diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game
index 9c1df7d5..c6a7aff7 100644
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@@ -16,7 +16,6 @@
 @{bin}/env r,
- @{app_dirs}/ r,
 @{lib_dirs}/ r,
 @{lib}/ r,
 / r,
@@ -42,6 +41,9 @@
 owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
 owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+ owner @{app_dirs}/ r,
+ owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"
+
 owner @{share_dirs}/ r,
 owner @{share_dirs}/* r,
 owner @{share_dirs}/appcache/** rk,
@@ -51,8 +53,7 @@
 owner @{share_dirs}/logs/* rwk,
 owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
 owner @{share_dirs}/steamapps/ r,
- owner @{share_dirs}/steamapps/common/ r,
- owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
+ owner @{share_dirs}/steamapps/appmanifest_* rw,
 owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
 @{tmp}/ r,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 8de447bf..ecd8d743 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -45,8 +45,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 capability sys_ptrace,
 network inet dgram,
- network inet6 dgram,
 network inet stream,
+ network inet6 dgram,
 network inet6 stream,
 network netlink raw,
 network unix,
@@ -65,6 +65,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sh_path} rix,
 @{coreutils_path} rix,
+ @{open_path} rPx -> child-open,
 @{bin}/getopt rix,
 @{bin}/journalctl rPx -> systemctl,
 @{bin}/ldconfig rix,
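Review bot: `owner @{app_dirs}/[^S]*/** rwlk` in the `@@ -42,6 +41,9 @@` hunk excludes every top-level directory whose name begins with an uppercase S, not only the runtime, so any game whose install directory starts with "S" gets no write access from this abstraction while the trailing comment claims the carve-out is limited to SteamLinuxRuntime_sniper. AppArmor globs cannot negate a whole name, so either spell the exclusion out with an alternation (e.g. `{[^S]*,S[^t]*,St[^e]*,...}`) or keep the rule and document its real effect: `# [^S]* excludes @{runtime} but also any game directory starting with "S"`. If the wider exclusion is the accepted trade-off, saying so in the comment keeps the next denial report from being filed as a bug.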
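Review bot: `owner @{share_dirs}/steamapps/appmanifest_* rw` in the `@@ -51,8 +53,7 @@` hunk lets every profile that includes this abstraction write the manifests of all installed apps, not only the one being played, so a compromised game could edit another title's install metadata and influence what the Steam client launches or updates next. The rules it replaces were limited to the game trees under `steamapps/common`; if the accesses observed from games are reads, `r` is sufficient here, and if a write really is required a comment naming the process that performs it would make the grant reviewable. This abstraction is pulled in by the game profiles, so its effective scope is wider than it looks in this file.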
@@ -72,37 +73,46 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/lsof rix,
 @{bin}/lspci rCx -> lspci,
+ @{bin}/tar rix,
 @{bin}/which{,.debianutils} rix,
 @{bin}/xdg-icon-resource rPx,
 @{bin}/xdg-user-dir rix,
+ @{bin}/xz rix,
+ @{bin}/zenity rix,
 @{lib}/@{multiarch}/ld-*.so* rix,
 @{lib}/ld-linux.so* rix,
- @{open_path} rPx -> child-open,
- @{lib_dirs}/** mr,
- @{lib_dirs}/*driverquery rix,
- @{lib_dirs}/fossilize_replay rpx,
- @{lib_dirs}/gameoverlayui rpx,
- @{lib_dirs}/reaper rpx, # steam-runtime
- @{lib_dirs}/steam* rix,
+ @{lib_dirs}/** mr,
+ @{lib_dirs}/*driverquery rix,
+ @{lib_dirs}/fossilize_replay rpx,
+ @{lib_dirs}/gameoverlayui rpx,
+ @{lib_dirs}/reaper rpx, # steam-runtime
+ @{lib_dirs}/steam* rix,
 @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
 @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
- @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
- @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
- @{runtime_dirs}/*entry-point rix,
- @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
- @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
- @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
- @{runtime_dirs}/run{,.sh} rix,
- @{runtime_dirs}/setup.sh rix,
+ @{runtime_dirs}/*entry-point rix,
+ @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui} rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix,
+ @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
+ @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
+ @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
+ @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
+ @{runtime_dirs}/run{,.sh} rix,
+ @{runtime_dirs}/setup.sh rix,
 @{lib}/os-release rk,
@@ -111,16 +121,22 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /etc/lsb-release r,
 /etc/machine-id r,
 /etc/timezone r,
+ /var/lib/dbus/machine-id r,
+ / r,
+ @{bin}/ r,
 @{lib}/ r,
- / r,
+ /etc/ r,
+ /home/ r,
+ /usr/ r,
 /usr/local/ r,
 /usr/local/lib/ r,
+ /var/ r,
 /var/tmp/ r,
@@ -131,7 +147,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{HOME}/.steampid rw,
 owner @{share_dirs}/ rw,
- owner @{share_dirs}/** rwkl -> @{share_dirs}/**,
+ owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
 owner @{user_games_dirs}/ rw,
 owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
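Review bot: `@{bin}/tar rix`, `@{bin}/xz rix` and `@{bin}/zenity rix` in the `@@ -72,37 +73,46 @@` hunk run those programs inside the steam profile, which (per the `@@ -45,8 +45,8 @@` and `@@ -131,7 +147,7 @@` hunks) carries `capability sys_ptrace` and `owner @{share_dirs}/** rwlk -> @{share_dirs}/**`; for an archive extractor that is acceptable only because the profile already bounds its writes, and a one-line comment such as `# tar/xz: archive extraction, inherits this profile` would record that. zenity is a full GTK dialog program, so if the repository already ships a profile for it `rPx` would be tighter; otherwise a `# no dedicated zenity profile` note next to the rule avoids re-raising this. Most of the rest of this hunk is re-indentation of unchanged rules, which would be easier to audit as a separate whitespace-only commit.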
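Review bot: `/home/ r` and `/var/ r` in the `@@ -111,16 +121,22 @@` hunk are new directory-listing grants with no comment saying which code path needs them; `/home/ r` in particular lets the client enumerate every account's home directory name, harmless on its own but the kind of rule that tends to survive unexplained. If these come from Steam probing for library folders, a comment on the new lines such as `# directory listing only, needed for library-folder discovery` would justify them; if the audit entries show a single path, a narrower rule may do. `/var/lib/dbus/machine-id r` is fine alongside the existing `/etc/machine-id r`, but the same remark applies.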
@@ -141,7 +157,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_config_dirs}/autostart/ r,
 owner @{user_config_dirs}/cef_user_data/{,**} r,
 owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
- owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm,
+ owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw,
 owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
 owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@@ -150,17 +166,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
 @{tmp}/ r,
+ owner @{tmp}/#@{int} rw,
 owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
 owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
- owner @{tmp}/#@{int} rw,
 owner @{tmp}/dumps/ rw,
 owner @{tmp}/dumps/** rwk,
 owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
 owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
 owner @{tmp}/runtime-info.txt.@{rand6} rwk,
- owner @{tmp}/steam@{rand6}/{,**} rw,
 owner @{tmp}/steam/ rw,
 owner @{tmp}/steam/** rwk,
+ owner @{tmp}/steam@{rand6}/{,**} rw,
 owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
 owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@@ -174,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/n@{int} r,
 @{sys}/ r,
@@ -185,15 +201,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/class/net/ r,
 @{sys}/class/power_supply/ r,
 @{sys}/devices/ r,
- @{sys}/devices/@{pci}/boot_vga r,
- @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
- @{sys}/devices/**/input@{int}/ r,
- @{sys}/devices/**/input@{int}/capabilities/* r,
 @{sys}/devices/**/input/input@{int}/ r,
 @{sys}/devices/**/input/input@{int}/properties r,
+ @{sys}/devices/**/input@{int}/ r,
+ @{sys}/devices/**/input@{int}/capabilities/* r,
 @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
 @{sys}/devices/**/report_descriptor r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
 @{sys}/devices/system/ r,
 @{sys}/devices/system/cpu/cpu@{int}/ r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
@@ -209,7 +225,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/@{pid}/fdinfo/@{int} r,
 @{PROC}/@{pid}/net/* r,
 @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/stat r,
 @{PROC}/1/cgroup r,
 @{PROC}/locks r,
 @{PROC}/sys/kernel/sched_autogroup_enabled r,
@@ -242,13 +257,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 capability dac_read_search,
 capability sys_chroot,
 network inet dgram,
- network inet6 dgram,
 network inet stream,
+ network inet6 dgram,
 network inet6 stream,
 network netlink raw,
@@ -258,19 +274,19 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 unix receive type=stream,
- @{bin}/ldconfig rix,
 @{bin}/getopt rix,
 @{bin}/gzip rix,
- @{bin}/true rix,
+ @{bin}/ldconfig rix,
 @{bin}/localedef rix,
 @{bin}/readlink rix,
+ @{bin}/true rix,
- @{lib_dirs}/** mr,
- @{lib_dirs}/steamwebhelper rix,
- @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
+ @{lib_dirs}/** mr,
+ @{lib_dirs}/steamwebhelper rix,
+ @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
- @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
- @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
+ @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
+ @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
 @{lib}/pressure-vessel/from-host/** rix,
 @{run}/host/@{bin}/* rix,
@@ -295,23 +311,23 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{HOME}/.pki/ rw,
 owner @{HOME}/.pki/nssdb/ rw,
- owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+ owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
 owner @{lib_dirs}/.cef-* wk,
 owner @{share_dirs}/{,**} r,
+ owner @{share_dirs}/clientui/** k,
 owner @{share_dirs}/config/** rwk,
 owner @{share_dirs}/logs/** rwk,
- owner @{share_dirs}/clientui/** k,
 owner @{share_dirs}/public/** k,
 @{tmp}/ r,
 owner @{tmp}/#@{int} rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
 owner @{tmp}/dumps/ rw,
 owner @{tmp}/dumps/** rwk,
- owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
 owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
 owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
 owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
@@ -327,7 +343,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{run}/pressure-vessel/** r,
- @{run}/udev/data/c13:@{int} r, # for /dev/input/*
+ @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{sys}/bus/ r,
 @{sys}/bus/*/devices/ r,
@@ -366,9 +382,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/true rix,
- @{lib_dirs}/** mr,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr,
- @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix,
+ @{lib_dirs}/** mr,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr,
+ @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix,
 / r,
diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime
index 5d6d0f35..a8ff7874 100644
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@@ -26,7 +26,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{sh_path} r,
+ @{sh_path} rix,
 @{bin}/getopt rix,
 @{bin}/readlink rix,
@@ -34,7 +34,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 @{lib_dirs}/steam-launch-wrapper rix,
 # Native linux games (steam-game-native)
- @{app_dirs}/[^S]*/** rpx -> steam-game-native,
+ @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**
 # Proton games, sandboxed (steam-game-proton)
 @{app_dirs}/@{runtime}/*entry-point rmix,
@@ -54,7 +54,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.steam/steam.pipe r,
 owner @{app_dirs}/*/ r,
- owner @{app_dirs}/config/config.vdf rw,
+ owner @{app_dirs}/config/config.vdf{,.*} rw,
 owner @{app_dirs}/@{runtime}/** r,
 owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
 owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
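Review bot: The new trailing comment `# Only for @{app_dirs}/@{runtime}/**` in the `@@ -34,7 +34,7 @@` hunk sits on the `[^S]*` rule that keeps the runtime out of the `steam-game-native` transition, so it reads as the opposite of what the rule does; `# [^S]* keeps @{app_dirs}/@{runtime}/** out of this transition (the runtime entry point is handled by the rmix rule below)` states the intent unambiguously. The glob also keeps every game directory beginning with an uppercase S out of the transition, and nothing visible in this hunk gives those binaries an exec rule, so launches of such games would presumably surface as exec denials rather than as sandboxed processes. If that is a known limitation it belongs in the comment as well.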
@@ -62,6 +62,9 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
 owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
+ owner @{share_dirs}/config/config.vdf{,.*} rw,
+ owner @{share_dirs}/steamapps/appmanifest_* rw,
+
 owner @{tmp}/ r,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
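Review bot: `owner @{share_dirs}/steamapps/appmanifest_* rw` and `owner @{share_dirs}/config/config.vdf{,.*} rw` let the runtime launcher rewrite the manifests of every installed app and the global client config, so a fault or compromise in anything running under this profile can change another app's install metadata rather than only its own. If the logged accesses are temp-file writes followed by a rename, `w` on the temp name (the `{,.*}` suffix form already used for `config.vdf`) plus `r` on the live file would keep the client's own copies out of reach; otherwise a comment naming the launcher step that needs the write would let a later reviewer check the grant. The `owner` qualifier bounds this to the user's own files but does nothing against a process already running as that user.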