From 847eb3deeb55860599284d58b30aad1176a05928 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 10 Mar 2023 10:22:23 +0000
Subject: [PATCH] feat(profiles): add steam_lib_dirs local variables.

---
 apparmor.d/profiles-s-z/steam | 33 ++++++++++++---------
 apparmor.d/profiles-s-z/steam-fossilize | 5 ++--
 apparmor.d/profiles-s-z/steam-game | 11 +++----
 apparmor.d/profiles-s-z/steam-gameoverlayui | 9 +++---
 apparmor.d/profiles-s-z/steam-reaper | 9 +++---
 5 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index e7ca32e68..26ac0143d 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -6,8 +6,9 @@ abi ,
 include
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
 @{exec_path} = @{user_share_dirs}/Steam/steam.sh
-profile steam @{exec_path} {
+profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
 include
 include
 include
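Review bot: The rewritten profile header adds `complain` to the flags, which puts the whole steam profile into log-only mode (denials are reported, not enforced), and nothing in the commit title "add steam_lib_dirs local variables" announces that downgrade. If complain mode is intentional while the new `@{steam_lib_dirs}` rules are being validated, it deserves its own commit or at least a comment above the profile such as `# complain: new @{steam_lib_dirs} rules still being validated, drop before release`; otherwise the line should read `profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {`. The profile body continues outside the hunk.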
@@ -82,22 +83,24 @@ profile steam @{exec_path} {
 /{usr/,}bin/zenity rix,
 /{usr/,}lib{32,64}/ld-linux.so* rix,
+ @{steam_lib_dirs}/*.so* mr,
+ @{steam_lib_dirs}/*driverquery rix,
+ @{steam_lib_dirs}/fossilize_replay rpx,
+ @{steam_lib_dirs}/gameoverlayui rpx,
+ @{steam_lib_dirs}/panorama/** rm,
+ @{steam_lib_dirs}/reaper rpx,
+ @{steam_lib_dirs}/steam rix,
+ @{steam_lib_dirs}/steam-runtime-heavy.sh rix,
+ @{steam_lib_dirs}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
+ @{steam_lib_dirs}/steam-runtime{,-heavy}/{setup,run}.sh rix,
+ @{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
+ @{steam_lib_dirs}/steamwebhelper rix,
+ @{steam_lib_dirs}/steamwebhelper.sh rix,
+ @{steam_lib_dirs}/swiftshader/* rm,
 @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr,
 @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so* mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*driverquery rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay rPx,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui rpx,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix,
+ /usr/lib/os-release rk,
 /usr/share/fonts/**.{ttf,otf} rk,
 /usr/share/terminfo/x/xterm-256color r,
 /usr/share/themes/{,**} r,
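Review bot: `@{steam_lib_dirs}/fossilize_replay rpx,` quietly turns the removed line's `rPx` into `rpx`, so the transition into the steam-fossilize profile no longer scrubs the environment (LD_PRELOAD, LD_LIBRARY_PATH and similar now pass through from steam), which is a permission change hidden inside a variable refactor. Unless that was deliberate, the line should stay `@{steam_lib_dirs}/fossilize_replay rPx,`. The same hunk also widens `steam-runtime/{usr/,}lib{exec,}/** mr` to `mrix`, granting inherit-execute over every file in those trees where the steam-reaper and steam-gameoverlayui profiles in this patch only map `lib/**.so*`; if specific helpers under libexec need to run, listing them would be tighter, and either way both changes belong in the commit message. The profile body continues outside the hunk.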
@@ -186,6 +189,7 @@ profile steam @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
 @{sys}/devices/system/cpu/** r,
 @{sys}/devices/system/node/ r,
+ @{sys}/devices/virtual/dmi/id/bios_version rk,
 @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} rk,
 @{sys}/devices/virtual/dmi/id/product_{name,version} r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
@@ -202,6 +206,7 @@ profile steam @{exec_path} {
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/sched_autogroup_enabled r,
 @{PROC}/sys/kernel/unprivileged_userns_clone r,
+ @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/sys/user/max_user_namespaces r,
 @{PROC}/version r,
diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize
index 9e8014b5e..40522a1d3 100644
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@@ -6,7 +6,8 @@ abi ,
 include
-@{exec_path} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+@{exec_path} = @{steam_lib_dirs}/fossilize_replay
 profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -17,7 +18,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so* mr,
+ @{steam_lib_dirs}/*.so* mr,
 owner @{HOME}/.steam/steam.pipe r,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 6c90a0f04..f84f67741 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
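Review bot: The added `@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,` is inserted before `@{PROC}/sys/kernel/yama/ptrace_scope r,`, breaking the alphabetical order the surrounding `@{PROC}/sys/` rules keep; it belongs after the `kernel/yama` line and before `@{PROC}/sys/user/max_user_namespaces r,`. The two brace groups also expand independently, so the rule matches cross products such as `ipv4/conf/all/disable_ipv6`; as far as I know only `disable_ipv6` exists under `ipv6/conf`, so `@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,` would be the precise form if that is the only path Steam reads — worth confirming from the audit log. The profile body continues outside the hunk.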
@@ -19,6 +19,7 @@ abi ,
 include
 @{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
 @{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
 profile steam-game @{exec_path} flags=(attach_disconnected) {
 include
@@ -92,6 +93,11 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{runtime}/pressure-vessel/lib{,exec}/** mrix,
 @{runtime}/run rix,
+ @{steam_lib_dirs}/{,**} r,
+ @{steam_lib_dirs}/**.so* mr,
+ @{steam_lib_dirs}/reaper rix,
+ @{steam_lib_dirs}/steam-launch-wrapper rm,
+ @{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
 @{user_share_dirs}/Steam/bin/ r,
 @{user_share_dirs}/Steam/bin/* mr,
 @{user_share_dirs}/Steam/d3ddriverquery64.dxvk-cache rw,
@@ -106,11 +112,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{user_share_dirs}/Steam/steamapps/common/Proton*/files/lib{,32,64}/** mrix,
 @{user_share_dirs}/Steam/steamapps/common/Proton*/proton rix,
 @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/pfx/**.dll rm,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/{,**} r,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/**.so* mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rix,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
 @{user_games_dirs}/*/* mr,
 @{user_games_dirs}/*/**.dll mr,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index 9e38f25a1..a6ab0c88a 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -6,7 +6,8 @@ abi ,
 include
-@{exec_path} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+@{exec_path} = @{steam_lib_dirs}/gameoverlayui
 profile steam-gameoverlayui @{exec_path} {
 include
 include
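Review bot: `@{steam_lib_dirs}/reaper rix,` keeps reaper inside the steam-game profile, while the steam profile in this same patch sends the identical binary to its dedicated profile with `rpx`; a game that re-executes reaper therefore runs it with the game's broad permissions instead of steam-reaper's. If the inherit is deliberate (presumably to avoid a steam-game → steam-reaper → steam-game bounce, since steam-reaper transitions `steam-launch-wrapper` back to steam-game), a comment such as `# reaper re-exec'd by a game stays here; steam-reaper would bounce it back to steam-game` would record the reasoning, otherwise `@{steam_lib_dirs}/reaper rPx -> steam-reaper,` would be consistent with the steam profile. The `steam-runtime/{usr/,}lib{exec,}/** mrix` rule likewise inherits execute over the whole tree where the steam-reaper and steam-gameoverlayui profiles only map `lib/**.so*`. The profile body continues outside the hunk.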
@@ -20,8 +21,8 @@ profile steam-gameoverlayui @{exec_path} {
 @{exec_path} mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so* mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so* mr,
+ @{steam_lib_dirs}/*.so* mr,
+ @{steam_lib_dirs}/steam-runtime/{usr/,}lib/**.so* mr,
 /usr/share/fonts/{,**} rk,
 # ?
@@ -32,11 +33,11 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{HOME}/ r,
 owner @{HOME}/.steam/registry.vdf rk,
 owner @{HOME}/.steam/steam.pipe r,
+ owner @{steam_lib_dirs}/fontconfig/{,**} rwl,
 owner @{user_share_dirs}/Steam/{,**} r,
 owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
 owner @{user_share_dirs}/Steam/public/* rk,
 owner @{user_share_dirs}/Steam/resource/{,**} rk,
- owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rwl,
 owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
 owner /var/cache/fontconfig/ rw,
diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper
index ee50df52e..a18c77a90 100644
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ b/apparmor.d/profiles-s-z/steam-reaper
@@ -6,7 +6,8 @@ abi ,
 include
-@{exec_path} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+@{exec_path} = @{steam_lib_dirs}/reaper
 profile steam-reaper @{exec_path} {
 include
 include
@@ -15,9 +16,9 @@ profile steam-reaper @{exec_path} {
 @{exec_path} mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so* mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so* mr,
- @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rpx -> steam-game,
+ @{steam_lib_dirs}/*.so* mr,
+ @{steam_lib_dirs}/steam-runtime/{usr/,}lib/**.so* mr,
+ @{steam_lib_dirs}/steam-launch-wrapper rpx -> steam-game,
 @{user_share_dirs}/Steam/steamapps/common/*/* rpx -> steam-game,
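Review bot: `@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}` is now defined verbatim in five profile files (steam, steam-fossilize, steam-game, steam-gameoverlayui and here), and since profile-local variables are not shared between files, a future change to the Steam runtime directory name has to be repeated in every copy or the profiles silently drift apart. A one-line comment on each definition, e.g. `# Keep in sync with @{steam_lib_dirs} in the other steam-* profiles`, would make the coupling visible; if the project's tunables allow it, a single shared definition would remove the duplication altogether. The profile header continues outside the hunk.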