feat(profile): ensure steam can update itself.

2025-01-18 00:48:10 +01:00 · 2024-06-23 11:16:23 +01:00 · 2024-06-23 11:16:23 +01:00 · 2710fd3484
commit 2710fd3484
parent 228d3b653c
3 changed files with 73 additions and 53 deletions
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@ -16,7 +16,6 @@

  @{bin}/env r,

-  @{app_dirs}/ r,
  @{lib_dirs}/ r,
  @{lib}/ r,
  / r,
@ -42,6 +41,9 @@
  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,

+  owner @{app_dirs}/ r,
+  owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"
+
  owner @{share_dirs}/ r,
  owner @{share_dirs}/* r,
  owner @{share_dirs}/appcache/** rk,
@ -51,8 +53,7 @@
  owner @{share_dirs}/logs/* rwk,
  owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
  owner @{share_dirs}/steamapps/ r,
-  owner @{share_dirs}/steamapps/common/ r,
-  owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
+  owner @{share_dirs}/steamapps/appmanifest_* rw, 
  owner @{share_dirs}/steamapps/shadercache/{,**} rwk,

        @{tmp}/ r,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -45,8 +45,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  capability sys_ptrace,

  network inet dgram,
-  network inet6 dgram,
  network inet stream,
+  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
  network unix,
@ -65,6 +65,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  @{sh_path}                    rix,
  @{coreutils_path}             rix,
+  @{open_path}                  rPx -> child-open,
  @{bin}/getopt                 rix,
  @{bin}/journalctl             rPx -> systemctl,
  @{bin}/ldconfig               rix,
@ -72,12 +73,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/lsb_release            rPx -> lsb_release,
  @{bin}/lsof                   rix,
  @{bin}/lspci                  rCx -> lspci,
+  @{bin}/tar                    rix,
  @{bin}/which{,.debianutils}   rix,
  @{bin}/xdg-icon-resource      rPx,
  @{bin}/xdg-user-dir           rix,
+  @{bin}/xz                     rix,
+  @{bin}/zenity                 rix,
  @{lib}/@{multiarch}/ld-*.so*  rix,
  @{lib}/ld-linux.so*           rix,
-  @{open_path}                  rPx -> child-open,

  @{lib_dirs}/**                mr,
  @{lib_dirs}/*driverquery      rix,
@ -90,14 +93,21 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  @{share_dirs}/linux{32,64}/steamerrorreporter rpx,

+  @{runtime_dirs}/*entry-point                                                      rix,
  @{runtime_dirs}/@{arch}/@{bin}/srt-logger                                         rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements                   rcx -> check,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui}                         rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi                 rix,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor                        rix,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-*                             rix,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int}            rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service                     rpx,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-*                            rix,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote                         rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor                           rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info                          rix,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen                              rix,
  @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-*                  rix,
-  @{runtime_dirs}/*entry-point rix,
  @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-*                          rix,
  @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-*  rix,
  @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap       rcx -> web,
@ -111,16 +121,22 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /etc/lsb-release r,
  /etc/machine-id r,
  /etc/timezone r,
+
  /var/lib/dbus/machine-id r,

+  / r,
+
  @{bin}/ r,
  @{lib}/ r,
-  / r,
+
  /etc/ r,
+
  /home/ r,
+
  /usr/ r,
  /usr/local/ r,
  /usr/local/lib/ r,
+
  /var/ r,
  /var/tmp/ r,

@ -131,7 +147,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{HOME}/.steampid rw,

  owner @{share_dirs}/ rw,
-  owner @{share_dirs}/** rwkl -> @{share_dirs}/**,
+  owner @{share_dirs}/** rwlk -> @{share_dirs}/**,

  owner @{user_games_dirs}/ rw,
  owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
@ -141,7 +157,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_config_dirs}/autostart/ r,
  owner @{user_config_dirs}/cef_user_data/{,**} r,
  owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
-  owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm,
+  owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw,

  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
@ -150,17 +166,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,

