feat(profile): ensure steam can update itself.

This commit is contained in:
Alexandre Pujol 2024-06-23 11:16:23 +01:00
parent 228d3b653c
commit 2710fd3484
3 changed files with 73 additions and 53 deletions


@ -16,7 +16,6 @@
@{bin}/env r, @{bin}/env r,
@{app_dirs}/ r,
@{lib_dirs}/ r, @{lib_dirs}/ r,
@{lib}/ r, @{lib}/ r,
/ r, / r,
@ -42,6 +41,9 @@
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{app_dirs}/ r,
owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"
owner @{share_dirs}/ r, owner @{share_dirs}/ r,
owner @{share_dirs}/* r, owner @{share_dirs}/* r,
owner @{share_dirs}/appcache/** rk, owner @{share_dirs}/appcache/** rk,
@ -51,8 +53,7 @@
owner @{share_dirs}/logs/* rwk, owner @{share_dirs}/logs/* rwk,
owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
owner @{share_dirs}/steamapps/ r, owner @{share_dirs}/steamapps/ r,
owner @{share_dirs}/steamapps/common/ r, owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk, owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
@{tmp}/ r, @{tmp}/ r,
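Review bot: The comment on `owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"` in the second hunk is narrower than the rule: `[^S]*` excludes every first-level directory whose name begins with `S`, not only the runtime, so a game installed under an `S…` directory is left out of this rule while every other directory gets link and lock permission over its whole tree. Suggest `# [^S]* keeps SteamLinuxRuntime_sniper (and any other S* dir) out of this rule`. This line also replaces the removed `owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,`; if `@{app_dirs}` expands to more than `steamapps/common`, the new rule is wider than the one it replaces and a short comment saying why would help the next reader. The enclosing profile starts and ends outside the hunks shown.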


@ -45,8 +45,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
capability sys_ptrace, capability sys_ptrace,
network inet dgram, network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
network unix, network unix,
@ -65,6 +65,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@{open_path} rPx -> child-open,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/journalctl rPx -> systemctl, @{bin}/journalctl rPx -> systemctl,
@{bin}/ldconfig rix, @{bin}/ldconfig rix,
@ -72,37 +73,46 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsof rix, @{bin}/lsof rix,
@{bin}/lspci rCx -> lspci, @{bin}/lspci rCx -> lspci,
@{bin}/tar rix,
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
@{bin}/xdg-icon-resource rPx, @{bin}/xdg-icon-resource rPx,
@{bin}/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
@{bin}/xz rix,
@{bin}/zenity rix,
@{lib}/@{multiarch}/ld-*.so* rix, @{lib}/@{multiarch}/ld-*.so* rix,
@{lib}/ld-linux.so* rix, @{lib}/ld-linux.so* rix,
@{open_path} rPx -> child-open,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/*driverquery rix, @{lib_dirs}/*driverquery rix,
@{lib_dirs}/fossilize_replay rpx, @{lib_dirs}/fossilize_replay rpx,
@{lib_dirs}/gameoverlayui rpx, @{lib_dirs}/gameoverlayui rpx,
@{lib_dirs}/reaper rpx, # steam-runtime @{lib_dirs}/reaper rpx, # steam-runtime
@{lib_dirs}/steam* rix, @{lib_dirs}/steam* rix,
@{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime, @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
@{share_dirs}/linux{32,64}/steamerrorreporter rpx, @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
@{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, @{runtime_dirs}/*entry-point rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui} rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix,
@{runtime_dirs}/*entry-point rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix,
@{runtime_dirs}/run{,.sh} rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
@{runtime_dirs}/setup.sh rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
@{runtime_dirs}/run{,.sh} rix,
@{runtime_dirs}/setup.sh rix,
@{lib}/os-release rk, @{lib}/os-release rk,
@ -111,16 +121,22 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/etc/lsb-release r, /etc/lsb-release r,
/etc/machine-id r, /etc/machine-id r,
/etc/timezone r, /etc/timezone r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/ r,
@{bin}/ r, @{bin}/ r,
@{lib}/ r, @{lib}/ r,
/ r,
/etc/ r, /etc/ r,
/home/ r, /home/ r,
/usr/ r, /usr/ r,
/usr/local/ r, /usr/local/ r,
/usr/local/lib/ r, /usr/local/lib/ r,
/var/ r, /var/ r,
/var/tmp/ r, /var/tmp/ r,
@ -131,7 +147,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/.steampid rw, owner @{HOME}/.steampid rw,
owner @{share_dirs}/ rw, owner @{share_dirs}/ rw,
owner @{share_dirs}/** rwkl -> @{share_dirs}/**, owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
owner @{user_games_dirs}/ rw, owner @{user_games_dirs}/ rw,
owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**, owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
@ -141,7 +157,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/cef_user_data/{,**} r, owner @{user_config_dirs}/cef_user_data/{,**} r,
owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw, owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm, owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@ -150,17 +166,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
@{tmp}/ r, @{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk, owner @{tmp}/dumps/** rwk,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{tmp}/glx-icds-@{rand6}/{,**} rw, owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
owner @{tmp}/runtime-info.txt.@{rand6} rwk, owner @{tmp}/runtime-info.txt.@{rand6} rwk,
owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/steam/ rw, owner @{tmp}/steam/ rw,
owner @{tmp}/steam/** rwk, owner @{tmp}/steam/** rwk,
owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@ -174,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/n@{int} r, @{run}/udev/data/n@{int} r,
@{sys}/ r, @{sys}/ r,
@ -185,15 +201,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/class/net/ r, @{sys}/class/net/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@{sys}/devices/ r, @{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/input/input@{int}/properties r, @{sys}/devices/**/input/input@{int}/properties r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
@{sys}/devices/**/report_descriptor r, @{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@{sys}/devices/system/ r, @{sys}/devices/system/ r,
@{sys}/devices/system/cpu/cpu@{int}/ r, @{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@ -209,7 +225,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/net/* r, @{PROC}/@{pid}/net/* r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/stat r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/locks r, @{PROC}/locks r,
@{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/sched_autogroup_enabled r,
@ -242,13 +257,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/fontconfig-cache-write> include <abstractions/fontconfig-cache-write>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/video>
capability dac_read_search, capability dac_read_search,
capability sys_chroot, capability sys_chroot,
network inet dgram, network inet dgram,
network inet6 dgram,
network inet stream, network inet stream,
network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
@ -258,19 +274,19 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
unix receive type=stream, unix receive type=stream,
@{bin}/ldconfig rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/true rix, @{bin}/ldconfig rix,
@{bin}/localedef rix, @{bin}/localedef rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/true rix,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/steamwebhelper rix, @{lib_dirs}/steamwebhelper rix,
@{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
@{lib}/pressure-vessel/from-host/** rix, @{lib}/pressure-vessel/from-host/** rix,
@{run}/host/@{bin}/* rix, @{run}/host/@{bin}/* rix,
@ -295,23 +311,23 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{HOME}/.pki/ rw, owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw, owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{lib_dirs}/.cef-* wk, owner @{lib_dirs}/.cef-* wk,
owner @{share_dirs}/{,**} r, owner @{share_dirs}/{,**} r,
owner @{share_dirs}/clientui/** k,
owner @{share_dirs}/config/** rwk, owner @{share_dirs}/config/** rwk,
owner @{share_dirs}/logs/** rwk, owner @{share_dirs}/logs/** rwk,
owner @{share_dirs}/clientui/** k,
owner @{share_dirs}/public/** k, owner @{share_dirs}/public/** k,
@{tmp}/ r, @{tmp}/ r,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk, owner @{tmp}/dumps/** rwk,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
@ -327,7 +343,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{run}/pressure-vessel/** r, owner @{run}/pressure-vessel/** r,
@{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/devices/ r, @{sys}/bus/*/devices/ r,
@ -366,9 +382,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/true rix, @{bin}/true rix,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix,
/ r, / r,
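Review bot: The new `@{bin}/tar rix,` and `@{bin}/xz rix,` in the `@ -72,37 +73,46 @@` hunk carry no comment, yet they appear to be what lets the updater unpack its archive using the steam profile's own write rules, and a later reader will not know why an archiver is inherited here; suggest `@{bin}/tar rix, # self-update: unpack bootstrap archive` with the same on `xz`. `@{bin}/zenity rix,` in the same hunk likewise inherits the whole profile, including the `capability sys_ptrace,` visible in the first hunk, for what is presumably a dialog helper; if the tree ships a zenity profile, `rPx` would be the narrower transition, otherwise a small `rCx` child. The new `steam-runtime-*` tools are also `rix`, which is consistent with the existing entries around them. The steam profile starts and ends outside the hunks shown.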


@ -26,7 +26,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r, @{sh_path} rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@ -34,7 +34,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
@{lib_dirs}/steam-launch-wrapper rix, @{lib_dirs}/steam-launch-wrapper rix,
# Native linux games (steam-game-native) # Native linux games (steam-game-native)
@{app_dirs}/[^S]*/** rpx -> steam-game-native, @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**
# Proton games, sandboxed (steam-game-proton) # Proton games, sandboxed (steam-game-proton)
@{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/*entry-point rmix,
@ -54,7 +54,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
owner @{app_dirs}/*/ r, owner @{app_dirs}/*/ r,
owner @{app_dirs}/config/config.vdf rw, owner @{app_dirs}/config/config.vdf{,.*} rw,
owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/** r,
owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
@ -62,6 +62,9 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
owner @{share_dirs}/config/config.vdf{,.*} rw,
owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{tmp}/ r, owner @{tmp}/ r,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
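Review bot: The comment added on `@{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**` in the `@ -34,7 +34,7 @@` hunk reads as if the rule applied only to the runtime directory, while `[^S]*` does the opposite: it keeps any first-level directory beginning with `S` (which, if `@{runtime}` is SteamLinuxRuntime_sniper, includes the runtime itself) out of the native-game transition. If the intent is to explain the negative class, `# [^S]* excludes @{runtime}/** (its entry-point is handled below)` says that directly, since the `@{app_dirs}/@{runtime}/*entry-point rmix,` line two rows down appears to be the path the runtime takes instead. The `@{sh_path} r` to `rix` change in the first hunk means shell scripts now execute inside this profile rather than merely being readable; that looks intended for the launcher scripts but deserves a word in the commit message. The steam-runtime profile starts and ends outside the hunks shown.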