feat(profiles): general update.

2022-08-31 21:54:33 +01:00 · 2022-08-31 21:54:33 +01:00 · 0f61c4649c
commit 0f61c4649c
parent 0238adaaf1
23 changed files with 207 additions and 199 deletions
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -86,7 +86,7 @@ profile steam @{exec_path} {
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh  rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{amd64,i386}/usr/bin/* rix,
-  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**.so*  mr,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix,

@ -140,6 +140,7 @@ profile steam @{exec_path} {
  owner /tmp/sh-thd.* rw,
  owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
  owner /tmp/miles_image_* mrw,
+  owner /tmp/runtime-info.txt.* rw,

  @{run}/udev/data/+input* r,      # for mouse, keyboard, touchpad
  @{run}/udev/data/+sound* r,
@ -147,7 +148,7 @@ profile steam @{exec_path} {

  @{run}/udev/data/c13:[0-9]*  r,  # for /dev/input/*
  @{run}/udev/data/c116:[0-9]* r,  # for ALSA
-  @{run}/udev/data/c241:[0-9]* r,
+  @{run}/udev/data/c24[0-9]:[0-9]* r,
  @{run}/udev/data/n[0-9]* r,

  @{sys}/ r,
@ -167,6 +168,9 @@ profile steam @{exec_path} {
  @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
  @{sys}/devices/system/cpu/** r,
  @{sys}/devices/system/node/ r,
+  @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+  @{sys}/devices/virtual/dmi/id/product_{name,version} r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/net/*/ r,
  @{sys}/devices/virtual/tty/tty[0-9]/active r,
  @{sys}/kernel/ r,
@ -176,6 +180,7 @@ profile steam @{exec_path} {
        @{PROC}/@{pids}/comm rk,
        @{PROC}/@{pids}/net/route r,
        @{PROC}/@{pids}/stat r,
+        @{PROC}/1/cgroup r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/sched_autogroup_enabled r,
        @{PROC}/sys/kernel/unprivileged_userns_clone r,
@ -193,7 +198,9 @@ profile steam @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/status r,

  /dev/input/ r,
+  /dev/input/event[0-9]* r,
  /dev/tty rw,
+  /dev/uinput w,

  audit deny /**.steam_exec_test.sh rw,

--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@ -21,7 +21,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.steam/steam.pipe r,

-  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,*} rw,
+  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,**} rw,
  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/mesa_shader_cache_sf/{,**} rwk,
  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw,
  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk,
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ b/apparmor.d/profiles-s-z/steam-reaper
@ -17,6 +17,7 @@ profile steam-reaper @{exec_path} {

  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so*  mr,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rpx -> steam-game,

  @{user_share_dirs}/Steam/steamapps/common/*/* rpx -> steam-game,

--- a/apparmor.d/profiles-s-z/whereis
+++ b/apparmor.d/profiles-s-z/whereis
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,31 +14,29 @@ profile whereis @{exec_path} flags=(complain) {

  @{exec_path} mr,

-  /{usr/,}{local/,}{s,}bin/ r,
-  /{usr/,}lib/go-*/bin/ r,
+  /{usr/,}{local/,}{s,}bin/{,*/} r,
  /{usr/,}{local/,}games/ r,
+  /{usr/,}lib/go-*/bin/ r,

-  /etc/ r,
-
+  @{libexec}/ r,
  /{usr/,}lib{,32,64}/ r,
-  /usr/local/{,etc/,lib/} r,
+  /usr/{local/,}{,etc/,lib/} r,
  /usr/include/ r,
  /usr/share/ r,
  /usr/share/info/{**,} r,
  /usr/share/man/{**,} r,
  /usr/src/{**,} r,

-  @{libexec}/ r,
-
  /opt/ r,
  /opt/cni/bin/ r,
  /opt/containerd/bin/ r,

  /snap/bin/ r,
+  /var/lib/flatpak/exports/bin/ r,

-  owner @{HOME}/{.local/,}/{.,}bin/ r,
  owner @{HOME}/.krew/bin/ r,
-  owner @{HOME}/go/bin/ r,
+  owner @{HOME}/{.,}go/bin/ r,
+  owner @{HOME}/{.local/,}{.,}bin/ r,

  include if exists <local/whereis>
 }
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,6 +14,8 @@ profile whiptail @{exec_path} flags=(complain) {

  @{exec_path} mr,

+  /etc/newt/palette.ubuntu r,
+
  owner /tmp/gpm* w,

  include if exists <local/whiptail>