53 ( Edited 2019-06-15 11:53)


[Please log in to post a comment]

Follow Lexaloffle:          
Generated 2024-03-19 07:56:51 | 0.005s | Q:5