diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game new file mode 100644 index 000000000..a3619b164 --- /dev/null +++ b/apparmor.d/abstractions/common/game @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Core set of resources for any games on Linux. Runtimes such as sandboxing, +# wine, proton, game launchers should use this abstraction. + +# This abstraction use the following tunables: +# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") +# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) + + include + include + include + include + include + include + include + + @{bin}/uname rix, + @{bin}/xdg-settings rPx, + @{browsers_path} rPx, + + @{bin}/env r, + + @{lib}/ r, + / r, + /home/ r, + /usr/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, + + owner @{user_games_dirs}/ r, + owner @{user_games_dirs}/*/ r, + owner @{user_games_dirs}/*/{,**} rwkl, + + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/crashes/ rw, + owner @{tmp}/crashes/** rwk, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/net/*/carrier r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/system/ r, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/*/carrier r, + @{sys}/kernel/ r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/uptime r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/tty rw, + /dev/uinput rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index c6a7aff75..4bd211f27 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -2,45 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include - include - include - include - include - - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, - - @{bin}/env r, + include @{lib_dirs}/ r, - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, - owner @{user_games_dirs}/ r, - owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{app_dirs}/ r, owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" @@ -56,19 +24,6 @@ owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -76,53 +31,6 @@ owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/tty rw, - /dev/uinput rw, - include if exists # vim:syntax=apparmor diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 82c7f4b04..1e075e66c 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -122,6 +122,15 @@ A minimal set of rules for all electron based UI applications. It works as a *fu @{cache_dirs} = @{user_cache_dirs}/@{name} ``` +### **`common/game`** + +Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. + +This abstraction uses the following tunables: + +- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`) +- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir) + ### **`common/systemd`** Common set of rules for internal systemd suite.