        @{tmp}/ r,
+  owner @{tmp}/#@{int} rw,
  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
-  owner @{tmp}/#@{int} rw,
  owner @{tmp}/dumps/ rw,
  owner @{tmp}/dumps/** rwk,
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
  owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
  owner @{tmp}/runtime-info.txt.@{rand6} rwk,
-  owner @{tmp}/steam@{rand6}/{,**} rw,
  owner @{tmp}/steam/ rw,
  owner @{tmp}/steam/** rwk,
+  owner @{tmp}/steam@{rand6}/{,**} rw,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,

  owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@ -185,15 +201,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/ r,
-  @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
-  @{sys}/devices/**/input@{int}/ r,
-  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/input/input@{int}/properties r,
+  @{sys}/devices/**/input@{int}/ r,
+  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
  @{sys}/devices/**/report_descriptor r,
  @{sys}/devices/**/uevent r,
+  @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
  @{sys}/devices/system/ r,
  @{sys}/devices/system/cpu/cpu@{int}/ r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
@ -209,7 +225,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/@{pid}/fdinfo/@{int} r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/@{pid}/stat r,
-        @{PROC}/@{pid}/stat r,
        @{PROC}/1/cgroup r,
        @{PROC}/locks r,
        @{PROC}/sys/kernel/sched_autogroup_enabled r,
@ -242,13 +257,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/fontconfig-cache-write>
    include <abstractions/graphics>
    include <abstractions/nameservice-strict>
+    include <abstractions/video>

    capability dac_read_search,
    capability sys_chroot,

    network inet dgram,
-    network inet6 dgram,
    network inet stream,
+    network inet6 dgram,
    network inet6 stream,
    network netlink raw,

@ -258,19 +274,19 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

    unix receive type=stream,

-    @{bin}/ldconfig   rix,
    @{bin}/getopt     rix,
    @{bin}/gzip       rix,
-    @{bin}/true       rix,
+    @{bin}/ldconfig   rix,
    @{bin}/localedef  rix,
    @{bin}/readlink   rix,
+    @{bin}/true       rix,

    @{lib_dirs}/**                             mr,
    @{lib_dirs}/steamwebhelper                 rix,
    @{lib_dirs}/steamwebhelper_sniper_wrap.sh  rix,

-    @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
    @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int}  rix,
+    @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap     mr,

    @{lib}/pressure-vessel/from-host/**  rix,
    @{run}/host/@{bin}/*                 rix,
@ -295,23 +311,23 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

    owner @{HOME}/.pki/ rw,
    owner @{HOME}/.pki/nssdb/ rw,
-    owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
    owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
    owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+    owner @{HOME}/.pki/nssdb/pkcs11.txt rw,

    owner @{lib_dirs}/.cef-* wk,

    owner @{share_dirs}/{,**} r,
+    owner @{share_dirs}/clientui/** k,
    owner @{share_dirs}/config/** rwk,
    owner @{share_dirs}/logs/** rwk,
-    owner @{share_dirs}/clientui/** k,
    owner @{share_dirs}/public/** k,

          @{tmp}/ r,
    owner @{tmp}/#@{int} rw,
+    owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
    owner @{tmp}/dumps/ rw,
    owner @{tmp}/dumps/** rwk,
-    owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
    owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
    owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
    owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@ -26,7 +26,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{sh_path} r,
+  @{sh_path}       rix,
  @{bin}/getopt    rix,
  @{bin}/readlink  rix,

@ -34,7 +34,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
  @{lib_dirs}/steam-launch-wrapper rix,

  # Native linux games (steam-game-native)
-  @{app_dirs}/[^S]*/** rpx -> steam-game-native,
+  @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**

  # Proton games, sandboxed (steam-game-proton)
  @{app_dirs}/@{runtime}/*entry-point rmix,
@ -54,7 +54,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.steam/steam.pipe r,

  owner @{app_dirs}/*/ r,
-  owner @{app_dirs}/config/config.vdf rw,
+  owner @{app_dirs}/config/config.vdf{,.*} rw,
  owner @{app_dirs}/@{runtime}/** r,
  owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
  owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
@ -62,6 +62,9 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
  owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
  owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,

+  owner @{share_dirs}/config/config.vdf{,.*} rw,
+  owner @{share_dirs}/steamapps/appmanifest_* rw, 
+
  owner @{tmp}/ r,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,