feat(profile): update steam profiles.

2024-11-15 07:54:17 +01:00 · 2024-06-15 16:35:44 +01:00 · 2024-06-15 16:35:44 +01:00 · 39bfa9a40b
commit 39bfa9a40b
parent 637c2b4ccd
6 changed files with 49 additions and 14 deletions
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@ -36,19 +36,28 @@
  owner @{user_games_dirs}/*/ r,
  owner @{user_games_dirs}/*/{,**} rwkl,

-  owner @{user_config_dirs}/unity3d/{,**} rwk,
+  owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,

  owner @{share_dirs}/ r,
  owner @{share_dirs}/* r,
-  owner @{share_dirs}/config/*.vdf* rw,
-  owner @{share_dirs}/logs/* rw,
+  owner @{share_dirs}/appcache/** rk,
+  owner @{share_dirs}/config/ r,
+  owner @{share_dirs}/config/* rwk,
+  owner @{share_dirs}/logs/ rw,
+  owner @{share_dirs}/logs/* rwk,
+  owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
  owner @{share_dirs}/steamapps/ r,
  owner @{share_dirs}/steamapps/common/ r,
-  owner @{share_dirs}/steamapps/common/*/** rwlk,
+  owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
  owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
-  owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,

        @{tmp}/ r,
+  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
  owner @{tmp}/crashes/ rw,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -49,7 +49,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  network inet stream,
  network inet6 stream,
  network netlink raw,
-  network unix stream,
+  network unix,

  ptrace read,
  ptrace trace peer=steam,
@ -59,6 +59,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  signal send peer=steam//journalctl,
  signal send peer=steam//web,

+  unix,
+
  @{exec_path} mrix,

  @{sh_path}                    rix,
@ -88,9 +90,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  @{share_dirs}/linux{32,64}/steamerrorreporter rpx,

+  @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
  @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
  @{runtime_dirs}/*entry-point rix,
@ -132,18 +136,22 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_games_dirs}/ rw,
  owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,

+  owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
  owner @{user_config_dirs}/autostart/ r,
  owner @{user_config_dirs}/cef_user_data/{,**} r,
  owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
  owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm,
-  owner @{user_config_dirs}/unity3d/{,**} rwk,
-  owner @{user_config_dirs}/user-dirs.dirs r,

+  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
  owner @{user_share_dirs}/applications/*.desktop w,
  owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
  owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,

        @{tmp}/ r,
+  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/dumps/ rw,
  owner @{tmp}/dumps/** rwk,
@ -155,7 +163,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/steam/** rwk,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,

-        /dev/shm/ r,
  owner /dev/shm/fossilize-*-@{int}-@{int} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
@ -176,6 +183,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
+  @{sys}/class/power_supply/ r,
  @{sys}/devices/ r,
  @{sys}/devices/@{pci}/boot_vga r,
  @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@ -183,6 +191,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/input/input@{int}/properties r,
+  @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
  @{sys}/devices/**/report_descriptor r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/system/ r,
@ -204,15 +213,19 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/1/cgroup r,
        @{PROC}/locks r,
        @{PROC}/sys/kernel/sched_autogroup_enabled r,
+        @{PROC}/sys/kernel/unprivileged_userns_clone r,
        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+        @{PROC}/sys/user/max_user_namespaces r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/autogroup rw,
  owner @{PROC}/@{pid}/cmdline rk,
  owner @{PROC}/@{pid}/environ r,
  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/fd/@{int} rw,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/children r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/input/ r,
@ -230,6 +243,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/graphics>
    include <abstractions/nameservice-strict>

+    capability dac_read_search,
+    capability sys_chroot,
+
    network inet dgram,
    network inet6 dgram,
    network inet stream,
@ -302,6 +318,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

          /dev/shm/ r,
    owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+    owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
@ -325,9 +342,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
          @{PROC}/sys/fs/inotify/max_user_watches r,
          @{PROC}/sys/kernel/yama/ptrace_scope r,
    owner @{PROC}/@{pid}/cmdline r,
+    owner @{PROC}/@{pid}/mem r,
    owner @{PROC}/@{pid}/oom_score_adj w,
    owner @{PROC}/@{pid}/statm r,
    owner @{PROC}/@{pid}/task/ r,
+    owner @{PROC}/@{pid}/task/@{tid}/comm r,
    owner @{PROC}/@{pid}/task/@{tid}/status r,

    /dev/hidraw@{int} rw,
@ -341,6 +360,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/common/bwrap>
    include <abstractions/nameservice-strict>

+    capability dac_read_search,
+
    unix receive type=stream,

    @{bin}/true rix,
@ -376,7 +397,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    @{sys}/bus/pci/slots/ r,
    @{sys}/bus/pci/slots/@{int}/address r,
    @{sys}/devices/@{pci}/** r,
-  
+
    owner /dev/shm/ValveIPCSHM_@{uid} rw,

    include if exists <local/steam_lspci>
@ -385,7 +406,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
-  
+
    /{run,var}/log/journal/ r,
    /{run,var}/log/journal/@{hex32}/ r,
    /{run,var}/log/journal/@{hex32}/system.journal* r,
@ -394,6 +415,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {

    include if exists <local/steam_systemctl>
  }
-  
+
  include if exists <local/steam>
 }
--- a/apparmor.d/profiles-s-z/steam-game-native
+++ b/apparmor.d/profiles-s-z/steam-game-native
@ -22,6 +22,7 @@ profile steam-game-native @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
+  network netlink raw,
  network unix stream,

  signal receive peer=steam,
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@ -20,6 +20,8 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
  include <abstractions/common/steam-game>
  include <abstractions/python>

+  capability dac_read_search,
+
  network inet dgram,
  network inet6 dgram,
  network inet stream,
@ -74,14 +76,14 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
  owner @{app_dirs}/Proton*/** rwkl,

  owner @{share_dirs}/*.dll r,
-  owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
+  owner @{share_dirs}/bin/ r,
  owner @{share_dirs}/legacycompat/ r,
  owner @{share_dirs}/legacycompat/** mr,
+  owner @{share_dirs}/steamapps/compatdata/{,**} rwk,

  owner @{user_share_dirs}/applications/wine/ rw,
  owner @{user_share_dirs}/applications/wine/**/ rw,

-  owner @{tmp}/ r,
  owner @{tmp}/.wine-@{uid}/ rw,
  owner @{tmp}/.wine-@{uid}/** rwk,
  owner @{tmp}/glx-icds-@{rand6}/{,**} w,
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@ -54,6 +54,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.steam/steam.pipe r,

  owner @{app_dirs}/*/ r,
+  owner @{app_dirs}/config/config.vdf rw,
  owner @{app_dirs}/@{runtime}/** r,
  owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
  owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
@ -24,6 +24,7 @@
@{XDG_VM_DIR}=".vm"
@{XDG_VM_SHARES_DIR}="VM_Shares"
@{XDG_IMG_DIR}="images"
+@{XDG_GAMESSTUDIO_DIR}="unity3d"

 # User personal keyrings
@{XDG_GPG_DIR}=".gnupg"