log networking status when running in sandbox

Author: leafo

README.md

@@ -36,7 +36,7 @@ Sandbox backends:
 
 1. **Flatpak-spawn** — uses `flatpak-spawn --sandbox` to create a sub-sandbox within the Flatpak container. Supports environment variable forwarding (`--env`), working directory (`--directory`), and optional network isolation via `SandboxConfig.NoNetwork` (`--no-network`). The `--watch-bus` flag ties the sandboxed process lifetime to the caller's session bus.
 
-2. **Bubblewrap** — uses [bubblewrap](https://github.com/containers/bubblewrap) to create a lightweight user-namespace sandbox. Mounts system directories read-only, bind-mounts the game's install folder read-write, and forwards display/audio sockets (X11, Wayland, PulseAudio, PipeWire). Namespace isolation covers user, PID, and UTS; IPC stays shared for X11 MIT-SHM compatibility. Network access is shared by default, with optional isolation via `SandboxConfig.NoNetwork`.
+2. **Bubblewrap** — uses [bubblewrap](https://github.com/containers/bubblewrap) to create a lightweight user-namespace sandbox. Mounts system directories read-only, bind-mounts the game's install folder read-write, and forwards display/audio sockets (X11, Wayland, PulseAudio, PipeWire). The in-sandbox `HOME` path is backed by a per-game persistent directory at `{InstallFolder}/.itch/home`, so game saves written under home survive across launches. Namespace isolation covers user, PID, and UTS; IPC stays shared for X11 MIT-SHM compatibility. Network access is shared by default, with optional isolation via `SandboxConfig.NoNetwork`.
 
 3. **Firejail** — uses [firejail](https://firejail.wordpress.com/) with a generated profile at `{InstallFolder}/.itch/isolate-app.profile` that blacklists sensitive directories and whitelists the game's install folder and temp directory. Environment forwarding follows the same allowlist baseline as bubblewrap (including itch launch vars and temp vars), supports additional passthrough via `SandboxConfig.AllowEnv`, and network access can be disabled with `SandboxConfig.NoNetwork`. Per-game local overrides can be placed in `/etc/firejail/` (e.g. `itch_game_{name}.local`), and a global override file `itch_games_globals.local` is also included if present.
 

runner/bubblewrap_linux.go

@@ -38,7 +38,11 @@ func (br *bubblewrapRunner) Run() error {
 	consumer := params.Consumer
 
 	bwrapPath := params.BubblewrapParams.BinaryPath
-	consumer.Opf("Running (%s) through bubblewrap", params.FullTargetPath)
+	msg := fmt.Sprintf("Running (%s) through bubblewrap", params.FullTargetPath)
+	if params.SandboxConfig.NoNetwork {
+		msg += " (networking disabled)"
+	}
+	consumer.Opf("%s", msg)
 
 	var args []string
 

runner/firejail_linux.go

@@ -64,7 +64,11 @@ func (fr *firejailRunner) Run() error {
 		return fmt.Errorf("%w", err)
 	}
 
-	consumer.Opf("Running (%s) through firejail", params.FullTargetPath)
+	msg := fmt.Sprintf("Running (%s) through firejail", params.FullTargetPath)
+	if params.SandboxConfig.NoNetwork {
+		msg += " (networking disabled)"
+	}
+	consumer.Opf("%s", msg)
 
 	var args []string
 	args = append(args, fmt.Sprintf("--profile=%s", sandboxProfilePath))

runner/flatpakspawn_linux.go

@@ -42,7 +42,11 @@ func (fr *flatpakSpawnRunner) Run() error {
 	params := fr.params
 	consumer := params.Consumer
 
-	consumer.Opf("Running (%s) through flatpak-spawn --sandbox", params.FullTargetPath)
+	msg := fmt.Sprintf("Running (%s) through flatpak-spawn --sandbox", params.FullTargetPath)
+	if params.SandboxConfig.NoNetwork {
+		msg += " (networking disabled)"
+	}
+	consumer.Opf("%s", msg)
 
 	var args []string
 	args = append(args, "--sandbox")