feat(profile): rewrite steam profiles.

- Separate profile for sandboxes.
- Separate profile for native and proton games.
- Updated the path variables.
- Tested on Arch and Debian.

Note: these profiles are still in alpha stage and disabled by default.
Alexandre Pujol 2024-06-11 00:21:29 +01:00
parent 6f5986a05e
commit 6d549b7c70
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
14 changed files with 681 additions and 411 deletions


@ -0,0 +1,115 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@{bin}/uname rix,
@{bin}/xdg-settings rPx,
@{browsers_path} rPx,
@{bin}/env r,
@{app_dirs}/ r,
@{lib_dirs}/ r,
@{lib}/ r,
/ r,
/home/ r,
/usr/ r,
/usr/local/ r,
/usr/local/lib/ r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/ r,
owner @{user_games_dirs}/*/ r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/unity3d/{,**} rwk,
owner @{share_dirs}/ r,
owner @{share_dirs}/* r,
owner @{share_dirs}/config/*.vdf* rw,
owner @{share_dirs}/logs/* rw,
owner @{share_dirs}/steamapps/ r,
owner @{share_dirs}/steamapps/common/ r,
owner @{share_dirs}/steamapps/common/*/** rwlk,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
@{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/crashes/ rw,
owner @{tmp}/crashes/** rwk,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner /dev/shm/mono.@{int} rw,
owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/ r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/net/*/carrier r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/ r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/devices/virtual/net/*/carrier r,
@{sys}/kernel/ r,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/event@{int} rw,
/dev/tty rw,
/dev/uinput rw,
include if exists <abstractions/common/steam-game.d>
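Review bot: The device rules at the end of the abstraction, `/dev/input/event@{int} rw,` and `/dev/uinput rw,`, give every game confined by it raw read access to any evdev node the user can open plus the ability to create virtual input devices, so a game can observe and synthesize session input; the only remaining boundary is the DAC/udev ACL on the nodes, which this profile does not control. If the intent is controller support through Steam Input, say so on the rule so the next reviewer does not silently narrow it, e.g. `# evdev + uinput: raw input from all devices and virtual device creation (Steam Input); udev/DAC ACLs are the real limit`. The abstraction also has no header stating what it is for; since both steam-game-native and steam-game-proton include it, a one-line `# Rules shared by the steam-game-native and steam-game-proton profiles` above the includes would help. Finally, `owner @{share_dirs}/steamapps/common/*/** rwlk,` lets any game write and link into every other game's install tree, presumably needed for updates and saves, but worth a comment noting it as a known cross-game gap.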


@ -6,28 +6,32 @@
# - Ensure no user data is accessed by either steam or steam games # - Ensure no user data is accessed by either steam or steam games
# - Limit what steam/games can access to the host # - Limit what steam/games can access to the host
# #
# Current architecture: # Overall architecture of the steam profiles:
# steam # steam
# ├── steam-fossilize # ├── steam//check # Requirements check (sandboxed)
# ├── steam-reaper # ├── steam//web # steamwebhelper (sandboxed)
# │ └── steam-game # ├── steam-fossilize # Update shader cache
# ├── steam-gameoverlayui # ├── steam-runtime # Launcher tasks up to the creation of the sandbox
# └── steamerrorreporter # │ ├── steam-game-native # Native games
# │ └── steam-game-proton # Proton games (sandboxed)
# ├── steam-gameoverlayui # Steam game overlay
# └── steamerrorreporter # Error reporter
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam @{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{share_dirs}/steam.sh @{exec_path} = @{share_dirs}/steam.sh
profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/common/bwrap>
include <abstractions/common/chromium>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/desktop> include <abstractions/desktop>
@ -38,69 +42,71 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/video> include <abstractions/video>
capability sys_ptrace,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
network unix stream,
ptrace (read), ptrace read,
ptrace (trace) peer=steam, ptrace trace peer=steam,
signal (send) peer=steam-game, signal send peer=steam-game,
signal (read), signal send peer=steam-launcher,
signal send peer=steam//journalctl,
unix (receive) type=stream, signal send peer=steam//web,
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@{bin}/cmp rix,
@{bin}/file rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/gzip rix, @{bin}/journalctl rPx -> systemctl,
@{bin}/ldconfig rix, @{bin}/ldconfig rix,
@{bin}/ldd rix, @{bin}/ldd rix,
@{bin}/localedef rix,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsof rix, @{bin}/lsof rix,
@{bin}/lspci rCx -> lspci, @{bin}/lspci rCx -> lspci,
@{bin}/steam-runtime-urlopen rix, @{bin}/which{,.debianutils} rix,
@{bin}/tar rix,
@{bin}/which rix,
@{bin}/xdg-icon-resource rPx, @{bin}/xdg-icon-resource rPx,
@{bin}/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
@{bin}/xz rix, @{lib}/@{multiarch}/ld-*.so* rix,
@{bin}/zenity rix,
@{lib}/ld-linux.so* rix, @{lib}/ld-linux.so* rix,
@{open_path} rPx -> child-open,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@{lib_dirs}/*/** ix, @{lib_dirs}/*driverquery rix,
@{lib_dirs}/*driverquery rix, @{lib_dirs}/fossilize_replay rpx,
@{lib_dirs}/fossilize_replay rpx, @{lib_dirs}/gameoverlayui rpx,
@{lib_dirs}/gameoverlayui rpx, @{lib_dirs}/reaper rpx, # steam-runtime
@{lib_dirs}/reaper rpx, @{lib_dirs}/steam* rix,
@{lib_dirs}/steam* rix,
# Entry point for steam-game @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
@{runtime_dirs}/*entry-point rpx,
@{lib}/pressure-vessel/from-host/** rix,
@{run}/host/@{bin}/* rix,
@{run}/host/@{lib}/** rix,
@{share_dirs}/linux{32,64}/steamerrorreporter rpx, @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
@{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so rm,
/usr/lib/os-release rk, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
/usr/share/fonts/**.{ttf,otf} rk, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
/usr/share/terminfo/** r, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
/usr/share/zenity/* r, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/*entry-point rix,
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
@{runtime_dirs}/run{,.sh} rix,
@{runtime_dirs}/setup.sh rix,
@{lib}/os-release rk,
/usr/share/fonts/** rk,
/etc/lsb-release r, /etc/lsb-release r,
/etc/udev/udev.conf r,
/etc/machine-id r, /etc/machine-id r,
/etc/timezone r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
@{bin}/ r, @{bin}/ r,
@ -108,16 +114,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/ r, / r,
/etc/ r, /etc/ r,
/home/ r, /home/ r,
/run/ r,
/usr/ r, /usr/ r,
/usr/local/ r, /usr/local/ r,
/usr/local/lib/ r, /usr/local/lib/ r,
/var/ r, /var/ r,
/var/tmp/ r,
owner /bindfile@{rand6} rw,
owner /var/pressure-vessel/** rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/.steam/{,**} rw, owner @{HOME}/.steam/{,**} rw,
@ -142,106 +143,231 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw, owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
owner /dev/shm/#@{int} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
@{tmp}/ r, @{tmp}/ r,
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk, owner @{tmp}/dumps/** rwk,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{tmp}/miles_image_* mrw, owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/runtime-info.txt.@{rand6} rwk,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/runtime-info.txt.* rwk,
owner @{tmp}/sh-thd.* rw,
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/steam/ rw, owner @{tmp}/steam/ rw,
owner @{tmp}/steam/** rwk, owner @{tmp}/steam/** rwk,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner @{run}/pressure-vessel/** r, /dev/shm/ r,
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
@{run}/host/{,**} r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{run}/udev/data/n@{int} r, @{run}/udev/data/n@{int} r,
@{sys}/ r, @{sys}/ r,
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/pci/devices/ r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/hidraw/ r, @{sys}/class/hidraw/ r,
@{sys}/class/input/ r, @{sys}/class/input/ r,
@{sys}/class/net/ r, @{sys}/class/net/ r,
@{sys}/devices/@{pci}/class r, @{sys}/devices/ r,
@{sys}/devices/@{pci}/i2c-@{int}/{,**/}report_descriptor r, @{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/sound/card@{int}/** r, @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
@{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/input/input@{int}/properties r, @{sys}/devices/**/input/input@{int}/properties r,
@{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/** r, @{sys}/devices/system/ r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/bios_version r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/net/*/ r, @{sys}/devices/virtual/net/*/ r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{sys}/kernel/ r, @{sys}/kernel/ r,
@{sys}/power/suspend_stats/success rk, @{sys}/power/suspend_stats/success rk,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pids}/comm rk, @{PROC}/@{pid}/comm rk,
@{PROC}/@{pids}/net/route r, @{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pids}/stat r,
@{PROC}/locks r,
@{PROC}/@{pid}/net/* r, @{PROC}/@{pid}/net/* r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/stat r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/locks r,
@{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/sched_autogroup_enabled r,
@{PROC}/sys/kernel/unprivileged_userns_clone r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
@{PROC}/sys/user/max_user_namespaces r,
@{PROC}/version r, @{PROC}/version r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/autogroup rw,
owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/cmdline rk,
owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/status r,
/dev/hidraw@{int} rw,
/dev/input/ r, /dev/input/ r,
/dev/input/event@{int} r,
/dev/tty rw,
/dev/uinput w, /dev/uinput w,
audit deny /**.steam_exec_test.sh rw, deny /opt/** r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
profile lspci { profile web flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/bwrap>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
ptrace trace peer=steam//web,
signal receive set=kill peer=steam,
unix receive type=stream,
@{bin}/ldconfig rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/true rix,
@{bin}/localedef rix,
@{bin}/readlink rix,
@{lib_dirs}/** mr,
@{lib_dirs}/steamwebhelper rix,
@{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
@{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{lib}/pressure-vessel/from-host/** rix,
@{run}/host/@{bin}/* rix,
@{run}/host/@{lib}/** rix,
@{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr,
@{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w,
@{run}/host/{,**} r,
/etc/machine-id r,
@{lib}/ r,
/usr/local/lib/ r,
/var/tmp/ r,
owner /bindfile@{rand6} rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner /var/pressure-vessel/ldso/* rw,
owner @{HOME}/.pki/ rw,
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
owner @{lib_dirs}/.cef-* wk,
owner @{share_dirs}/{,**} r,
owner @{share_dirs}/config/** rwk,
owner @{share_dirs}/logs/** rwk,
owner @{share_dirs}/clientui/** k,
owner @{share_dirs}/public/** k,
@{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk,
owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
/dev/shm/ r,
owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner @{run}/pressure-vessel/** r,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
/dev/hidraw@{int} rw,
/dev/tty rw,
include if exists <local/steam_web>
}
profile check flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/common/bwrap>
include <abstractions/nameservice-strict>
unix receive type=stream,
@{bin}/true rix,
@{lib_dirs}/** mr,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix,
/ r,
owner @{HOME}/.steam/root r,
owner @{HOME}/.steam/steam r,
owner @{share_dirs}/ r,
@{PROC}/@{pid}/cgroup r,
include if exists <local/steam_check>
}
profile lspci flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
unix receive type=stream,
@{bin}/lspci mr, @{bin}/lspci mr,
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
@ -256,5 +382,18 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include if exists <local/steam_lspci> include if exists <local/steam_lspci>
} }
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
include if exists <local/steam_systemctl>
}
include if exists <local/steam> include if exists <local/steam>
} }
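Review bot: The journalctl transition, its target profile and the signal rule disagree on a name: `@{bin}/journalctl rPx -> systemctl,` asks for a global profile named `systemctl`, the child declared near the end of the steam profile is `profile systemctl { ... }` (reachable only through a `cx` transition), and the signal rule references `steam//journalctl`, which is declared nowhere. As written the child profile and its journal rules are dead and the signal rule never matches; the two lines should probably read `@{bin}/journalctl rCx -> systemctl,` and `signal send peer=steam//systemctl,`. Separately, that child reads `/{run,var}/log/journal/@{hex32}/system.journal*` and `system@@{hex}.journal*`, which hands the launcher the whole system log when its user can read it; if Steam only needs the user journal, dropping the two system.journal rules is a cheap tightening. The `web` and `check` children are in complain mode, which the commit message already flags as alpha, but `@{run}/host/@{bin}/* rix,` in `web` presumably lets the network-facing steamwebhelper execute any host binary inline once enforcement is turned on, so it deserves a TODO before the profile leaves alpha.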


@ -6,9 +6,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam @{arch} = amd64 i386
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime} = SteamLinuxRuntime_sniper
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/fossilize_replay @{exec_path} = @{lib_dirs}/fossilize_replay
profile steam-fossilize @{exec_path} flags=(attach_disconnected) { profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
@ -17,17 +20,22 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/X-strict> include <abstractions/X-strict>
signal receive peer=steam,
@{exec_path} mr, @{exec_path} mr,
@{lib_dirs}/*.so* mr, @{lib_dirs}/** mr,
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
owner @{share_dirs}/logs/container-runtime-info.txt.@{rand6} rw,
owner @{share_dirs}/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw,
owner @{share_dirs}/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk, owner @{share_dirs}/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk,
owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw, owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw,
owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk, owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/cpumap r,
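Review bot: `@{lib_dirs}/** mr,` replaces the `*.so*` form and now lets fossilize_replay map any file under `@{lib_dirs}` executable, and `@{lib_dirs}` in this commit also spans `@{share_dirs}/linux{32,64}`, so the map-exec surface grows well beyond shared objects. The gameoverlayui profile in the same commit keeps the narrower `@{lib_dirs}/**.so* mr,`; using that here would keep the two consistent unless fossilize really maps non-.so files. If the wider form is intentional, a comment on the rule naming the non-library files that need `m` would justify it. The enclosing profile body continues past this hunk.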


@ -1,225 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for steam games
# TODO:
# Split this profile in three:
# - steam-game-native for native linux games
# - steam-runtime for all runtime related task up to the creation of the sandbox
# - steam-game-proton for the sandboxed proton games
#
# Tasks:
# - AppArmor supports for {*^} regex, or find an alternative
# - AppArmor supports change profile from pivot_root
# - Stack steam//&game to bypass no-new-privs issue
#
# The current version of this profile is not very useful as it is very similar
# to the main steam profile.
abi <abi/3.0>,
include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam
@{lib_dirs} = @{share_dirs}/ubuntu@{int}_{32,64}
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
@{exec_path} = @{share_dirs}/steamapps/common/*/**
@{exec_path} += @{lib_dirs}/steam-runtime-sniper/*entry-point
profile steam-game @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/bwrap>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/ssl_certs>
capability dac_override,
capability dac_read_search,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
signal (receive) peer=steam,
unix (receive) type=stream,
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/bwrap rix,
@{bin}/env rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/localedef rix,
@{bin}/python3.@{int} rix,
@{bin}/readlink rix,
@{bin}/steam-runtime-launcher-interface-* rix,
@{bin}/steam-runtime-system-info rix,
@{bin}/timeout rix,
@{bin}/true rix,
@{bin}/uname rix,
@{bin}/xdg-open rPx,
@{lib}/pressure-vessel/from-host/@{bin}/* rix,
@{lib}/pressure-vessel/from-host/@{lib}/** rix,
@{lib}/steam-runtime-tools*/* mrix,
@{lib_dirs}/{,**} r,
@{lib_dirs}/**.so* mr,
@{lib_dirs}/reaper rix,
@{lib_dirs}/steam-launch-wrapper rm,
@{lib_dirs}/steam-runtime/@{lib}/** mrix,
@{runtime_dirs}/pressure-vessel/@{bin}/ r,
@{runtime_dirs}/pressure-vessel/@{bin}/* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/ r,
@{runtime_dirs}/pressure-vessel/@{lib}/** mrix,
@{runtime_dirs}/run rix,
@{share_dirs}/@{bin}/ r,
@{share_dirs}/@{bin}/* mr,
@{share_dirs}/d3ddriverquery64.dxvk-cache rw,
@{share_dirs}/legacycompat/ r,
@{share_dirs}/legacycompat/** mr,
@{share_dirs}/linux{32,64}/ r,
@{share_dirs}/linux{32,64}/**.so* mr,
@{share_dirs}/standalone_installscript_progress_@{int}.vdf rw,
@{share_dirs}/steamapps/common/*/* mr,
@{share_dirs}/steamapps/common/Proton*/ r,
@{share_dirs}/steamapps/common/Proton*/files/@{bin}/* mrix,
@{share_dirs}/steamapps/common/Proton*/files/@{lib}/** mrix,
@{share_dirs}/steamapps/common/Proton*/proton rix,
@{share_dirs}/steamapps/compatdata/@{int}/pfx/**.dll rm,
@{user_games_dirs}/*/* mr,
@{user_games_dirs}/*/**.dll mr,
@{run}/host/usr/bin/ldconfig rix,
@{run}/host/usr/lib{,32,64}/**.so* rm,
@{run}/host/usr/bin/localedef rix,
/usr/share/terminfo/** r,
/etc/machine-id r,
/etc/udev/udev.conf r,
/var/lib/dbus/machine-id r,
/ r,
/{usr/,}{local/,} r,
/{usr/,}{local/,}lib{,32,64}/ r,
/bindfile@{rand6} rw,
/home/ r,
/tmp/ r,
owner /var/pressure-vessel/** rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner @{HOME}/ r,
owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/{,*/} r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/unity3d/{,**} rwk,
owner @{share_dirs}/ r,
owner @{share_dirs}/* r,
owner @{share_dirs}/*log* rw,
owner @{share_dirs}/config/config.vdf* rw,
owner @{share_dirs}/logs/{,*} rw,
owner @{share_dirs}/shader_cache_temp*/fozpipelinesv*/{,**} rw,
owner @{share_dirs}/steamapps/ r,
owner @{share_dirs}/steamapps/common/ r,
owner @{share_dirs}/steamapps/common/*/ r,
owner @{share_dirs}/steamapps/common/*/** rwkl,
owner @{share_dirs}/steamapps/common/Proton*/files/share/{,**} r,
owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
owner @{share_dirs}/userdata/**/remotecache.vdf rw,
@{run}/host/ r,
@{run}/host/container-manager r,
@{run}/host/fonts/{,**} r,
@{run}/host/share/{,**} r,
@{run}/host/usr/{,**} r,
owner @{run}/pressure-vessel/{,**} rw,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#@{int} rw,
owner /dev/shm/mono.* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner /dev/shm/wine-*-fsync rw,
owner @{tmp}/ r,
owner @{tmp}/.wine-@{int}/ rw,
owner @{tmp}/.wine-@{int}/** rwk,
owner @{tmp}/.wine-@{uid}/server-*/* rwk,
owner @{tmp}/#@{int} rw,
owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
owner @{tmp}/miles_image_* mr,
owner @{tmp}/pressure-vessel-*/{,**} rwl,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/sound/card@{int}/** r,
@{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/** r,
@{sys}/devices/system/node/node[0-9]/cpumap r,
@{sys}/devices/system/node/online r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/kernel/ r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/net/route r,
@{PROC}/sys/net/core/bpf_jit_enable r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/pagemap r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/* rw,
/dev/tty rw,
/dev/uinput rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/steam-game>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/*/**
profile steam-game-native @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/steam-game>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network unix stream,
signal receive peer=steam,
@{exec_path} rmix,
@{sh_path} rix,
@{app_dirs}/** mr,
@{lib_dirs}/** mr,
include if exists <local/steam-game-native>
}
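Review bot: Every file under every game directory attaches to this single profile and is executable inline (`@{exec_path} = @{app_dirs}/*/**` with `@{exec_path} rmix,`), while the shared abstraction it includes grants `owner @{share_dirs}/steamapps/common/*/** rwlk,`, so within this profile the whole steamapps/common tree is both writable and executable and one native game can rewrite and run another's binaries. That is probably unavoidable with a path-attached profile, but it should be stated in the header so nobody reads the profile as a per-game boundary, e.g. `# All native games share this profile: the game tree is writable and executable here, so games are not isolated from each other.` Note also that, unlike the proton profile, nothing here pulls in bwrap, which matches the architecture comment that native games are not sandboxed.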


@ -0,0 +1,107 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap
profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/bwrap>
include <abstractions/common/steam-game>
include <abstractions/python>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network unix stream,
signal receive peer=steam,
@{exec_path} mr,
@{bin}/bwrap mrix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/ldconfig rix,
@{bin}/localedef rix,
@{bin}/python3.@{int} rix,
@{bin}/readlink rix,
@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{bin}/steam-runtime-system-info rix,
@{bin}/steam-runtime-urlopen rix,
@{bin}/true rix,
@{bin}/chmod rix,
@{open_path} rix,
@{lib_dirs}/** mr,
@{lib}/pressure-vessel/from-host/@{bin}/* rix,
@{lib}/pressure-vessel/from-host/@{lib}/** rix,
@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{app_dirs}/** mr,
@{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{app_dirs}/Proton*/files/@{bin}/* rix,
@{app_dirs}/Proton*/files/@{lib}/** rix,
@{app_dirs}/Proton*/proton rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{run}/host/@{bin}/ldconfig rix,
@{run}/host/@{bin}/localedef rix,
@{run}/host/@{lib}/** mr,
@{share_dirs}/bin/d3ddriverquery64.exe mr,
@{share_dirs}/steamapps/compatdata/@{int}/pfx/** mr,
@{user_games_dirs}/** mr,
owner /bindfile@{rand6} rw,
owner /var/pressure-vessel/** rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
owner @{app_dirs}/Proton*/** rwkl,
owner @{share_dirs}/*.dll r,
owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
owner @{share_dirs}/legacycompat/ r,
owner @{share_dirs}/legacycompat/** mr,
owner @{user_share_dirs}/applications/wine/ rw,
owner @{user_share_dirs}/applications/wine/**/ rw,
owner @{tmp}/ r,
owner @{tmp}/.wine-@{uid}/ rw,
owner @{tmp}/.wine-@{uid}/** rwk,
owner @{tmp}/glx-icds-@{rand6}/{,**} w,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w,
owner /dev/shm/wine-@{hex6}-fsync rw,
owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
@{run}/host/fonts/{,**} r,
@{run}/host/share/{,**} r,
@{run}/host/usr/{,**} r,
owner @{run}/pressure-vessel/{,**} r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{sys}/devices/system/node/online r,
@{PROC}/@{pids}/net/* r,
@{PROC}/sys/net/core/bpf_jit_enable r,
include if exists <local/steam-game-proton>
}


@ -6,9 +6,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam @{arch} = amd64 i386
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime} = SteamLinuxRuntime_sniper
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/gameoverlayui @{exec_path} = @{lib_dirs}/gameoverlayui
profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
@ -19,15 +22,16 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network unix stream,
unix (receive) type=stream,
@{exec_path} mr, @{exec_path} mr,
@{lib_dirs}/*.so* mr, @{lib_dirs}/**.so* mr,
@{lib_dirs}/steam-runtime/@{lib}/**.so* mr, @{runtime_dirs}/@{lib}/**.so* mr,
/usr/share/fonts/{,**} rk, # ? @{lib_dirs}/steamerrorreporter rpx,
/usr/share/fonts/{,**} rk,
/ r, / r,
/home/ r, /home/ r,
@ -45,15 +49,19 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
owner @{share_dirs}/userdata/@{int}/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk,
owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner @{tmp}/gameoverlayui.log* rw, owner @{tmp}/gameoverlayui.log* rw,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
owner @{tmp}/miles_image_* mrw,
@{sys}/ r, @{sys}/ r,
@{sys}/kernel/ r, @{sys}/kernel/ r,
@{sys}/devices/ r,
@{sys}/devices/system/ r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{PROC}/version r, @{PROC}/version r,
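Review bot: The new `# ? @{lib_dirs}/steamerrorreporter rpx,` line in the second hunk is a disabled rule whose only annotation is a question mark, so the next reader cannot tell whether the transition was observed and deliberately left out or is still to be confirmed. Replace the marker with a sentence such as `# TODO: steamerrorreporter transition not yet observed; enable once confirmed` and, if it is enabled as written, note that lowercase `p` passes the caller's environment through to the steamerrorreporter profile, whereas `@{share_dirs}/steam.sh rPx,` elsewhere in this commit scrubs it. The widening from `@{lib_dirs}/*.so* mr,` to `@{lib_dirs}/**.so* mr,` just above it is reasonable for a nested runtime tree, but a short reason on the line would keep it from being tightened back later.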


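--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+@{exec_path} = @{bin}/steam @{bin}/steam-runtime
+profile steam-launch @{exec_path} {
+include <abstractions/base>
+include <abstractions/python>
+network unix stream,
+@{exec_path} mr,
+@{sh_path} rix,
+@{bin}/cp rix,
+@{bin}/dirname rix,
+@{bin}/env rix,
+@{bin}/id rix,
+@{bin}/readlink rix,
+@{lib}/steam/steam rix,
+@{lib}/steam/bin_steam.sh rix,
+@{share_dirs}/steam.sh rPx,
+/usr/ r,
+/usr/local/ r,
+owner @{share_dirs}/bootstrap.tar.xz rw,
+/dev/tty rw,
+deny /opt/** r,
+include if exists <local/steam-launch>
+}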
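Review bot: `deny /opt/** r,` near the end of the new steam-launch profile carries no rationale, and an explicit deny in a profile that otherwise grants nothing under /opt reads as a leftover; a comment such as `# Silence reads of third-party installs under /opt probed by the launcher script` (or whatever denial was actually observed) would make it reviewable. The header defines `@{arch}`, `@{runtime}`, `@{runtime_dirs}` and `@{app_dirs}` but this profile never references them; the new steam-launcher section likewise defines `@{runtime}` and `@{app_dirs}` without using them. If the header block is intentionally kept identical across the steam profiles, a one-line comment saying so would stop readers from hunting for a use; otherwise drop the unused definitions.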


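--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{arch} = amd64 i386
+@{runtime} = SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
+@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
+@{app_dirs} = @{share_dirs}/steamapps/common/
+@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service
+profile steam-launcher @{exec_path} flags=(attach_disconnected) {
+include <abstractions/base>
+network unix stream,
+signal receive peer=steam,
+@{exec_path} mr,
+@{lib_dirs}/** mr,
+include if exists <local/steam-launcher>
+}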
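Review bot: `@{lib_dirs}/** mr,` grants mmap-executable (`m`) over every file in the Steam library tree, which sits under the user-writable `@{share_dirs}`, while the steam-gameoverlayui hunk in this same commit narrows the equivalent rule to `@{lib_dirs}/**.so* mr,`. Unless steam-runtime-launcher-service is known to map non-.so files, `@{lib_dirs}/**.so* mr,` is the tighter form and keeps the two profiles consistent. A short header comment stating that this service appears to be started by the steam profile (hence `signal receive peer=steam,`) and only communicates over unix sockets would also document why `network unix stream,` is the only network rule.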


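--- a/<path not shown on page>
+++ /dev/null
@@ -1,40 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-abi <abi/3.0>,
-include <tunables/global>
-@{share_dirs} = @{user_share_dirs}/Steam
-@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
-@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
-@{exec_path} = @{lib_dirs}/reaper
-profile steam-reaper @{exec_path} flags=(attach_disconnected) {
-include <abstractions/base>
-include <abstractions/graphics>
-unix (receive) type=stream,
-@{exec_path} mr,
-@{lib_dirs}/*.so* mr,
-@{lib_dirs}/steam-runtime/@{lib}/**.so* mr,
-@{lib_dirs}/steam-launch-wrapper rpx -> steam-game,
-@{share_dirs}/steamapps/common/*/* rpx -> steam-game,
-owner @{HOME}/.steam/steam.pipe r,
-owner @{share_dirs}/userdata/**/remotecache.vdf rw,
-owner /dev/shm/u@{uid}-Shm_@{hex} rw,
-owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
-@{sys}/devices/system/cpu/cpu@{int}/** r,
-deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-include if exists <local/steam-reaper>
-}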


@ -6,38 +6,77 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam @{arch} = amd64 i386
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime} = SteamLinuxRuntime_sniper
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{bin}/steam @{bin}/steam-runtime @{exec_path} = @{lib_dirs}/reaper
profile steam-runtime @{exec_path} { profile steam-runtime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/audio-client>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
include <abstractions/X-strict>
unix (receive) type=stream, network unix stream,
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} r,
@{bin}/cp rix, @{bin}/getopt rix,
@{bin}/dirname rix, @{bin}/readlink rix,
@{bin}/env rix,
@{bin}/id rix,
@{bin}/readlink rix,
@{lib}/steam/steam rix, @{lib_dirs}/** mr,
@{lib}/steam/bin_steam.sh rix, @{lib_dirs}/steam-launch-wrapper rix,
@{share_dirs}/steam.sh rPx,
/usr/ r, # Native linux games (steam-game-native)
/usr/local/ r, @{app_dirs}/[^S]*/** rpx -> steam-game-native,
owner @{share_dirs}/bootstrap.tar.xz rw, # Proton games, sandboxed (steam-game-proton)
@{app_dirs}/@{runtime}/*entry-point rmix,
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton,
@{app_dirs}/@{runtime}/run rix,
@{bin}/bwrap rpx -> steam-game-proton,
/ r,
@{lib}/ r,
@{lib_dirs}/ r,
owner @{HOME}/.steam/steam.pipe r,
owner @{app_dirs}/*/ r,
owner @{app_dirs}/@{runtime}/** r,
owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
owner @{app_dirs}/@{runtime}/var/** rwk,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
owner @{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner @{run}/user/@{uid}/ r,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw, /dev/tty rw,
deny /opt/** r,
include if exists <local/steam-runtime> include if exists <local/steam-runtime>
} }
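Review bot: `@{app_dirs}/[^S]*/** rpx -> steam-game-native,` excludes every game installed in a directory whose name starts with a capital S, not just `@{runtime}` (SteamLinuxRuntime_sniper); such a game has no matching exec rule in this profile, so its launch is denied (logged while the profile is in complain mode, per the flags change in this commit). The `[^S]` looks like a way to avoid a conflicting exec rule with the `@{app_dirs}/@{runtime}/...` lines, which the parser would likely reject; if so, say that in the comment, e.g. `# [^S] avoids a conflicting x rule with @{runtime}; native games under S*/ are not covered yet`. Separately, lowercase `p` in `rpx` keeps the caller's environment across the transitions to steam-game-native and steam-game-proton; if game launches depend on the environment Steam sets up, a comment saying so would pre-empt the recurring `rPx` question.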


@ -6,12 +6,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam @{arch} = amd64 i386
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime} = SteamLinuxRuntime_sniper
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{share_dirs}/linux{32,64}/steamerrorreporter @{exec_path} = @{lib_dirs}/steamerrorreporter
profile steamerrorreporter @{exec_path} { profile steamerrorreporter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -19,14 +22,14 @@ profile steamerrorreporter @{exec_path} {
network inet stream, network inet stream,
network inet6 dgram, network inet6 dgram,
network inet6 stream, network inet6 stream,
network unix stream,
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
owner @{lib_dirs}/ r, owner @{lib_dirs}/{,**} r,
owner @{lib_dirs}/steam-runtime/pinned_libs_{32,64}/ r, owner @{runtime_dirs}/pinned_libs_{32,64}/ r,
owner @{share_dirs}/ r, owner @{share_dirs}/ r,
owner @{tmp}/dumps/ r, owner @{tmp}/dumps/ r,


@ -298,11 +298,13 @@ startplasma complain
startx attach_disconnected,complain startx attach_disconnected,complain
steam attach_disconnected,mediate_deleted,complain steam attach_disconnected,mediate_deleted,complain
steam-fossilize attach_disconnected,complain steam-fossilize attach_disconnected,complain
steam-game attach_disconnected,complain steam-game-native attach_disconnected,complain
steam-game-proton attach_disconnected,complain
steam-gameoverlayui attach_disconnected,complain steam-gameoverlayui attach_disconnected,complain
steam-reaper attach_disconnected,complain steam-launch complain
steam-runtime complain steam-launcher attach_disconnected,complain
steamerrorreporter complain steam-runtime attach_disconnected,complain
steamerrorreporter attach_disconnected,complain
sulogin complain sulogin complain
switcherooctl complain switcherooctl complain
swtpm complain swtpm complain


@ -17,8 +17,10 @@ man
plasma-discover plasma-discover
steam steam
steam-fossilize steam-fossilize
steam-game steam-game-native
steam-game-proton
steam-gameoverlayui steam-gameoverlayui
steam-reaper steam-launch
steam-launcher
steam-runtime steam-runtime
steamerrorreporter steamerrorreporter