From 39bfa9a40bc0fddc791104e80e986e9c95089e69 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 15 Jun 2024 16:35:44 +0100
Subject: [PATCH] feat(profile): update steam profiles.

---
 apparmor.d/abstractions/common/steam-game | 19 ++++++++----
 apparmor.d/profiles-s-z/steam | 35 ++++++++++++++++++-----
 apparmor.d/profiles-s-z/steam-game-native | 1 +
 apparmor.d/profiles-s-z/steam-game-proton | 6 ++--
 apparmor.d/profiles-s-z/steam-runtime | 1 +
 apparmor.d/tunables/home.d/apparmor.d | 1 +
 6 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game
index 5a2cbd6d..88bd3d1b 100644
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@@ -36,19 +36,28 @@
 owner @{user_games_dirs}/*/ r,
 owner @{user_games_dirs}/*/{,**} rwkl,
- owner @{user_config_dirs}/unity3d/{,**} rwk,
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
 owner @{share_dirs}/ r,
 owner @{share_dirs}/* r,
- owner @{share_dirs}/config/*.vdf* rw,
- owner @{share_dirs}/logs/* rw,
+ owner @{share_dirs}/appcache/** rk,
+ owner @{share_dirs}/config/ r,
+ owner @{share_dirs}/config/* rwk,
+ owner @{share_dirs}/logs/ rw,
+ owner @{share_dirs}/logs/* rwk,
+ owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
 owner @{share_dirs}/steamapps/ r,
 owner @{share_dirs}/steamapps/common/ r,
- owner @{share_dirs}/steamapps/common/*/** rwlk,
+ owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
 owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
- owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
 @{tmp}/ r,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
 owner @{tmp}/crashes/ rw,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 36b8bd54..49157e25 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -49,7 +49,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 network inet stream,
 network inet6 stream,
 network netlink raw,
- network unix stream,
+ network unix,
 ptrace read,
 ptrace trace peer=steam,
@@ -59,6 +59,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 signal send peer=steam//journalctl,
 signal send peer=steam//web,
+ unix,
+
 @{exec_path} mrix,
 @{sh_path} rix,
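Review bot: The narrowed glob `owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,` excludes every install directory whose name starts with a capital S, not only the runtime directories it presumably targets (`SteamLinuxRuntime_*` — confirm), so a game installed under, say, `Stardew Valley/` loses read and write on its own tree through this abstraction unless some other rule in the including profile covers it. If the goal is to keep games out of `Steam*` only, the explicit AppArmor idiom is `owner @{share_dirs}/steamapps/common/{[^S]*,S[^t]*,St[^e]*,Ste[^a]*,Stea[^m]*}/** rwlk,`. A comment above the rule naming what is excluded and why would also keep a later contributor from widening it back to `*/**`. The abstraction continues outside the hunk.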
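Review bot: The bare `unix,` added here carries no `type=` or `peer=` conditional, so together with the `network unix,` in the hunk above the steam profile may create, bind, connect and exchange data over any AF_UNIX socket with a peer under any label, while the surrounding `ptrace trace peer=steam` and `signal send peer=steam//web` rules scope their peers. If the denials that motivated it come from Steam's own helpers (plausible given the `steam//*` peers around it — confirm in the audit log), `unix peer=(label=steam),` plus `unix peer=(label=steam//*),` keeps the mediation meaningful. Otherwise a comment above the rule naming the external socket that needs it should record the decision. The profile body continues outside the hunk.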
@@ -88,9 +90,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
+ @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
 @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
 @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
 @{runtime_dirs}/*entry-point rix,
@@ -132,18 +136,22 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_games_dirs}/ rw,
 owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
 owner @{user_config_dirs}/autostart/ r,
 owner @{user_config_dirs}/cef_user_data/{,**} r,
 owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
 owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm,
- owner @{user_config_dirs}/unity3d/{,**} rwk,
- owner @{user_config_dirs}/user-dirs.dirs r,
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
 owner @{user_share_dirs}/applications/*.desktop w,
 owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
 owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
 @{tmp}/ r,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/dumps/ rw,
 owner @{tmp}/dumps/** rwk,
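Review bot: `@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,` runs the supervisor under the full `steam` profile, and anything it executes in turn inherits that profile unless a more specific exec rule matches; the line below it gives `steam-runtime-launcher-service` its own profile with `rpx`. If the supervisor is a process supervisor that spawns launcher or game children (its name suggests so — confirm), `rPx` to a dedicated profile, or at least `rcx` to a child profile, would keep those children from inheriting steam's ptrace, signal and unix rules. Otherwise a short comment such as `# supervisor only wraps steam's own helpers; inheriting the profile is intended` above the line would make the choice explicit. The profile body continues outside the hunk.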
@@ -155,7 +163,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{tmp}/steam/** rwk,
 owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
- /dev/shm/ r,
 owner /dev/shm/fossilize-*-@{int}-@{int} rw,
 owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
 owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
@@ -176,6 +183,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/class/hidraw/ r,
 @{sys}/class/input/ r,
 @{sys}/class/net/ r,
+ @{sys}/class/power_supply/ r,
 @{sys}/devices/ r,
 @{sys}/devices/@{pci}/boot_vga r,
 @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@@ -183,6 +191,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/devices/**/input@{int}/capabilities/* r,
 @{sys}/devices/**/input/input@{int}/ r,
 @{sys}/devices/**/input/input@{int}/properties r,
+ @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
 @{sys}/devices/**/report_descriptor r,
 @{sys}/devices/**/uevent r,
 @{sys}/devices/system/ r,
@@ -204,15 +213,19 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/1/cgroup r,
 @{PROC}/locks r,
 @{PROC}/sys/kernel/sched_autogroup_enabled r,
+ @{PROC}/sys/kernel/unprivileged_userns_clone r,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{PROC}/sys/user/max_user_namespaces r,
 @{PROC}/version r,
 owner @{PROC}/@{pid}/autogroup rw,
 owner @{PROC}/@{pid}/cmdline rk,
 owner @{PROC}/@{pid}/environ r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fd/@{int} rw,
 owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/children r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 /dev/input/ r,
@@ -230,6 +243,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ capability dac_read_search,
+ capability sys_chroot,
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
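Review bot: The new `capability dac_read_search,` and `capability sys_chroot,` lines land in a subprofile whose name is outside the hunk, with nothing recording why a Steam component needs to bypass directory search permissions or call chroot(2). The reads of `@{PROC}/sys/kernel/unprivileged_userns_clone` and `@{PROC}/sys/user/max_user_namespaces` in the hunk above suggest a Chromium-style sandbox that sets up a user namespace, in which case these capabilities are only ever effective inside that namespace rather than on the host — but that is an inference, not something the hunk shows. A comment above them, e.g. `# Used by the web helper's sandbox inside its unprivileged user namespace; not effective on the host`, written after checking the audit log, would stop the next reviewer from reading them as host-level privilege. The enclosing subprofile starts and ends outside the hunk.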
@@ -302,6 +318,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /dev/shm/ r,
 owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+ owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
 owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
 owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
 owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
@@ -325,9 +342,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mem r,
 owner @{PROC}/@{pid}/oom_score_adj w,
 owner @{PROC}/@{pid}/statm r,
 owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm r,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
 /dev/hidraw@{int} rw,
@@ -341,6 +360,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ capability dac_read_search,
+
 unix receive type=stream,
 @{bin}/true rix,
@@ -376,7 +397,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/@{int}/address r,
 @{sys}/devices/@{pci}/** r,
-
+
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
 include if exists
@@ -385,7 +406,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 profile systemctl {
 include
 include
-
+
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/ r,
 /{run,var}/log/journal/@{hex32}/system.journal* r,
@@ -394,6 +415,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include if exists
 }
-
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native
index da72bf27..0a79b99d 100644
--- a/apparmor.d/profiles-s-z/steam-game-native
+++ b/apparmor.d/profiles-s-z/steam-game-native
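Review bot: `owner @{PROC}/@{pid}/mem r,` is not limited to the process itself: `@{pid}` matches any pid and `owner` only requires the same uid, so it permits reading the memory of any other process of the user, which is where unrelated applications keep credentials and session tokens. The kernel still demands ptrace access to the target, so what really bounds this rule is the subprofile's `ptrace` rules, which are outside the hunk; please confirm they carry a `peer=` restriction as the main profile's `ptrace trace peer=steam` does (the main profile already has the same `mem r` rule), and add a comment naming the crash or diagnostic path that needs it. The enclosing subprofile starts and ends outside the hunk.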
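Review bot: `capability dac_read_search,` is added here on its own, with no comment and without the `sys_chroot` companion it has in the earlier subprofile, so the motivating denial is invisible to a reader. For an unprivileged Steam process the rule only has effect once the process actually holds the capability (for example inside a user namespace it created), so either that is the situation and a comment should say so, or the denial came from a root-owned directory somewhere in the runtime and a path rule is the right fix — which one cannot be told from the hunk. Suggest `# dac_read_search: <denied path and reason from the audit log>` above the line once it has been traced. The enclosing subprofile starts and ends outside the hunk.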
@@ -22,6 +22,7 @@ profile steam-game-native @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 network unix stream,
 signal receive peer=steam,
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton
index 7f1e2982..ed67e72b 100644
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@@ -20,6 +20,8 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability dac_read_search,
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
@@ -74,14 +76,14 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
 owner @{app_dirs}/Proton*/** rwkl,
 owner @{share_dirs}/*.dll r,
- owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
+ owner @{share_dirs}/bin/ r,
 owner @{share_dirs}/legacycompat/ r,
 owner @{share_dirs}/legacycompat/** mr,
+ owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
 owner @{user_share_dirs}/applications/wine/ rw,
 owner @{user_share_dirs}/applications/wine/**/ rw,
- owner @{tmp}/ r,
 owner @{tmp}/.wine-@{uid}/ rw,
 owner @{tmp}/.wine-@{uid}/** rwk,
 owner @{tmp}/glx-icds-@{rand6}/{,**} w,
diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime
index 6893dbe2..9beaa2e8 100644
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@@ -54,6 +54,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.steam/steam.pipe r,
 owner @{app_dirs}/*/ r,
+ owner @{app_dirs}/config/config.vdf rw,
 owner @{app_dirs}/@{runtime}/** r,
 owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
 owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d
index 87daf969..963e4bc8 100644
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
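Review bot: `network netlink raw,` grants every native game a raw netlink socket, and the rule as written does not distinguish rtnetlink from uevent, audit or the other netlink families, so it is broader than the interface lookups that usually trigger this denial. A comment naming the consumer (likely the Steam client library enumerating network interfaces — confirm from the audit log) would let a later reviewer tell a real need from a drive-by addition; suggest `# netlink raw: interface enumeration by the Steam client library` above the line, adjusted to what the log shows. The profile body continues outside the hunk.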
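Review bot: `owner @{app_dirs}/config/config.vdf rw,` gives the runtime (pressure-vessel) profile write access to Steam's central client configuration, while the surrounding rules only read `@{app_dirs}` and write under the runtime's own directories, so this one stands out. If the runtime only opens the file for reading or for a lock, `r` or `rk` is enough and keeps a compromised runtime from rewriting the client's config; if it genuinely writes, a comment such as `# pressure-vessel updates <key> in config.vdf` would document the exception. The profile body continues outside the hunk.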
@@ -24,6 +24,7 @@
 @{XDG_VM_DIR}=".vm"
 @{XDG_VM_SHARES_DIR}="VM_Shares"
 @{XDG_IMG_DIR}="images"
+@{XDG_GAMESSTUDIO_DIR}="unity3d"
 # User personal keyrings
 @{XDG_GPG_DIR}=".gnupg"
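Review bot: The tunable name `@{XDG_GAMESSTUDIO_DIR}` does not describe its value: `unity3d` is the per-user data directory of one game engine, not a generic studio directory, and the name gives no hint that the other hunks use it under `@{tmp}` as well as under the config and share directories. Since the variable is already referenced from several profiles, a comment above the definition, e.g. `# Unity engine per-user data (~/.config/unity3d, ~/.local/share/unity3d, /tmp/unity3d)`, is the least disruptive fix; renaming it to `@{XDG_UNITY3D_DIR}` would be clearer if those profiles are touched again.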