feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2022-09-24 18:06:06 +01:00
parent ae6cecde52
commit f2989321eb
37 changed files with 120 additions and 32 deletions


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,19 +12,23 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/command-not-found
profile command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/snap rPx,
/var/lib/command-not-found/commands.db rwk,
/usr/share/command-not-found/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
# Silencer
deny /usr/lib/ r,
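Review bot: `/var/lib/command-not-found/commands.db rwk,` grants write access to the system command database from a profile that, judging by the `consoles` include and the `rPx` hand-offs to lsb_release and snap, covers the interactive user-side lookup; if that path only reads the SQLite file, `r` plus `k` (SQLite takes locks even for reads) is enough and `w` should go. DAC already stops an unprivileged user from writing the root-owned file, so the `w` mostly matters when the tool runs as root, where a bug or crafted input could corrupt the database. Suggested line: `/var/lib/command-not-found/commands.db rk,`. I cannot tell from the rendered hunk whether this line is new or merely reordered; the question stands either way.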


@ -251,10 +251,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
deny owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/statm r,


@ -22,8 +22,8 @@ profile polkitd @{exec_path} {
ptrace (read),
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members
dbus (send) bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -31,7 +31,7 @@ profile polkitd @{exec_path} {
peer=(name=org.freedesktop.DBus),
dbus (bind) bus=system
name=org.freedesktop.PolicyKit[0-9],
name=org.freedesktop.PolicyKit1,
@{exec_path} mr,


@ -49,6 +49,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
# Allowed apps to open
/{usr/,}bin/firefox rPx -> firefox,
/{usr/,}bin/nautilus rPx,
/ r,
/.flatpak-info r,


@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,


@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} {
@{exec_path} mr,
owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/user-dirs.locale r,


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,


@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/bwrap rPUx,
/{usr/,}bin/openvpn rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}bin/software-properties-gtk rPx,
/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix,


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
profile gnome-extension-ding @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>


@ -164,13 +164,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/udev/data/n[0-9]* r,
@{sys}/**/uevent r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hwmon/ r,
@{sys}/class/input/ r,
@{sys}/class/net/ r,
@{sys}/class/power_supply/ r,
@{sys}/**/uevent r,
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@ -180,6 +180,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,


@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/gtk>
signal (send) set=(term hup kill) peer=unconfined,
ptrace (read) peer=unconfined,
@{exec_path} mr,
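Review bot: `ptrace (read) peer=unconfined,` carries no comment saying why gnome-terminal-server needs to inspect unconfined processes, whereas the `signal` rule above it at least names the signals it sends. `ptrace read` is the permission that gates access to another process's `/proc/<pid>/{cwd,environ,maps,...}`, so this widens what the terminal can learn about every unconfined process on the system, not just its children. The likely reason is reading the child shell's `/proc/<pid>/cwd` for tab titles and "open new tab in same directory", but that is my inference; if it is correct, document it, e.g. `ptrace (read) peer=unconfined, # read /proc/<pid>/cwd of the child shells`, so the next reader neither loosens nor removes it blindly.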


@ -38,6 +38,12 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.Avahi.Server
member=StateChanged,
dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*}
interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager},
dbus bind bus=session
name=org.gnome.SettingsDaemon.PrintNotifications,
@{exec_path} mr,
@{libexec}/gsd-printer rPx,


@ -36,6 +36,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.NetworkManager
member=CheckPermissions,
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=StateChanged,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,


@ -59,6 +59,8 @@ profile tracker-extract @{exec_path} {
@{run}/udev/data/c51[0-9]:[0-9]* r,
@{run}/mount/utab r,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
@ -67,5 +69,7 @@ profile tracker-extract @{exec_path} {
/dev/media[0-9]* r,
/dev/video[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/** r,
include if exists <local/tracker-extract>
}


@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
profile gvfsd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
@{exec_path} mr,


@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-fuse
profile gvfsd-fuse @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),


@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-metadata
profile gvfsd-metadata @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
include <abstractions/disks-read>


@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-trash
profile gvfsd-trash @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
profile mullvad-daemon @{exec_path} {
profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/ip rix,
"/opt/Mullvad VPN/resources/openvpn" rix,
"/opt/Mullvad VPN/resources/*" r,
/etc/mullvad-vpn/{,*} r,
@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} {
@{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
owner /tmp/@{uuid} rw,
owner /tmp/talpid-openvpn-@{uuid} rw,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
/dev/net/tun rw,
include if exists <local/mullvad-daemon>
}
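Review bot: `"/opt/Mullvad VPN/resources/openvpn" rix,` runs the bundled OpenVPN inside the mullvad-daemon profile, so it inherits everything the daemon now holds — `/dev/net/tun rw`, the writable `@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark`, the net_cls cgroup writes and `/{usr/,}bin/ip`. OpenVPN parses configuration pushed by the remote server, which makes it the component most worth isolating; the `rPx` rule for `/{usr/,}bin/openvpn` elsewhere on this page suggests an `openvpn` profile already exists, and an explicit target works regardless of the /opt path: `"/opt/Mullvad VPN/resources/openvpn" rPx -> openvpn,`. If that profile does not cover the talpid-specific paths (`/tmp/talpid-openvpn-@{uuid}`, the `/opt/Mullvad VPN/resources/*` reads), a child profile via `rCx -> openvpn` is the fallback; either way please add a comment stating which paths the child needs.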


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/tailscaled
profile tailscaled @{exec_path} {
profile tailscaled @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@ -22,6 +22,8 @@ profile tailscaled @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network inet raw,
network inet6 raw,
network netlink raw,
ptrace (read),
@ -39,8 +41,9 @@ profile tailscaled @{exec_path} {
/etc/resolv.conf rw,
/etc/resolv.conf.*.tmp rw,
owner /var/lib/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw,
owner /var/cache/{,**} rw,
owner /var/lib/tailscale/{,**} rw,
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
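Review bot: `owner /var/cache/{,**} rw,` gives tailscaled read/write over the entire /var/cache tree, and because the daemon runs as root the `owner` qualifier matches nearly everything there (apt lists and archives, ldconfig and fontconfig caches, other packages' caches). That is a far larger blast radius than the rest of the profile, which scopes state to `/var/lib/tailscale/{,**}` and `@{run}/tailscale/{,**}`. If the daemon only needs its own cache directory, narrow it: `owner /var/cache/tailscale/{,**} rw,` (plus `/var/cache/ r,` if it enumerates the parent); if a wider path really is required, a comment naming what is written there would let the next reviewer judge it.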


@ -91,6 +91,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/mkinitcpio rPx,
/{usr/,}bin/pacdiff rPx,
/{usr/,}bin/pacman-key rPx,
/{usr/,}bin/sbctl rPx,
/{usr/,}bin/sysctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-* rPx,
@ -121,7 +122,7 @@ profile pacman @{exec_path} {
owner /var/lib/pacman/{,**} rwl,
owner /tmp/alpm_*/{,**} rw,
owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
owner /tmp/checkup-db-[0-9]*/db.lck rw,
owner @{PROC}/@{pid}/fd/ r,


@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} {
include <abstractions/apt-common>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/gtk>
include <abstractions/nameservice-strict>
include <abstractions/openssl>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
profile livepatch-notification @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/gtk>


@ -42,6 +42,7 @@ profile software-properties-dbus @{exec_path} {
/usr/share/xml/iso-codes/{,**} r,
owner /tmp/[a-z0-9]* rw,
owner /tmp/_[a-z0-9]* rw,
owner /tmp/tmp*/{,apt.conf} rw,
owner @{PROC}/@{pid}/fd/ r,


@ -11,6 +11,7 @@ profile update-notifier @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/audio>
include <abstractions/dbus-session-strict>
include <abstractions/dconf-write>
include <abstractions/fonts>
include <abstractions/gtk>
@ -18,6 +19,9 @@ profile update-notifier @{exec_path} {
include <abstractions/openssl>
include <abstractions/python>
dbus receive bus=session path=/org/ayatana/NotificationItem/*
member={GetLayout,GetGroupProperties,GetAll,AboutToShow},
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
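Review bot: the new `dbus receive bus=session path=/org/ayatana/NotificationItem/* member={GetLayout,GetGroupProperties,GetAll,AboutToShow},` rule lists members but no `interface=` and no `peer=`, so for example `GetAll` matches `org.freedesktop.DBus.Properties` and any other interface exposing a method of that name on those paths. The other dbus rules added in this commit (gsd-print-notifications, gsd-sharing) pin the interface; do the same here for consistency and readability, e.g. `interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}` — I am inferring the dbusmenu interface from the NotificationItem path and the GetLayout/AboutToShow members, so confirm it against the denial log before committing.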


@ -3,11 +3,13 @@
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Based on Libvirt Apparmor profile, it is largelly restricted from th
# Based on Libvirt Apparmor profile, it is largelly restricted from it.
# As upstream profile mostly focus on confining the guests. Not libvirt itself.
# It uses a lot of profiles provided by apparmor.d
# Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in
# Warning: Such a profile is limited as it gives access to a lot of resources.
abi <abi/3.0>,
include <tunables/global>
@ -213,9 +215,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/net_cls/machine.slice/ rw,
@{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/net/ip_tables_names r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/route r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/net/dev r,
@ -227,10 +227,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{PROC}/devices r,
@{PROC}/mtrr w,
@{PROC}/sys/net/ipv{4,6}/** rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/net/ip_tables_names r,
/dev/dri/ r,
/dev/hugepages/{,**} w,
/dev/kvm r,
/dev/kvm rw,
/dev/mapper/ r,
/dev/mapper/control rw,
/dev/net/tun rw,
@ -268,5 +271,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
/dev/net/tun rw,
}
include if exists <usr/libvirtd>
include if exists <local/libvirtd>
}
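Review bot: the rewritten header comment still carries spelling and grammar slips — `largelly` should be `largely`, and `it is largelly restricted from it. As upstream profile mostly focus on confining the guests. Not libvirt itself.` reads as three fragments. Suggest: `# Based on the libvirt AppArmor profile, but much more restrictive, as the upstream profile mostly focuses on confining the guests rather than libvirtd itself.` The new `# Warning:` line is a useful caveat; it becomes actionable if it names the resources it means — the `/dev/kvm rw`, `/dev/mapper/control rw`, `/dev/net/tun rw` and the broad `@{PROC}/sys/net/ipv{4,6}/** rw` visible below it.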


@ -29,7 +29,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{b,d}ash rix,
/{usr/,}bin/{b,d}ash rix,
/{usr/,}lib/gio-launch-desktop rix,
/{usr/,}bin/blueman-tray rPx,
/{usr/,}bin/xdg-open rCx -> open,
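Review bot: `/{usr/,}lib/gio-launch-desktop rix,` runs the GIO desktop-file launcher inside the blueman profile, and because `ix` is inherited the application named by the `.desktop` file's `Exec=` line runs under blueman's rules too — it either breaks against them or gets blueman's access, neither of which is intended. This sits oddly next to `/{usr/,}bin/xdg-open rCx -> open,` two lines below, which deliberately isolates the equivalent launcher in a child profile; if the launch targets are known they belong in explicit `rPx` rules, otherwise `rCx -> open` (or `rPUx`, as gnome-control-center uses for `bwrap` on this page) is the more honest transition. Also, `/{usr/,}bin/{b,d}ash rix,` appears twice in the hunk — if both copies survive on the new side, one is a duplicate to drop.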


@ -67,6 +67,7 @@ profile git @{exec_path} {
/{usr/,}bin/man rPx,
/{usr/,}bin/meld rPUx,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
/usr/share/aurpublish/*.hook rPx,
/{usr/,}bin/gpg rCx -> gpg,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -14,10 +15,10 @@ profile glxinfo @{exec_path} {
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/vulkan>
capability sys_admin,
# Needed?
deny capability sys_nice,
audit capability sys_nice,
@{exec_path} mr,
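Review bot: `audit capability sys_nice,` replaces `deny capability sys_nice,`, but `audit` is only a logging qualifier on an allow rule — the new line grants CAP_SYS_NICE and logs each use; it does not keep the previous restriction. If the intent behind `# Needed?` is to find out whether glxinfo ever asks for it, keep the denial and log it: `audit deny capability sys_nice,`, and the question is then answered by the audit log rather than by silently widening the profile. The `capability sys_admin,` just above deserves the same question, but that line is not touched by this commit.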


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -22,6 +22,10 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
/var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
owner @{user_share_dirs}/** r,
owner @{user_share_dirs}/**/.icon-theme.cache rw,
owner @{user_share_dirs}/**/icon-theme.cache rw,
deny /apparmor/.null rw,
include if exists <local/gtk-update-icon-cache>
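Review bot: `owner @{user_share_dirs}/** r,` lets the icon-cache tool read every file under the user's data directory — keyrings, browser and mail profiles, anything under ~/.local/share — which is far wider than the two `icon-theme.cache` write rules next to it need. The system-side rules in the same hunk are scoped to `.../exports/share/icons/hicolor/`; mirror that for the user side, e.g. `owner @{user_share_dirs}/icons/{,**} r,` and, if the flatpak user export is what the `**` is for, `owner @{user_share_dirs}/flatpak/exports/share/icons/{,**} r,`. If arbitrary theme directories really must be enumerated, a comment saying so would justify the wildcard.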


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/lspci
profile lspci @{exec_path} {
profile lspci @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>


@ -28,6 +28,8 @@ profile mtools @{exec_path} {
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
owner /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mtools>
}


@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap
profile snap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/dbus-session-strict>
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
@{exec_path} mrix,


@ -22,9 +22,9 @@ profile snap-seccomp @{exec_path} {
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
deny @{user_share_dirs}/gvfs-metadata/* r,
owner @{PROC}/@{pids}/mountinfo r,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/snap-seccomp>
}


@ -15,6 +15,15 @@ profile spice-vdagent @{exec_path} {
include <abstractions/gtk>
include <abstractions/X-strict>
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus),
dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
interface=org.gnome.Mutter.DisplayConfig
member=GetCurrentState,
@{exec_path} mr,
/etc/pipewire/client.conf r,
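Review bot: the second new dbus rule, `dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState,`, has no `peer=`, while the a11y rule directly above it pins `peer=(name=org.a11y.Bus)`; without it spice-vdagent may send `GetCurrentState` to any session peer exposing that path and interface, not only to the compositor. For consistency with the rule above, add `peer=(name=org.gnome.Mutter.DisplayConfig),`, or — since gnome-shell is confined by this profile set (see the gnome-shell hunk on this page) — `peer=(label=gnome-shell)`; confirm the choice against the denial log.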


@ -81,6 +81,7 @@ profile steam @{exec_path} {
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*driverquery rix,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay rPx,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui rpx,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
@ -107,6 +108,9 @@ profile steam @{exec_path} {
/{usr/,}lib{,32,64}/ r,
/etc/ r,
/home/ r,
/run/ r,
/usr/bin/ r,
/var/ r,
owner @{HOME}/ r,
owner @{HOME}/.local/ r,
@ -115,6 +119,8 @@ profile steam @{exec_path} {
owner @{HOME}/.steampath rw,
owner @{HOME}/.steampid rw,
owner @{user_games_dirs}/{,**} rwkl,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/unity3d/{,**} rwk,
@ -136,10 +142,11 @@ profile steam @{exec_path} {
owner /tmp/dumps/ rw,
owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
owner /tmp/sh-thd.* rw,
owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
owner /tmp/miles_image_* mrw,
owner /tmp/runtime-info.txt.* rw,
owner /tmp/sh-thd.* rw,
owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+sound* r,
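Review bot: `@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm,` allows every file under the panorama UI tree to be mapped executable, and that tree lives in the user-writable Steam install directory, so any file dropped there by a game, mod or malicious update becomes a permitted executable mapping. If only the shared objects need `m`, restrict it: `@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/**.so* rm,` with a plain `r` rule for the rest; if non-`.so` files are genuinely mapped PROT_EXEC, a comment naming them would explain the wildcard.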


@ -25,7 +25,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio>
include <abstractions/devices-usb>
include <abstractions/dri-common>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
@ -108,6 +107,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
@{user_games_dirs}/*/* mr,
@{user_games_dirs}/*/**.dll mr,
@{run}/host/usr/bin/ldconfig rix,
@{run}/host/usr/lib{,32,64}/**.so* rm,
@{run}/host/usr/bin/localedef rix,
@ -136,6 +138,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/{,*/} r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/unity3d/{,**} rwk,
@ -151,7 +156,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl,
owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r,
owner @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/{,**} rwk,
owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk,
owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
@ -161,6 +166,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
owner @{run}/pressure-vessel/{,**} rw,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#[0-9]* rw,
owner /dev/shm/mono.* rw,
@ -206,12 +212,13 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/setgroups rw,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,