On Linux, the itch app uses firejail
to sandbox applications. It's similar to macOS's
a simple policy file, based on seccomp-bpf, will work on any Linux kernel >3.x,
doesn't rely on SELinux/AppArmor
Instead of running as a different user, firejail intercepts syscalls and even has advanced functionality like exposing a virtual filesystem so that changes can be recorded and later committed or discarded (this way, the sandboxed application won't fail, the worst case scenario is: some things won't persist across app restarts).
Due to the way firejail works, its binary needs to be SUID root - which means that, when executed by any user, it'll be as if it was run by root. Sandboxed applications however do NOT have root privilege.
To make the firejail binary SUID, the following commands have to be run:
sudo chown root:root ~/.config/itch/bin/firejail sudo chmod u+s ~/.config/itch/bin/firejail
These commands have to be run as root, and that's why the itch app warns you that
a password prompt (powered by
pkexec) is coming. If you want to do
those operations by hand, simply dismiss the prompt, and chown/chmod
the binary yourself. You can find it in
You can verify that the one-time setup went well by running:
~/.config/itch/bin/firejail whoami && echo "All good!"
...and checking that the output include "All good!". An incorrectly setup firejail will result in the following output:
$ ~/.config/itch/bin/firejail whoami Warning: cannot switch euid to root Warning: cannot switch euid to root Warning: cannot switch euid to root Error: the sandbox is not setuid root
If your game is broken by the itch.io sandbox on Linux, we recommend taking
a look at the app's output when launching a game. Simply exit the itch app,
and start it again from a terminal, using the
firejail should print a message whenever a permission is denied, which should help you pinpoint what it is that your game is doing that isn't allowed by the sandbox.
Here's the policy template the itch app uses:
The default sandbox policy should be more than enough to get most games running, but if you run into an issue that you need help resolving, feel free to open an issue on our Issue Tracker
Frequently Asked Questions
Why use firejail and not SELinux/AppArmor/run as another user/etc. ?
All other solutions have one of the following defects:
Are not shipped with all our target Linux distributions
- (Fedora, Ubuntu, Debian, ArchLinux, Gentoo)
Lack features compared to firejail
- Require superuser rights to launch a sandboxed application
- Are hard to configure (and thus easy to mess up)
- Lack support for things like:
GNU/Linux users love to argue and we love you for that, but trust us on this one, we've done the research. Maybe someday a better solution than firejail will come and we'll consider switching then!