diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded new file mode 100644 index 00000000..64b0e8f8 --- /dev/null +++ b/apparmor.d/profiles-g-l/gamemoded @@ -0,0 +1,81 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gamemoded +profile gamemoded @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{bin}/pkexec Cx -> pkexec, + @{lib}/gamemode/gpuclockctl Cx -> pkexec, + + /etc/gamemode.ini r, + + owner @{user_config_dirs}/ r, + + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/@{pci}/power_dpm_force_performance_level r, + @{sys}/devices/system/cpu/{,**} r, + @{sys}/devices/virtual/powercap/{,**} r, + + @{PROC}/sys/kernel/split_lock_mitigate r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/task/ r, + + profile pkexec { + include + include + include + + capability audit_write, + capability mknod, + capability setgid, + capability sys_ptrace, + + ptrace read peer=gamemoded, + + network netlink raw, + + @{bin}/pkexec mr, + + @{lib}/gamemode/{,**} r, + @{lib}/gamemode/cpugovctl ix, + @{lib}/gamemode/gpuclockctl ix, + @{lib}/gamemode/procsysctl ix, + + /etc/security/limits.d/ r, + /etc/security/limits.d/@{int}-gamemode.conf r, + /etc/shells r, + + @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/cpu@{int}/cpufreq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/split_lock_mitigate rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor