feat(profile): ensure steam can update itself.

Alexandre Pujol 2024-06-23 11:16:23 +01:00
parent 228d3b653c
commit 2710fd3484
3 changed files with 73 additions and 53 deletions


@ -16,7 +16,6 @@
@{bin}/env r, @{bin}/env r,
@{app_dirs}/ r,
@{lib_dirs}/ r, @{lib_dirs}/ r,
@{lib}/ r, @{lib}/ r,
/ r, / r,
@ -42,6 +41,9 @@
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{app_dirs}/ r,
owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"
owner @{share_dirs}/ r, owner @{share_dirs}/ r,
owner @{share_dirs}/* r, owner @{share_dirs}/* r,
owner @{share_dirs}/appcache/** rk, owner @{share_dirs}/appcache/** rk,
@ -51,8 +53,7 @@
owner @{share_dirs}/logs/* rwk, owner @{share_dirs}/logs/* rwk,
owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
owner @{share_dirs}/steamapps/ r, owner @{share_dirs}/steamapps/ r,
owner @{share_dirs}/steamapps/common/ r, owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk, owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
@{tmp}/ r, @{tmp}/ r,
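Review bot: The `[^S]*` class in `owner @{app_dirs}/[^S]*/** rwlk,` (and again in `owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,`) excludes every directory whose name begins with a capital S, not only SteamLinuxRuntime_sniper, so any game or app folder starting with S is left without these rights while every other folder under the same parent gets rwlk. AppArmor globbing has no way to negate a whole name, so the class is a reasonable approximation, but the trailing comment should record the trade-off and the second rule should carry the same comment: `owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" (nor to any other dir starting with S)`. No `+`/`-` marker survives in this rendering, so which of these lines are added rather than removed is inferred from the commit title and diffstat, and the enclosing profile starts and ends outside the hunks.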


@ -45,8 +45,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
capability sys_ptrace, capability sys_ptrace,
network inet dgram, network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
network unix, network unix,
@ -65,6 +65,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@{open_path} rPx -> child-open,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/journalctl rPx -> systemctl, @{bin}/journalctl rPx -> systemctl,
@{bin}/ldconfig rix, @{bin}/ldconfig rix,
@ -72,12 +73,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsof rix, @{bin}/lsof rix,
@{bin}/lspci rCx -> lspci, @{bin}/lspci rCx -> lspci,
@{bin}/tar rix,
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
@{bin}/xdg-icon-resource rPx, @{bin}/xdg-icon-resource rPx,
@{bin}/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
@{bin}/xz rix,
@{bin}/zenity rix,
@{lib}/@{multiarch}/ld-*.so* rix, @{lib}/@{multiarch}/ld-*.so* rix,
@{lib}/ld-linux.so* rix, @{lib}/ld-linux.so* rix,
@{open_path} rPx -> child-open,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/*driverquery rix, @{lib_dirs}/*driverquery rix,
@ -90,14 +93,21 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{share_dirs}/linux{32,64}/steamerrorreporter rpx, @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
@{runtime_dirs}/*entry-point rix,
@{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui} rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/*entry-point rix,
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
@ -111,16 +121,22 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/etc/lsb-release r, /etc/lsb-release r,
/etc/machine-id r, /etc/machine-id r,
/etc/timezone r, /etc/timezone r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/ r,
@{bin}/ r, @{bin}/ r,
@{lib}/ r, @{lib}/ r,
/ r,
/etc/ r, /etc/ r,
/home/ r, /home/ r,
/usr/ r, /usr/ r,
/usr/local/ r, /usr/local/ r,
/usr/local/lib/ r, /usr/local/lib/ r,
/var/ r, /var/ r,
/var/tmp/ r, /var/tmp/ r,
@ -131,7 +147,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/.steampid rw, owner @{HOME}/.steampid rw,
owner @{share_dirs}/ rw, owner @{share_dirs}/ rw,
owner @{share_dirs}/** rwkl -> @{share_dirs}/**, owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
owner @{user_games_dirs}/ rw, owner @{user_games_dirs}/ rw,
owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**, owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
@ -141,7 +157,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/cef_user_data/{,**} r, owner @{user_config_dirs}/cef_user_data/{,**} r,
owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw, owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm, owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@ -150,17 +166,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
@{tmp}/ r, @{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk, owner @{tmp}/dumps/** rwk,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{tmp}/glx-icds-@{rand6}/{,**} rw, owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
owner @{tmp}/runtime-info.txt.@{rand6} rwk, owner @{tmp}/runtime-info.txt.@{rand6} rwk,
owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/steam/ rw, owner @{tmp}/steam/ rw,
owner @{tmp}/steam/** rwk, owner @{tmp}/steam/** rwk,
owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@ -185,15 +201,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/class/net/ r, @{sys}/class/net/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/devices/ r, @{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/input/input@{int}/properties r, @{sys}/devices/**/input/input@{int}/properties r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
@{sys}/devices/**/report_descriptor r, @{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@{sys}/devices/system/ r, @{sys}/devices/system/ r,
@{sys}/devices/system/cpu/cpu@{int}/ r, @{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@ -209,7 +225,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/net/* r, @{PROC}/@{pid}/net/* r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/stat r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/locks r, @{PROC}/locks r,
@{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/sched_autogroup_enabled r,
@ -242,13 +257,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/video>
capability dac_read_search, capability dac_read_search,
capability sys_chroot, capability sys_chroot,
network inet dgram, network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
@ -258,19 +274,19 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
unix receive type=stream, unix receive type=stream,
@{bin}/ldconfig rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/true rix, @{bin}/ldconfig rix,
@{bin}/localedef rix, @{bin}/localedef rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/true rix,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/steamwebhelper rix, @{lib_dirs}/steamwebhelper rix,
@{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
@{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
@{lib}/pressure-vessel/from-host/** rix, @{lib}/pressure-vessel/from-host/** rix,
@{run}/host/@{bin}/* rix, @{run}/host/@{bin}/* rix,
@ -295,23 +311,23 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/.pki/ rw, owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw, owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{lib_dirs}/.cef-* wk, owner @{lib_dirs}/.cef-* wk,
owner @{share_dirs}/{,**} r, owner @{share_dirs}/{,**} r,
owner @{share_dirs}/clientui/** k,
owner @{share_dirs}/config/** rwk, owner @{share_dirs}/config/** rwk,
owner @{share_dirs}/logs/** rwk, owner @{share_dirs}/logs/** rwk,
owner @{share_dirs}/clientui/** k,
owner @{share_dirs}/public/** k, owner @{share_dirs}/public/** k,
@{tmp}/ r, @{tmp}/ r,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk, owner @{tmp}/dumps/** rwk,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
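Review bot: `@{bin}/tar rix,` and `@{bin}/xz rix,` in the `@ -72,12 +73,14 @@` hunk run the archive tools inline, so the unpacking step inherits everything the steam profile may write, including `owner @{share_dirs}/** rwlk -> @{share_dirs}/**` further down in the section; that is what a self-update needs, but nothing on the lines says so. A trailing comment naming the update step that needs them would make the grant reviewable, e.g. `@{bin}/tar rix, # self-update: unpack client archive`, with the purpose confirmed against the updater since I infer it only from the commit title (no side marker survives in this rendering). `@{bin}/zenity rix,` likewise pulls a GTK dialog into the same profile; if it only shows an update prompt, a child profile would keep its library and theme accesses out of steam's rule set, though that is a judgement call. The enclosing profile starts and ends outside every hunk of this section.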


@ -26,7 +26,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r, @{sh_path} rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@ -34,7 +34,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
@{lib_dirs}/steam-launch-wrapper rix, @{lib_dirs}/steam-launch-wrapper rix,
# Native linux games (steam-game-native) # Native linux games (steam-game-native)
@{app_dirs}/[^S]*/** rpx -> steam-game-native, @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**
# Proton games, sandboxed (steam-game-proton) # Proton games, sandboxed (steam-game-proton)
@{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/*entry-point rmix,
@ -54,7 +54,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
owner @{app_dirs}/*/ r, owner @{app_dirs}/*/ r,
owner @{app_dirs}/config/config.vdf rw, owner @{app_dirs}/config/config.vdf{,.*} rw,
owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/** r,
owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
@ -62,6 +62,9 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
owner @{share_dirs}/config/config.vdf{,.*} rw,
owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{tmp}/ r, owner @{tmp}/ r,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
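Review bot: `@{sh_path} rix,` in the `@ -26,7 +26,7 @@` hunk widens steam-runtime from reading the shell to executing it inline, and because `ix` keeps the child under this profile, every shell script the wrapper runs now gets this profile's full rule set, including the `rw` on `config.vdf{,.*}` and `appmanifest_*` added later in the section. That matches the steam profile's own `@{sh_path} rix,`, but the line should say which script needs a shell, e.g. `@{sh_path} rix, # self-update helper scripts`, with the script name filled in by the author since I infer the purpose only from the commit title. Separately, the new comment `# Only for @{app_dirs}/@{runtime}/**` on the `[^S]*` rule reads as if the rule targets @{runtime}, while the class actually excludes names starting with S; if @{runtime} is the SteamLinuxRuntime directory as the `sniper_platform_*` rules suggest, `# [^S]* excludes @{app_dirs}/@{runtime}/**` would be unambiguous. The enclosing profile starts before and ends after these hunks.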