It's a good idea to sandbox steam.
Many online games offer no protection for their multiplayer traffic and content, meaning a server can easily inject malicious assets into a client. Most games also use unencrypted and unauthenticated connections between client and server, since encryption would add latency, but this leaves the connection open to malicious injection by a man-in-the-middle. Without encryption, the software itself is entirely responsible for resisting attack (how many game developers have time to worry about that?).
Some games also run their own installers, which fail to authenticate what they download and install.
For Windows users, Steam has resisted allowing itself to be installed or run in popular sandboxing solutions like Sandboxie, limiting Windows users to creating a separate user account in order to properly isolate Steam from more essential software and files.
GNU/Linux users are in luck, however, since solutions like Firejail are easy to apply with little overhead and are available in the repositories of most distributions. This allows Steam to run in an environment that restricts its ability to read and write existing files used by other software or the OS kernel, as well as its ability to execute code outside of its sandbox.
Keep that proprietary crap out of my $HOME!
Firejail has a preinstalled steam.profile found in /etc/firejail/ which applies some restrictions to the Steam client and the software it runs. It should be made more restrictive by giving Steam a private $HOME directory. I will show you how to install Firejail and apply it with this modification.
It should be noted that a private Home directory will mean that currently installed games will have to be moved into that directory in order for steam to find them. This ultimately keeps all of steam and its related software and files together in one folder making system management and hygiene easier.
I am also assuming you know how to install steam or have it already installed, and that you know how to open a terminal and traverse directories comfortably.
There is also an older blog post on how to do this by Joris van Rantwijk, but it appears out of date and includes unnecessary steps such as extracting steam.deb then running ./steam inside the private directory under firejail. You do not need to do this, as you can download the steam installer normally from your repository, and steam will install itself inside a sandbox if you have the profile applied. If you run steam and allow it to update and configure itself before applying the modified firejail profile you will only be creating unneeded files in your actual Home directory.
You can apply these steps in nearly any distro, but I am running in Debian.
Let's begin by installing firejail:
sudo apt install firejail
Let's read a little about firejail. Please read the whole summary in the man page if firejail is new to you.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
The firecfg command is also now available as part of firejail. When it is run, it will apply firejail rules to all compatible software firejail has profiles for.
... run 'sudo firecfg' after installing Firejail software. The same command should also be run after installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin will be created. For a full list of programs supported by default run 'cat /usr/lib/firejail/firecfg.config'.
If you do not want some piece of software to run under firejail, you can either change the name of its profile in "/etc/firejail/$SOFTWARE.profile" or comment the software out in "/usr/lib/firejail/firecfg.config". If you only want Steam to run under firejail, comment out or delete all other applications in firecfg.config (a # prevents firecfg from reading the remainder of that line).
You should take a look at the firejail profile that firecfg will apply to steam (and your other applications):
You will notice that there are optional settings commented out in this profile (the # stops firejail from reading the line). You can play with these later, but for now we will focus on the private home directory.
Let's first run firecfg and apply firejail system wide:
Firejail will now be applied to steam and all other software. Firecfg will list what profiles were applied when the command is run.
If firecfg fails to find a program you know has a .profile available, you can employ a number of simple hacks to get the software to run under firejail, such as creating desktop launchers that include "firejail $arbitraryProgram", or adding your own symbolic links.
To make it impossible for Steam and your games to see your Home directory and its contents, you will want to designate an arbitrary folder as Steam's Home directory in firejail.
You can name it what you like, but I will call it steamJail from now on. You may put this directory wherever you like, and Steam or any games installed by and running out of Steam will be placed here without the ability to traverse upwards out of this folder, making your personal files safer.
The following command will create a directory/folder in the working/current directory. Make sure to run this where you want the steamJail folder to exist:
Let's do a test run of Steam with "firejail --private=/parentDirectories/steamJail steam". Remember that "/parentDirectories/" is a placeholder for wherever your steamJail directory is. You can use the "pwd" command from within steamJail to find the full path for this command.
It should begin updating itself in that new Home directory; Steam generates and populates a hidden .steam directory inside it. If you have run Steam before, you should already have one in your original home directory (you can move that original .steam directory into your private ./steamJail so Steam will not have to do everything over again). As far as the Steam executable knows, your user account has never run Steam before, since it finds no evidence of an earlier configuration.
firejail --private=/parentDirectories/steamJail steam
Note that you can technically have two separate applications share a single private directory if you'd like.
You can check if a program is running in firejail with:
You can also use the separate firejail-tools to get a GUI that visualizes what is going on in your sandboxes. This can be useful if you want reassurance that your Steam games are running in the same sandbox as Steam.
Go ahead and test the private Home directory setting by right-clicking on a game you have installed and looking at its local files (Steam throws an error about not finding it, before finding it). Or, you can go into Settings -> Downloads -> STEAM LIBRARY FOLDERS -> Add Library Folder and take a look at what Steam can see.
Be aware that steam.profile mounts folders such as /dev/ and /etc/ as read-only so Steam can run properly without risking root file system writes. You may set these as private as well by editing steam.profile and removing the # in front of the respective command, but this could cause errors with some of the games you are trying to play.
If you want Steam to run within this directory permanently, which is likely the case if you are reading this tutorial, you will have to edit steam.profile and make this setting part of its profile.
You can use whatever command line editor you want, but I'll run nano for those who have less experience.
sudo nano /etc/firejail/steam.profile
Below the following line in steam.profile:
Add a modified version of your previous firejail command (recall that "/parentDirectories/" is a placeholder in this example):
From now on, Steam will run within this private folder with its processes contained by firejail. You can see into this directory from the outside as normal, but Steam is limited in its ability to see beyond it.
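The steps above (create the jail directory, test-launch with --private, then make the setting permanent in steam.profile) collected into a small shell script. This is an added example, not code from the original post or from the Firejail project; it assumes Firejail's profile directive is "private <absolute-dir>" (the profile-file form of the --private= option) and that the profile lives at /etc/firejail/steam.profile. The parent directory is a placeholder you supply. Run it as root only for the final step, since the profile is system-wide.

```shell
#!/bin/sh
# Added example: helpers for giving Steam a private $HOME under Firejail.
# Assumes the profile directive "private <dir>" and /etc/firejail/steam.profile.

# Create <parent>/<name> (default name: steamJail) and print its absolute path.
# Firejail's "private" directive needs an absolute path, so relative parents
# are rejected rather than silently producing a broken profile.
ensure_jail_dir() {
    parent="$1"; name="${2:-steamJail}"
    case "$parent" in
        /*) ;;
        *) echo "parent must be an absolute path: $parent" >&2; return 1 ;;
    esac
    mkdir -p "$parent/$name" || return 1
    echo "$parent/$name"
}

# Print the one-off test command from the post for the given jail directory.
firejail_cmd() {
    printf 'firejail --private=%s steam\n' "$1"
}

# Append "private <dir>" to a profile exactly once. Refuses to add a second,
# conflicting private directive, since only one private home makes sense.
add_private_home() {
    profile="$1"; dir="$2"
    if grep -qxF "private $dir" "$profile" 2>/dev/null; then
        echo "already present"
        return 0
    fi
    if grep -q '^private ' "$profile" 2>/dev/null; then
        echo "another private directive already set in $profile" >&2
        return 1
    fi
    printf 'private %s\n' "$dir" >> "$profile"
    echo "added"
}

# Sanity check: the jail must not be the real home itself, or the
# restriction is pointless. Returns 0 when the jail is acceptable.
jail_is_not_home() {
    [ "$1" != "$HOME" ] && [ "$1" != "$HOME/" ]
}

# After launching Steam, confirm a sandbox is actually running (needs firejail).
steam_sandboxed() {
    firejail --list 2>/dev/null | grep -q steam
}

# Usage (placeholder path; the profile edit needs root):
#   jail=$(ensure_jail_dir /parentDirectories)
#   jail_is_not_home "$jail" || exit 1
#   eval "$(firejail_cmd "$jail")"            # one-off test run
#   sudo sh -c ". $0; add_private_home /etc/firejail/steam.profile $jail"
```

The idempotent add_private_home is what matters for the permanent step: rerunning the script, or running it after a package upgrade replaces steam.profile, will not stack duplicate or conflicting private directives.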
If you already have games installed outside this directory, you can scavenge the files together and move them yourself. Or you can simply delete them for a reinstall and hope Steam Cloud is holding on to your save files.
You may also delete all remnants of Steam from your actual Home directory; this includes hidden files such as /home/user/.steam or anything a game may have added. You should also consider applying this sandboxing method to other software, like your browser or email client.