From 3c75243f1577d5c7b3b34380d616e51c312f46a0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 19 Nov 2024 22:16:18 +0000
Subject: [PATCH] feat(abs): add the wine abstraction.

---
 apparmor.d/abstractions/wine              | 20 ++++++++++++++++++++
 apparmor.d/profiles-s-z/steam-game-proton |  9 +--------
 2 files changed, 21 insertions(+), 8 deletions(-)
 create mode 100644 apparmor.d/abstractions/wine

diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine
new file mode 100644
index 00000000..139b0345
--- /dev/null
+++ b/apparmor.d/abstractions/wine
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Basic set of resources for wine regardless of the installation method (system or through a game launcher).
+
+  abi <abi/4.0>,
+
+  owner @{user_share_dirs}/applications/wine/ rw,
+  owner @{user_share_dirs}/applications/wine/**/ rw,
+
+  owner @{tmp}/.wine-@{uid}/ rw,
+  owner @{tmp}/.wine-@{uid}/** rwk,
+
+  owner /dev/shm/wine-@{hex6}-fsync rw,
+  owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
+
+  include if exists <abstractions/wine.d>
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton
index dfa8b84d..46f296c4 100644
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@@ -18,6 +18,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/common/bwrap>
   include <abstractions/common/steam-game>
   include <abstractions/python>
+  include <abstractions/wine>
 
   capability dac_override,
   capability dac_read_search,
@@ -79,19 +80,11 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
   owner @{share_dirs}/legacycompat/** mr,
   owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
 
-  owner @{user_share_dirs}/applications/wine/ rw,
-  owner @{user_share_dirs}/applications/wine/**/ rw,
-
-  owner @{tmp}/.wine-@{uid}/ rw,
-  owner @{tmp}/.wine-@{uid}/** rwk,
   owner @{tmp}/glx-icds-@{rand6}/{,**} w,
   owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
   owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
   owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w,
 
-  owner /dev/shm/wine-@{hex6}-fsync rw,
-  owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
-
         @{run}/host/fonts/{,**} r,
         @{run}/host/share/{,**} r,
         @{run}/host/usr/{,**} r,