refractor: moce a lot of profiles inside they own groups.

This commit is contained in:
Alexandre Pujol 2025-02-09 21:46:10 +01:00
parent e5aad04be4
commit 9304c9a668
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
61 changed files with 1 additions and 9 deletions


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-enabled
profile aa-enabled @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
@{sys}/module/apparmor/parameters/enabled r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/aa-enabled>
}
# vim:syntax=apparmor


@ -0,0 +1,41 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable
profile aa-enforce @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
capability dac_read_search,
@{exec_path} mr,
@{bin}/ r,
@{bin}/apparmor_parser rPx,
/usr/share/terminfo/** r,
/etc/apparmor/logprof.conf r,
/etc/apparmor.d/{,**} rw,
@{etc_ro}/inputrc r,
@{etc_ro}/inputrc.keys r,
owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
owner /var/lib/snapd/apparmor/{,**} rw,
owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
@{PROC}/@{pid}/fd/ r,
include if exists <local/aa-enforce>
}
# vim:syntax=apparmor


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-log
profile aa-log @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
@{exec_path} mr,
@{bin}/journalctl rix,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/var/log/audit/* r,
/var/log/syslog* r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/{,*} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/dev/tty@{int} rw,
include if exists <local/aa-log>
}
# vim:syntax=apparmor


@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-notify
profile aa-notify @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/python>
capability setgid,
capability setuid,
capability sys_ptrace,
ptrace read,
@{exec_path} mr,
@{bin}/ r,
/usr/share/terminfo/** r,
@{etc_ro}/inputrc r,
@{etc_ro}/inputrc.keys r,
/etc/apparmor.d/{,**} r,
/etc/apparmor/*.conf r,
/var/log/audit/audit.log r,
owner @{HOME}/.inputrc r,
owner @{HOME}/.terminfo/@{int}/dumb r,
owner @{tmp}/@{word8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/cmdline r,
include if exists <local/aa-notify>
}
# vim:syntax=apparmor
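Review bot: `capability setgid,` and `capability setuid,` (L104-105) carry no rationale, and together with `capability sys_ptrace,` and the unscoped `ptrace read,` (L106-107) they are the most privileged rules in what is otherwise a log-reading notifier. A one-line why-comment would let the next maintainer verify they are still needed instead of keeping or dropping them blindly, e.g. `# setuid/setgid: TODO confirm — presumably drops to the invoking user after reading the audit log`. If the tool only inspects processes it started itself, a `peer=` qualifier on the ptrace rule would be tighter, but nothing in this hunk confirms its targets.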


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status
profile aa-status @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
capability sys_ptrace,
ptrace read,
@{exec_path} mr,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/ r,
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pid}/mounts r,
/dev/tty@{int} rw,
include if exists <local/aa-status>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-teardown
profile aa-teardown @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
@{exec_path} mr,
@{sh_path} rix,
@{lib}/apparmor/apparmor.systemd rPx,
/usr/share/terminfo/** r,
/dev/tty rw,
include if exists <local/aa-teardown>
}
# vim:syntax=apparmor


@ -0,0 +1,44 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-unconfined
profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
capability dac_read_search,
capability sys_ptrace,
ptrace read,
@{exec_path} mr,
@{bin}/ r,
@{bin}/netstat Px,
@{bin}/ss Px,
/usr/share/terminfo/** r,
/etc/apparmor/logprof.conf r,
@{etc_ro}/inputrc r,
owner @{tmp}/@{rand8} rw,
owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
owner /var/tmp/@{rand8} rw,
@{PROC}/ r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pids}/attr/apparmor/current r,
@{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/aa-unconfined>
}
# vim:syntax=apparmor
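Review bot: `@{bin}/netstat Px,` and `@{bin}/ss Px,` (L194-195) omit the `r` permission that every other exec transition in this commit carries (`rPx` at L46, L169, L229-230). It is valid AppArmor and only matters if the binary must be readable by the caller, but it reads as an oversight rather than a choice; `@{bin}/netstat rPx,` and `@{bin}/ss rPx,` would be consistent, or a comment should say why `r` is deliberately withheld.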


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability mac_admin,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/aa-status rPx,
@{bin}/apparmor_parser rPx,
@{bin}/getconf rix,
@{bin}/ls rix,
@{bin}/sed rix,
@{bin}/cat rix,
@{bin}/sort rix,
@{bin}/sysctl rix,
@{bin}/systemd-detect-virt rPx,
@{bin}/xargs rix,
@{lib}/apparmor/rc.apparmor.functions r,
/etc/apparmor.d/ r,
@{sys}/fs/cgroup/systemd/ r,
@{sys}/kernel/security/apparmor/{,**} r,
@{sys}/kernel/security/apparmor/.remove rw,
@{sys}/module/apparmor/ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/mounts r,
@{PROC}/mounts r,
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
/dev/tty rw,
include if exists <local/apparmor.systemd>
}
# vim:syntax=apparmor
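Review bot: `flags=(complain)` on L220 puts the whole profile in complain mode with no comment saying why, so a reader cannot tell whether the rule set is known-incomplete or the flag is a leftover. Since this profile holds `capability mac_admin,` and write access to `@{sys}/kernel/security/apparmor/.remove` (L225, L243), neither of which is enforced while complaining, a note such as `# complain: TODO confirm — reason the rule set is not yet enforced` next to the flag would make the state explicit. The same applies to `flatpak` at L814.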


@ -0,0 +1,54 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
capability mac_admin,
@{exec_path} mr,
@{lib_dirs}/@{multiarch}/** mr,
@{lib_dirs}/snapd/apparmor.d/{,**} r,
@{lib_dirs}/snapd/apparmor/{,**} r,
/etc/apparmor.d/{,**} r,
/etc/apparmor.d/cache.d/{,**} rw,
/etc/apparmor/{,**} r,
/etc/apparmor/cache.d/{,**} rw,
/etc/apparmor/earlypolicy/{,**} rw,
/usr/share/apparmor-features/{,**} r,
/usr/share/apparmor/{,**} r,
owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} r,
owner /snap/core@{int}/@{int}/etc/apparmor/* r,
owner /var/cache/apparmor/{,**} rw,
owner /var/lib/docker/tmp/docker-default@{int} r,
owner /var/lib/snapd/apparmor/{,**} r,
owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
owner @{tmp}/cri-containerd.apparmor.d@{int} r,
@{sys}/kernel/security/apparmor/{,**} r,
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/mounts r,
deny network netlink raw, # file_inherit
deny /apparmor/.null rw,
include if exists <local/apparmor_parser>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/beh
profile cups-backend-beh @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-beh>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/bluetooth
profile cups-backend-bluetooth @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-bluetooth>
}
# vim:syntax=apparmor


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/cups-brf
profile cups-backend-brf @{exec_path} {
include <abstractions/base>
capability setuid,
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-brf>
}
# vim:syntax=apparmor


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/dnssd
profile cups-backend-dnssd @{exec_path} {
include <abstractions/base>
include <abstractions/bus/org.freedesktop.Avahi>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-dnssd>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/hp{,fax}
profile cups-backend-hp @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-hp>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/implicitclass
profile cups-backend-implicitclass @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-implicitclass>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/ipp
profile cups-backend-ipp @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-ipp>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/lpd
profile cups-backend-lpd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-lpd>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/mdns
profile cups-backend-mdns @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-mdns>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/parallel
profile cups-backend-parallel @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-parallel>
}
# vim:syntax=apparmor


@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/cups-pdf
profile cups-backend-pdf @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
capability chown,
capability setgid,
capability setuid,
capability dac_override,
unix peer=(label=cupsd),
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cp rix,
@{bin}/gs rix,
@{bin}/gsc rix,
@{lib}/ghostscript/** mr,
/usr/share/ghostscript/{,**} r,
/etc/papersize r,
/etc/cups/ r,
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
/var/log/cups/cups-pdf*_log w,
/var/spool/cups-pdf/{,**} rw,
/var/spool/cups/** r,
/var/tmp/gs_* rw,
/dev/tty rw,
include if exists <local/cups-backend-pdf>
}
# vim:syntax=apparmor
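Review bot: `/var/tmp/gs_* rw,` (L502) is not qualified with `owner`, while the profile also holds `capability dac_override,` and `capability chown,` (L483, L486), so the rule reaches any file matching that prefix in a world-writable directory regardless of who created it. If the ghostscript temporaries are always created under the uid the backend runs the job as, `owner /var/tmp/gs_* rw,` keeps the permission without touching other users' files; if they are not, a comment stating why `owner` cannot apply would help the next reader. The `/var/spool/cups-pdf/{,**} rw,` rule is the backend's own spool and looks intended as written.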


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/serial
profile cups-backend-serial @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
/dev/ttyS@{int} w,
include if exists <local/cups-backend-serial>
}
# vim:syntax=apparmor


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/snmp
profile cups-backend-snmp @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
/etc/cups/snmp.conf r,
/etc/papersize r,
include if exists <local/cups-backend-snmp>
}
# vim:syntax=apparmor


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/socket
profile cups-backend-socket @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-socket>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/backend/usb
profile cups-backend-usb @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
capability net_admin,
network netlink raw,
@{exec_path} mr,
/usr/share/cups/usb/{,**} r,
/etc/cups/ppd/*.ppd r,
/etc/papersize r,
include if exists <local/cups-backend-usb>
}
# vim:syntax=apparmor


@ -0,0 +1,55 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/cups-browsed
profile cups-browsed @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/cups-client>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
capability net_admin,
capability net_bind_service,
capability sys_nice,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged
peer=(name=:*, label=avahi-daemon),
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=CheckPermissions
peer=(name=:*, label=NetworkManager),
@{exec_path} mr,
/usr/share/cups/locale/{,**} r,
/etc/cups/{,**} r,
/var/cache/cups/{,**} rw,
/var/log/cups/{,**} rw,
@{run}/cups/certs/* r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
include if exists <local/cups-browsed>
}
# vim:syntax=apparmor


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/notifier/dbus
profile cups-notifier-dbus @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/cups-client>
include <abstractions/nameservice-strict>
signal (receive) set=(term) peer=cupsd,
@{exec_path} mr,
owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
owner @{tmp}/cups-dbus-notifier-lockfile rwk,
include if exists <local/cups-notifier-dbus>
}
# vim:syntax=apparmor


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/notifier/mailto
profile cups-notifier-mailto @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/cups-notifier-mailto>
}
# vim:syntax=apparmor


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/cups/notifier/rss
profile cups-notifier-rss @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/cups-notifier-rss>
}
# vim:syntax=apparmor


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism
@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
profile cups-pk-helper-mechanism @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_nice,
network inet stream,
network inet6 stream,
#aa:dbus own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/
@{exec_path} mr,
/etc/cups/ppd/*.ppd r,
owner @{tmp}/[a-z0-9]* rw,
@{run}/cups/cups.sock rw,
include if exists <local/cups-pk-helper-mechanism>
}
# vim:syntax=apparmor
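Review bot: `owner @{tmp}/[a-z0-9]* rw,` (L708) admits any lowercase alphanumeric name under the temp directory, which is far wider than the `@{rand8}`/`@{word8}` patterns used for temp files elsewhere in this commit (L54, L118, L199). If the helper's temporary names have a fixed prefix or length, narrowing the glob to it limits what a compromised helper can read or write in shared tmp; otherwise a comment naming the producer of those files would justify the width.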


@ -0,0 +1,106 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/cupsd
profile cupsd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.Avahi>
include <abstractions/bus/org.freedesktop.ColorManager>
include <abstractions/nameservice-strict>
include <abstractions/python>
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability wake_alarm,
network inet stream,
network inet6 stream,
network appletalk dgram,
network ash dgram,
network ax25 dgram,
network bluetooth,
network econet dgram,
network ipx dgram,
network netrom seqpacket,
network rose dgram,
network x25 seqpacket,
signal (send) set=(term) peer=cups-notifier-dbus,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cp rix,
@{bin}/grep rix,
@{bin}/gs rix,
@{bin}/gsc rix,
@{bin}/hostname rix,
@{bin}/ippfind rix,
@{bin}/mktemp rix,
@{bin}/printenv rix,
@{bin}/python3.@{int} rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/smbspool rPx,
@{bin}/touch rix,
@{bin}/xz rix,
@{lib}/cups/backend/* rPx,
@{lib}/cups/cgi-bin/*.cgi rix,
@{lib}/cups/daemon/* rix,
@{lib}/cups/driver/* rix,
@{lib}/cups/filter/* rix,
@{lib}/cups/monitor/* rix,
@{lib}/cups/notifier/* rPx,
/usr/share/cups/{,**} r,
/usr/share/ghostscript/{,**} r,
/usr/share/poppler/{,**} r,
/usr/share/ppd/{,**} r,
/etc/cups/{,**} rw,
/etc/foomatic/* r,
/etc/papersize r,
/etc/paperspecs r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/log/cups/{,*} rw,
/var/spool/cups/{,**} rw,
@{run}/cups/{,**} rw,
@{run}/systemd/notify w,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pids}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{tmp}/*_latest_print_info w,
/dev/tty rw,
include if exists <local/cupsd>
}
# vim:syntax=apparmor
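Review bot: The cgi-bin, daemon, driver, filter and monitor helpers at L774-778 run with `rix`, so they inherit cupsd's full rule set including `capability dac_override,`, `capability setuid,`, `capability kill,` and `capability net_admin,` (L731-742), whereas backends and notifiers (L773, L779) transition with `rPx`. Filters are the components that parse untrusted job data, which makes them the natural place for a narrower profile; a child profile (`@{lib}/cups/filter/* rCx -> filter,` with a rule set derived from what the filters actually access) or per-filter `rPx` profiles would keep a filter fault from inheriting the daemon's capabilities. The same consideration applies to `@{bin}/gs rix,` and `@{bin}/gsc rix,` at L761-762. The rules such a child needs cannot be derived from this hunk, so this is a follow-up rather than a one-line fix.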


@ -0,0 +1,149 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/flatpak
profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.Accounts>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
userns,
capability dac_override,
capability dac_read_search,
capability net_admin,
capability sys_ptrace,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
ptrace (read) peer=flatpak-app,
signal send peer=flatpak-app,
@{exec_path} mr,
@{bin}/bwrap rPx -> flatpak-app,
@{bin}/fusermount{,3} rCx -> fusermount,
@{bin}/gpg rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
@{lib}/revokefs-fuse rix,
/usr/share/flatpak/{,**} r,
/etc/flatpak/{,**} r,
/etc/pulse/client.conf r,
/ r,
/var/lib/flatpak/{,**} rwlk,
/var/tmp/#@{int} rw,
/var/tmp/flatpak-cache-@{rand6}/{,**/} r,
owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk,
owner @{HOME}/.var/ w,
owner @{HOME}/.var/app/{,**} rw,
# Can create dotfile directories for any app
owner @{user_cache_dirs}/*/ w,
owner @{user_config_dirs}/*/ w,
owner @{user_share_dirs}/*/ w,
owner @{user_games_dirs}/{,**/} w,
owner @{user_documents_dirs}/ w,
owner @{user_cache_dirs}/flatpak/{,**} rw,
owner @{user_config_dirs}/pulse/client.conf r,
owner @{user_config_dirs}/user-dirs.dirs r,
@{user_share_dirs}/flatpak/{,**} r,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/flatpak/{,**} rwl,
owner @{tmp}/#@{int} rw,
owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
owner /dev/shm/flatpak*/{,**} rw,
@{run}/.userns r,
@{run}/user/@{uid}/.dbus-proxy/ w,
@{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/.dbus-proxy/* rw,
owner @{run}/user/@{uid}/.flatpak-cache rw,
owner @{run}/user/@{uid}/.flatpak/ rw,
owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**,
owner @{run}/user/@{uid}/app/ w,
owner @{run}/user/@{uid}/app/*/ w,
owner @{run}/user/@{uid}/systemd/private rw,
@{sys}/module/nvidia/version r,
@{PROC}/sys/fs/pipe-max-size r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
owner @{PROC}/@{pid}/stat r,
/dev/fuse rw,
/dev/tty rw,
/dev/tty@{int} rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{HOME}/@{XDG_GPG_DIR}/*.conf r,
owner @{tmp}/ostree-gpg-@{rand6}/ rw,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
include if exists <local/flatpak_gpg>
}
profile fusermount {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_admin,
mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
umount /var/tmp/flatpak-cache-*/*/,
@{bin}/fusermount{,3} mr,
/etc/fuse.conf r,
@{PROC}/@{pids}/mounts r,
/dev/fuse rw,
include if exists <local/flatpak_fusermount>
}
include if exists <local/flatpak>
}
# vim:syntax=apparmor
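Review bot: The link target on L896, `-> /tmp/ostree-gpg-@{rand6}/**`, hard-codes `/tmp` while the source path on the same line uses `@{tmp}`; if `@{tmp}` ever expands to anything other than `/tmp` (a private tmp, for instance), the `l` permission silently stops matching. `owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> @{tmp}/ostree-gpg-@{rand6}/**,` keeps both sides consistent. The same pattern appears in flatpak-system-helper at L1143 and L1156.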


@ -0,0 +1,100 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for all flatpak applications. Ideally, this profile should be
# generated by flatpak itself with settings from the flatpak manifest and
# fully separated from bwrap.
# Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order
# to separate bwrap from the sandboxed app itself. It was generating issue with
# zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install
# some applications, flatpak needs write access to the sandbox content. This is
# done through bwrap and therefore in this profile.
#
# 1. All of this will have to be improved. However, as of today, it is the only
# way to not break some (major) flatpak app.
# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
# This this only defence in depth.
# 3. The main purpose of this profile is to ensure all processes are confined.
abi <abi/4.0>,
include <tunables/global>
profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/common/app>
include <abstractions/common/bwrap>
capability dac_override,
capability dac_read_search,
capability setuid, # Needed when bwrap is setup with setuid privileges.
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink dgram,
network netlink raw,
network unix stream,
ptrace (read),
ptrace trace peer=flatpak-app,
signal receive peer=flatpak,
signal receive set=(int term) peer=flatpak-portal,
signal receive set=(int) peer=flatpak-session-helper,
@{bin}/** rmix,
@{lib}/** rmix,
/app/** rmix,
/usr/plugins/** rmix,
/usr/share/flatpak/triggers/* rix,
/usr/share/runtime/** rmix,
/var/lib/flatpak/app/*/**/@{bin}/** rmix,
/var/lib/flatpak/app/*/**/@{lib}/** rmix,
@{run}/flatpak/app/*/**so* rm,
@{run}/parent/@{bin}/** rmix,
@{run}/parent/@{lib}/** rmix,
@{run}/parent/app/** rmix,
@{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//&gtk-update-icon-cache,
@{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database,
@{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
@{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
@{lib}/kf5/kioslave5 rPx,
@{lib}/kf6/kioworker rPx,
/etc/**/ rw,
/etc/shells rw,
/app/.ref rk,
/app/extra/** rw,
/app/lib/** rk,
/bindfile@{rand6} rw,
/usr/.ref rk,
/var/lib/flatpak/app/{,**} r,
/var/lib/flatpak/exports/** rw,
/var/tmp/etilqs_@{hex16} rw,
@{run}/.userns r,
@{run}/parent/** r,
@{run}/parent/app/.ref rk,
@{run}/parent/usr/.ref rk,
owner @{run}/flatpak/{,**} rk,
owner @{run}/flatpak/app/** rw,
owner @{run}/flatpak/doc/** rw,
owner @{run}/ld-so-cache-dir/* rw,
owner @{run}/user/ r,
include if exists <usr/flatpak-app.d>
include if exists <local/flatpak-app>
}
# vim:syntax=apparmor
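Review bot: `ptrace (read),` on L954 has no peer, so a sandboxed app may read the state of any task on the system, while the trace rule directly below it is scoped to `peer=flatpak-app`. If the only targets are other sandboxed processes, `ptrace (read) peer=flatpak-app,` closes that gap; the header comment already calls this profile defence in depth, so the wider rule may be deliberate, but then it deserves a comment. `/etc/**/ rw,` and `/etc/shells rw,` (L977-978) likewise grant writes under `/etc` from the app profile with no explanation; presumably these are bwrap mount points inside the sandbox's own mount namespace, which is worth stating, e.g. `# bwrap mount points inside the sandbox mount namespace — TODO confirm`.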


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/flatpak-oci-authenticator
profile flatpak-oci-authenticator @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
#aa:dbus own bus=session name=org.flatpak.Authenticator.Oci
@{exec_path} mr,
include if exists <local/flatpak-oci-authenticator>
}
# vim:syntax=apparmor


@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/flatpak-portal
profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/nameservice-strict>
capability sys_ptrace,
network netlink raw,
ptrace read,
signal send,
#aa:dbus own bus=session name=org.freedesktop.portal.Flatpak
@{exec_path} mr,
@{bin}/flatpak rPx,
/usr/share/mime/mime.cache r,
/usr/share/xdg-desktop-portal/portals/{,*.portal} r,
/var/lib/flatpak/exports/share/mime/mime.cache r,
owner @{att}/ r,
owner @{att}/.flatpak-info r,
owner @{HOME}/.var/app/*/**/.ref rw,
owner @{HOME}/.var/app/*/**/logs/* rw,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_share_dirs}/mime/mime.cache r,
owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,
include if exists <local/flatpak-portal>
}
# vim:syntax=apparmor
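Review bot: `signal send,` (L1035) and `ptrace read,` (L1034) carry no peer, so the portal may signal or inspect any process. The only receiver visible in this commit is flatpak-app, whose rule at L957 accepts exactly `set=(int term) peer=flatpak-portal`, so `signal send set=(int term) peer=flatpak-app,` would match the receiving side without loss; if the portal also signals unconfined host processes, a second rule naming that peer is the tighter form. The ptrace rule can probably be scoped the same way, but nothing in the hunk confirms its targets.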


@ -0,0 +1,61 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/flatpak-session-helper
profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
signal send set=(hup int) peer=user_unconfined,
signal send set=(int) peer=@{p_systemd},
signal send set=(int) peer=flatpak-app,
#aa:dbus own bus=session name=org.freedesktop.Flatpak
@{exec_path} mr,
@{shells_path} rUx -> user_unconfined,
@{bin}/dbus-monitor rPUx,
@{bin}/env rix,
@{bin}/flatpak rPx,
@{bin}/getent rix,
@{bin}/p11-kit rix,
@{bin}/pkexec rCx -> pkexec,
@{bin}/printenv rix,
@{bin}/ps rPx,
@{bin}/test rix,
@{bin}/touch rix,
@{lib}/p11-kit/p11-kit-remote rix,
@{lib}/p11-kit/p11-kit-server rix,
/var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app,
/var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app,
owner @{user_config_dirs}/mimeapps.list w,
owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw,
owner @{PROC}/@{pids}/fd/ r,
/dev/ptmx rw,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
include if exists <local/flatpak-session-helper_pkexec>
}
include if exists <local/flatpak-session-helper>
}
# vim:syntax=apparmor
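Review bot: `@{shells_path} rUx -> user_unconfined,` (L1075) is the rule that lets this helper start an unconfined shell, and it has no comment saying why that is acceptable; it is the single most consequential line in the profile, and a reader finding it in its new group will not know whether it is intentional. A why-comment such as `# host-side commands run unconfined by design — TODO confirm the use case` would record the decision. `@{bin}/dbus-monitor rPUx,` at L1076 is in the same category and could share the comment.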


@ -0,0 +1,78 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/flatpak-system-helper
profile flatpak-system-helper @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
capability chown,
capability dac_override,
capability fowner,
capability net_admin,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_ptrace,
ptrace (read),
#aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
@{exec_path} mr,
@{bin}/bwrap rPUx,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
@{lib}/revokefs-fuse rix,
/etc/flatpak/{,**} r,
/etc/machine-id r,
/usr/share/flatpak/remotes.d/ r,
/usr/share/flatpak/triggers/ r,
/usr/share/mime/mime.cache r,
/var/lib/flatpak/{,**} rwkl,
/var/tmp/flatpak-cache-*/{,**} rw,
owner /{var/,}tmp/#@{int} rw,
owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
@{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fdinfo/@{int} r,
profile gpg {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
@{lib}/{,gnupg/}scdaemon rix,
@{bin}/gpg-agent rix,
owner @{tmp}/ostree-gpg-@{rand6}/ r,
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/flatpak-system-helper_gpg>
}
include if exists <local/flatpak-system-helper>
}
# vim:syntax=apparmor
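Review bot: `ptrace (read),` in flatpak-system-helper has no peer restriction while the same profile also holds `capability sys_ptrace`, so the helper is allowed to read the /proc state of every process on the host rather than only the processes it manages. If audit logs show it only inspects its own children or flatpak apps, `ptrace (read) peer=flatpak-app,` (or the peer actually observed) would bound the rule; as written the capability and the unbounded ptrace rule together are the broadest pair in this file. `@{bin}/bwrap rPUx` also deserves a one-line comment, since the `U` fallback runs bwrap unconfined with this profile's root capabilities whenever no bwrap profile is loaded, e.g. `# falls back to unconfined when the bwrap profile is not installed`.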


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/flatpak-validate-icon
profile flatpak-validate-icon @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/flatpak-validate-icon>
}
# vim:syntax=apparmor

134
apparmor.d/groups/snap/snap Normal file

@ -0,0 +1,134 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{bin_dirs}/snap
profile snap @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.systemd1>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability setuid,
capability sys_admin,
network netlink raw,
ptrace read peer=snap.snap-store.snap-store,
unix (send, receive) type=stream peer=(label=apt),
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
#aa:dbus own bus=session name=io.snapcraft.Launcher
#aa:dbus own bus=session name=io.snapcraft.SessionAgent
#aa:dbus own bus=session name=io.snapcraft.Settings
#aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store
#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.portal.Documents
member=GetMountPoint
peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
dbus receive bus=session
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=gnome-shell),
@{exec_path} mrix,
@{bin}/mount rix,
@{bin}/getent rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/systemctl rCx -> systemctl,
@{lib_dirs}/** mr,
@{lib_dirs}/snapd/snap-confine rPx,
@{lib_dirs}/snapd/snap-seccomp rPx,
@{lib_dirs}/snapd/snapd rPx,
/etc/fstab r,
/var/lib/snapd/{,**} rwk,
/var/cache/snapd/commands.db rwk,
/var/cache/snapd/names r,
@{DESKTOP_HOME}/snap/{,**} rw,
@{HOME}/snap/{,**} rw,
/snap/{,**} rw,
owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
@{run}/user/@{uid}/bus rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/mount/utab r,
@{run}/snapd.socket rw,
@{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/kernel/security/apparmor/features/{,**} r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/cgroups r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r,
owner @{PROC}/@{pid}/attr/apparmor/current r,
owner @{PROC}/@{pid}/mounts r,
/dev/tty@{int} rw,
/dev/ttyS@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
profile gpg {
include <abstractions/base>
@{bin}/gpg{,2} mr,
@{bin}/dirmngr rix,
@{bin}/gpg-agent rix,
@{bin}/gpg-connect-agent rix,
owner @{HOME}/.snap/gnupg/ rw,
owner @{HOME}/.snap/gnupg/** rwkl,
include if exists <local/snap_gpg>
}
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include <abstractions/bus/org.freedesktop.systemd1>
network unix stream,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/systemd/private rw,
include if exists <local/snap_systemctl>
}
include if exists <local/snap>
}
# vim:syntax=apparmor
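Review bot: `@{HOME}/snap/{,**} rw` and `@{DESKTOP_HOME}/snap/{,**} rw` in the snap profile lack the `owner` qualifier that the neighbouring `@{run}/user/@{uid}/...` rules and the gpg child's `@{HOME}/.snap/gnupg/` rules carry, so one user's snap client may read and write another user's ~/snap tree wherever DAC permits it. Unless a root-run `snap` genuinely has to operate on other users' homes, `owner @{HOME}/snap/{,**} rw,` and `owner @{DESKTOP_HOME}/snap/{,**} rw,` match the rest of the profile; the same question applies to `@{run}/user/@{uid}/bus rw`. `/snap/{,**} rw` is also very broad for a CLI that otherwise hands mounting to snapd, and a short comment stating why the client itself needs write access under /snap would help the next reviewer.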


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/snapd/snap-bootstrap
profile snap-bootstrap @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/snap-bootstrap>
}
# vim:syntax=apparmor


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/snapd/snap-device-helper
profile snap-device-helper @{exec_path} {
include <abstractions/base>
capability bpf,
capability dac_read_search,
capability setgid,
capability sys_resource,
@{exec_path} mr,
@{sys}/fs/bpf/snap/ w,
include if exists <local/snap-device-helper>
}
# vim:syntax=apparmor
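Review bot: The four capabilities granted to snap-device-helper have no rationale attached, and `capability bpf` paired with `@{sys}/fs/bpf/snap/ w` is unusual enough in this profile set that a reader cannot tell whether the BPF access is intended or leftover. A comment above the capability block such as `# presumably device-cgroup filtering on cgroup v2: snapd pins per-snap BPF programs under @{sys}/fs/bpf/snap/ — confirm` would record the intent without widening anything. If the helper only ever creates or removes pinned programs there, the rule is already as narrow as the directory grant allows.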


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snap-discard-ns
profile snap-discard-ns @{exec_path} {
include <abstractions/base>
capability setgid,
capability sys_admin,
network netlink raw,
umount @{run}/snapd/ns/*.mnt,
@{exec_path} mr,
/ r,
@{run}/ r,
@{run}/snapd/ r,
@{run}/snapd/lock/ r,
@{run}/snapd/lock/*.lock rwk,
@{run}/snapd/ns/ r,
@{run}/snapd/ns/* rw,
include if exists <local/snap-discard-ns>
}
# vim:syntax=apparmor


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snap-failure
profile snap-failure @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{bin}/systemctl rCx -> systemctl,
@{lib_dirs}/snapd/snapd rPx,
/var/lib/snapd/sequence/snapd.json r,
@{PROC}/cmdline r,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
include if exists <local/snap-failure_systemctl>
}
include if exists <local/snap-failure>
}
# vim:syntax=apparmor


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/snapd/snap-repair
profile snap-repair @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/snap-repair>
}
# vim:syntax=apparmor


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snap-seccomp
profile snap-seccomp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
network netlink raw,
@{exec_path} mr,
@{lib_dirs}/**.so* mr,
@{bin}/getent rix,
/var/lib/snapd/seccomp/bpf/{,**} rw,
owner @{PROC}/@{pids}/mountinfo r,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/snap-seccomp>
}
# vim:syntax=apparmor


@ -0,0 +1,64 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snap-update-ns
profile snap-update-ns @{exec_path} {
include <abstractions/base>
capability dac_override,
capability sys_admin,
capability sys_chroot,
network netlink raw,
mount -> /boot/,
mount -> /snap/**,
mount -> /tmp/.snap/**,
mount -> /usr/**,
mount -> /var/lib/dhcp/,
umount /snap/**,
umount /var/lib/dhcp/,
umount @{lib}/@{multiarch}/webkit2gtk-@{version}/,
umount /usr/share/xml/iso-codes/,
@{exec_path} mr,
@{lib}/@{multiarch}/webkit2gtk-@{version}/ w,
/usr/share/xml/iso-codes/ w,
/var/lib/snapd/mount/{,*} r,
/ r,
/tmp/ r,
owner /snap/{,**} rw,
owner /var/ rw,
owner /var/snap/ rw,
owner /var/snap/**/ rw,
owner @{tmp}/.snap/{,**} rwk,
@{run}/snapd/lock/*.lock rwk,
@{run}/snapd/ns/{,**} rw,
@{sys}/fs/cgroup/{,**/} r,
@{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
@{PROC}/@{pids}/cgroup r,
@{PROC}/cmdline r,
@{PROC}/version r,
include if exists <local/snap-update-ns>
}
# vim:syntax=apparmor
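Review bot: The `mount -> /usr/**`, `mount -> /boot/`, `mount -> /snap/**` and `mount -> /tmp/.snap/**` rules in snap-update-ns specify neither a source, an fstype nor options, so any filesystem may be mounted onto those targets by a process running under this profile with `capability sys_admin`. If, as I believe, the tool only performs bind and tmpfs mounts for snap layouts, the forms to consider are `mount options=(rw, bind) -> /usr/**,` and `mount fstype=tmpfs -> /usr/**,` (and likewise for the other targets) — confirm against audit logs before tightening, since an over-narrow mount rule breaks snap startup. `capability sys_chroot` is likewise unexplained; a one-line comment naming why the tool changes root would save the next reviewer the same question.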


@ -0,0 +1,190 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snapd
profile snapd @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1>
include <abstractions/bus/org.freedesktop.timedate1>
include <abstractions/disks-write>
include <abstractions/fontconfig-cache-write>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mac_admin,
capability net_admin,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_ptrace,
capability sys_resource,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,
network unix stream,
mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
umount /tmp/syscheck-mountpoint-@{int}/,
umount /snap/*/*/,
ptrace read peer=@{p_systemd},
ptrace read peer=snap{,.*},
unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
dbus send bus=system path=/org/freedesktop/
interface=org.freedesktop.login1.Manager
member={SetWallMessage,ScheduleShutdown}
peer=(name=org.freedesktop.login1, label=systemd-logind),
@{exec_path} mrix,
@{bin}/adduser rPx,
@{bin}/groupadd rPx,
@{bin}/hostnamectl rPx,
@{bin}/ssh-keygen rPx,
@{bin}/useradd rPx,
@{sh_path} rix,
@{bin}/apparmor_parser rPx,
@{bin}/cp rix,
@{bin}/getent rix,
@{bin}/gzip rix,
@{bin}/journalctl rPx,
@{bin}/kmod rPx,
@{bin}/mount rix,
@{bin}/runuser rCx -> runuser,
@{bin}/sync rix,
@{bin}/systemctl rix,
@{bin}/systemd-detect-virt rPx,
@{bin}/tar rix,
@{bin}/udevadm rPx,
@{bin}/umount rix,
@{bin}/unsquashfs rix,
@{bin}/update-desktop-database rPx,
@{bin_dirs}/fc-cache-* mr,
@{bin_dirs}/snap rPUx,
@{bin_dirs}/xdelta3 rix,
@{lib_dirs}/@{multiarch}/** mr,
@{lib_dirs}/@{multiarch}/ld-*.so rix,
@{lib_dirs}/snapd/apparmor_parser rPx,
@{lib_dirs}/snapd/snap-discard-ns rPx,
@{lib_dirs}/snapd/snap-seccomp rPx,
@{lib_dirs}/snapd/snap-update-ns rPx,
/usr/share/bash-completion/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} rw,
/usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r,
@{etc_ro}/environment r,
/etc/apparmor.d/*snapd.snap* r,
/etc/dbus-1/system.d/{,**/} r,
/etc/fstab r,
/etc/mime.types r,
/etc/modprobe.d/{,**/} r,
/etc/modules-load.d/{,**/} r,
/etc/modules-load.d/*snap* rw,
/etc/systemd/system/{,**/} r,
/etc/systemd/system/snap* rw,
/etc/systemd/user/{,**/} r,
/etc/systemd/user/**/*snap* rw,
/etc/systemd/user/*snap* rw,
/etc/udev/rules.d/{,*snap*} rw,
/snap/{,**} rw,
/var/cache/snapd/{,**} rwlk,
/var/lib/snapd/{,**} rwlk,
/var/snap/{,**} rw,
/var/cache/apparmor/{,*/} r,
/var/cache/apparmor/*/snap* rw,
/tmp/ r,
/tmp/read-file@{int}/{,**} rw,
/tmp/snapd@{int}/ rw,
/tmp/snapd@{int}/** rw,
/tmp/syscheck-mountpoint-@{int}/{,**} rw,
/tmp/syscheck-squashfs-@{int} rw,
/boot/ r,
/boot/grub/grubenv r,
/ r,
/home/ r,
@{HOME}/ r,
@{HOME}/snap/{,**} rw,
@{HOME}/.snap*/{,**} rw,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
@{run}/user/ r,
@{run}/user/@{uid}/ r,
@{run}/user/@{uid}/snapd-session-agent.socket rw,
@{run}/user/snap.*/{,**} rw,
@{run}/snapd*.socket rw,
@{run}/snapd/{,**} rw,
@{run}/snapd/lock/*.lock rwk,
@{run}/systemd/notify rw,
@{run}/systemd/private rw,
@{sys}/fs/cgroup/{,*/} r,
@{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/system.slice/{,**/} r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
@{sys}/fs/cgroup/user.slice/ r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
@{sys}/kernel/kexec_loaded r,
@{sys}/kernel/security/apparmor/.notify r,
@{sys}/kernel/security/apparmor/features/{,**} r,
@{sys}/kernel/security/apparmor/profiles r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/mounts r,
@{PROC}/@{pid}/stat r,
@{PROC}/cgroups r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/mountinfo r,
/dev/loop-control rw,
profile runuser {
include <abstractions/base>
@{bin}/runuser mr,
include if exists <local/snapd_runuser>
}
include if exists <local/snapd>
}
# vim:syntax=apparmor
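Review bot: `@{bin}/unsquashfs rix` in the snapd profile runs a parser of downloaded squashfs images inherited, i.e. with snapd's full capability set (`sys_admin`, `mac_admin`, `sys_ptrace`, `dac_override`, …), so a malformed or hostile snap file is handled by a process that can also rewrite AppArmor policy and mount filesystems. A child profile limited to reading the image and writing the extraction directory confines that parsing step; the paths below are taken from the rules already in this profile and should be trimmed to what audit logs show. The same consideration applies to `@{bin}/systemctl rix` and `@{bin}/tar rix`: the sibling profiles snap and snap-failure in this commit confine systemctl with `rCx -> systemctl` and a child profile, and snapd could follow that pattern.

```apparmor
  # … unchanged: includes, capabilities, network, mount, ptrace and dbus rules …

  @{bin}/unsquashfs rCx -> unsquashfs,

  # … unchanged: remaining exec, file, @{run}, @{sys} and @{PROC} rules …

  profile unsquashfs {
    include <abstractions/base>

    @{bin}/unsquashfs mr,

    # Image sources and extraction targets observed in the parent profile;
    # narrow these once audit logs show what snapd actually passes in.
    /var/lib/snapd/** r,
    /tmp/snapd@{int}/** rw,
    /tmp/syscheck-squashfs-@{int} r,

    include if exists <local/snapd_unsquashfs>
  }
```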


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener
profile snapd-aa-prompt-listener @{exec_path} {
include <abstractions/base>
@{exec_path} mrix,
@{lib_dirs}/snapd/info r,
@{PROC}/cmdline r,
include if exists <local/snapd-aa-prompt-listener>
}
# vim:syntax=apparmor


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui
profile snapd-aa-prompt-ui @{exec_path} {
include <abstractions/base>
@{exec_path} mrix,
@{lib_dirs}/snapd/info r,
@{PROC}/cmdline r,
include if exists <local/snapd-aa-prompt-ui>
}
# vim:syntax=apparmor


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{lib_dirs}/snapd/snapd-apparmor
profile snapd-apparmor @{exec_path} {
include <abstractions/base>
@{exec_path} mrix,
@{bin}/systemd-detect-virt rPx,
@{bin}/apparmor_parser rPx,
@{lib_dirs}/** mr,
@{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
@{lib_dirs}/snapd/info r,
/var/lib/snapd/apparmor/profiles/ r,
@{PROC}/cmdline r,
include if exists <local/snapd-apparmor>
}
# vim:syntax=apparmor


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh
profile snapd-core-fixup @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/snapd-core-fixup>
}
# vim:syntax=apparmor
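Review bot: The snapd-core-fixup profile attaches to a shell script (`@{lib}/snapd/snapd.core-fixup.sh`) but grants only `@{exec_path} mr` on top of `abstractions/base`, which does not permit opening or mapping the interpreter, so the script is likely to fail at exec time with a denial on the shell. The other script profiles in this commit grant the interpreter explicitly (the steam profile has `@{sh_path} rix,`); the same line, plus `@{coreutils_path} rix,` if the script calls coreutils, would make this profile usable. If the profile is deliberately a stub to be filled from audit logs, a comment saying so would stop readers from treating it as complete.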


@ -0,0 +1,434 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Security objectives of the steam profiles:
# - Ensure no user data is accessed by either steam or steam games
# - Limit what steam/games can access to the host
#
# Overall architecture of the steam profiles:
# steam
# ├── steam//check # Requirements check (sandboxed)
# ├── steam//web # steamwebhelper (sandboxed)
# ├── steam-fossilize # Update shader cache
# ├── steam-runtime # Launcher tasks up to the creation of the sandbox
# │ ├── steam-game-native # Native games
# │ └── steam-game-proton # Proton games (sandboxed)
# ├── steam-gameoverlayui # Steam game overlay
# └── steamerrorreporter # Error reporter
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{share_dirs}/steam.sh
profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/disks-read>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/video>
capability sys_ptrace,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
network unix,
ptrace read,
ptrace trace peer=steam,
signal send peer=steam-game-{native,proton},
signal send peer=steam-launcher,
signal send peer=steam//journalctl,
signal send peer=steam//web,
unix,
@{exec_path} mrix,
@{sh_path} rix,
@{coreutils_path} rix,
@{open_path} rPx -> child-open,
@{bin}/getopt rix,
@{bin}/journalctl rPx -> systemctl,
@{bin}/ldconfig rix,
@{bin}/ldd rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsof rix,
@{bin}/lspci rCx -> lspci,
@{bin}/tar rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xdg-icon-resource rPx,
@{bin}/xdg-user-dir rix,
@{bin}/xz rix,
@{bin}/zenity rix,
@{lib}/@{multiarch}/ld-*.so* rix,
@{lib}/ld-linux.so* rix,
@{lib_dirs}/** mr,
@{lib_dirs}/*driverquery rix,
@{lib_dirs}/fossilize_replay rpx, # steam-fossilize
@{lib_dirs}/gameoverlayui rpx, # steam-gameoverlayui
@{lib_dirs}/reaper rpx, # steam-runtime
@{lib_dirs}/steam* rix,
@{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
@{share_dirs}/linux{32,64}/steamerrorreporter rpx, # steamerrorreporter
@{runtime_dirs}/*entry-point rix,
@{runtime_dirs}/@{arch}/@{bin}/srt-logger rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui} rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, # steam-launcher
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix,
@{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
@{runtime_dirs}/run{,.sh} rix,
@{runtime_dirs}/setup.sh rix,
@{lib}/os-release rk,
/usr/share/fonts/** rk,
/etc/lsb-release r,
/etc/machine-id r,
/etc/timezone r,
/var/lib/dbus/machine-id r,
/ r,
@{bin}/ r,
@{lib}/ r,
/etc/ r,
/home/ r,
/usr/ r,
/usr/local/ r,
/usr/local/lib/ r,
/var/ r,
/var/tmp/ r,
owner @{HOME}/ r,
owner @{HOME}/.steam/{,**} rw,
owner @{HOME}/.steam/registry.vdf rwk,
owner @{HOME}/.steampath rw,
owner @{HOME}/.steampid rw,
owner @{share_dirs}/ rw,
owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
owner @{user_games_dirs}/ rw,
owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{user_config_dirs}/autostart/ r,
owner @{user_config_dirs}/cef_user_data/{,**} r,
owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{user_share_dirs}/applications/*.desktop w,
owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
@{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk,
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
owner @{tmp}/runtime-info.txt.@{rand6} rwk,
owner @{tmp}/steam/ rw,
owner @{tmp}/steam/** rwk,
owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw,
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/n@{int} r,
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/class/net/ r,
@{sys}/class/power_supply/ r,
@{sys}/devices/ r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/input/input@{int}/properties r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r,
@{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
@{sys}/devices/system/ r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/bios_version r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/net/*/ r,
@{sys}/kernel/ r,
@{sys}/power/suspend_stats/success rk,
@{PROC}/ r,
@{PROC}/@{pid}/comm rk,
@{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pid}/net/* r,
@{PROC}/@{pid}/stat r,
@{PROC}/1/cgroup r,
@{PROC}/locks r,
@{PROC}/sys/kernel/sched_autogroup_enabled r,
@{PROC}/sys/kernel/unprivileged_userns_clone r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
@{PROC}/sys/user/max_user_namespaces r,
@{PROC}/version r,
owner @{PROC}/@{pid}/autogroup rw,
owner @{PROC}/@{pid}/cmdline rk,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fd/@{int} rw,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/children r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/input/ r,
/dev/uinput w,
deny /opt/** r,
profile web flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/bwrap>
include <abstractions/common/chromium>
include <abstractions/dconf-write>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/video>
capability dac_override,
capability dac_read_search,
capability sys_chroot,
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
ptrace trace peer=steam//web,
signal receive set=(cont kill term) peer=steam,
unix receive type=stream,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/ldconfig rix,
@{bin}/localedef rix,
@{bin}/readlink rix,
@{bin}/true rix,
@{lib_dirs}/** mr,
@{lib_dirs}/steamwebhelper rix,
@{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
@{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
@{lib}/pressure-vessel/from-host/** rix,
@{run}/host/@{bin}/* rix,
@{run}/host/@{lib}/** rix,
@{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr,
@{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w,
@{run}/host/{,**} r,
/etc/machine-id r,
@{lib}/ r,
/usr/local/lib/ r,
/var/tmp/ r,
owner /bindfile@{rand6} rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner /var/pressure-vessel/ldso/* rw,
owner @{lib_dirs}/.cef-* wk,
owner @{share_dirs}/{,**} r,
owner @{share_dirs}/clientui/** k,
owner @{share_dirs}/config/** rwk,
owner @{share_dirs}/logs/** rwk,
owner @{share_dirs}/public/** k,
@{tmp}/ r,
owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw,
owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw,
owner @{tmp}/#@{int} rw,
owner @{tmp}/dumps/ rw,
owner @{tmp}/dumps/** rwk,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner @{run}/pressure-vessel/** r,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/report_descriptor r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r,
@{sys}/devices/system/cpu/kernel_max r,
@{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mem r,
owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm r,
owner @{PROC}/@{pid}/task/@{tid}/status r,
/dev/ r,
/dev/hidraw@{int} rw,
/dev/tty rw,
include if exists <local/steam_web>
}
profile check flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/common/bwrap>
include <abstractions/nameservice-strict>
capability dac_override,
capability dac_read_search,
unix receive type=stream,
@{bin}/true rix,
@{lib_dirs}/** mr,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix,
/ r,
owner @{HOME}/.steam/root r,
owner @{HOME}/.steam/steam r,
owner @{share_dirs}/ r,
@{PROC}/1/cgroup r,
include if exists <local/steam_check>
}
profile lspci flags=(attach_disconnected,mediate_deleted,complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
unix receive type=stream,
@{bin}/lspci mr,
owner @{HOME}/.steam/steam.pipe r,
@{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/slots/ r,
@{sys}/bus/pci/slots/@{int}/address r,
@{sys}/devices/@{pci}/** r,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
include if exists <local/steam_lspci>
}
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
include if exists <local/steam_systemctl>
}
include if exists <local/steam>
}
# vim:syntax=apparmor
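Review bot: `signal send peer=steam//journalctl,` in the steam profile names a child that nothing in the profile creates: journalctl is executed with `@{bin}/journalctl rPx -> systemctl,`, which transitions to the top-level systemctl profile, not to a child. That also leaves the `profile systemctl { … }` child near the end of the file (the one carrying the journal read rules) unreachable, unless some other rule outside this file transitions into it. If a confined child was intended, `@{bin}/journalctl rCx -> systemctl,` together with `signal send peer=steam//systemctl,` makes the three pieces agree; otherwise the dead child and the signal rule can go. Separately, the architecture comment at the top of the file lists `steam//check` and `steam//web` but not the `lspci` and `systemctl` children nor the `steam-launcher` peer named in the signal rules, so it no longer matches the profile it documents.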


@ -0,0 +1,52 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/fossilize_replay
profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/graphics>
include <abstractions/wayland>
include <abstractions/X-strict>
signal receive peer=steam,
@{exec_path} mr,
@{lib_dirs}/** mr,
owner @{HOME}/.steam/steam.pipe r,
owner @{share_dirs}/logs/container-runtime-info.txt.@{rand6} rw,
owner @{share_dirs}/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw,
owner @{share_dirs}/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk,
owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw,
owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{PROC}/@{pids}/statm r,
@{PROC}/pressure/io r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/steam-fossilize>
}
# vim:syntax=apparmor
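Review bot: The `@{runtime}`, `@{share_dirs}`, `@{lib_dirs}`, `@{runtime_dirs}` and `@{app_dirs}` definitions at the top of steam-fossilize are copied verbatim into steam-game-native and steam-game-proton in this same commit, and they have already drifted from the steam profile, whose `@{lib_dirs}` lacks the `@{share_dirs}/linux{32,64}` alternative that the three copies carry. Because `@{share_dirs}` and `@{lib_dirs}` decide which files the games and the shader-cache helper may map and execute, a future edit to one copy and not the others silently changes the confinement boundary between these profiles. Moving the block into a shared tunable included by all four files (a new `tunables/<steam-tunable-name>`, name to be chosen) removes the duplication; at minimum the four unused variables in this file (`@{runtime}`, `@{runtime_dirs}`, `@{app_dirs}`) could be dropped so the file declares only what it uses.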


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/*/**
profile steam-game-native @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/steam-game>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
network unix stream,
signal receive peer=steam,
@{exec_path} mrix,
@{sh_path} rix,
@{app_dirs}/** mr,
@{lib_dirs}/** mr,
include if exists <local/steam-game-native>
}
# vim:syntax=apparmor


@ -0,0 +1,103 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap
profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/common/bwrap>
include <abstractions/common/steam-game>
include <abstractions/python>
include <abstractions/wine>
capability dac_override,
capability dac_read_search,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network unix stream,
signal receive peer=steam,
unix,
@{exec_path} mr,
@{bin}/bwrap mrix,
@{bin}/chmod rix,
@{bin}/fc-match rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/ldconfig rix,
@{bin}/localedef rix,
@{bin}/python3.@{int} rix,
@{bin}/readlink rix,
@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{bin}/steam-runtime-system-info rix,
@{bin}/steam-runtime-urlopen rix,
@{bin}/true rix,
@{open_path} rix,
@{lib_dirs}/** mr,
@{lib}/pressure-vessel/from-host/@{bin}/* rix,
@{lib}/pressure-vessel/from-host/@{lib}/** rix,
@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{app_dirs}/** mrix,
@{run}/host/@{bin}/ldconfig rix,
@{run}/host/@{bin}/localedef rix,
@{run}/host/@{lib}/** mr,
@{share_dirs}/bin/d3ddriverquery64.exe mr,
@{share_dirs}/steamapps/compatdata/@{int}/pfx/** mr,
@{user_games_dirs}/** mr,
owner /bindfile@{rand6} rw,
owner /var/pressure-vessel/** rw,
owner /var/cache/ldconfig/aux-cache* rw,
owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw,
owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
owner @{app_dirs}/Proton*/** rwkl,
owner @{share_dirs}/*.dll r,
owner @{share_dirs}/bin/ r,
owner @{share_dirs}/installscriptevalutor_log.txt rw,
owner @{share_dirs}/legacycompat/ r,
owner @{share_dirs}/legacycompat/** mr,
owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
owner @{tmp}/glx-icds-@{rand6}/{,**} w,
owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w,
@{run}/host/fonts/{,**} r,
@{run}/host/share/{,**} r,
@{run}/host/usr/{,**} r,
owner @{run}/pressure-vessel/{,**} r,
@{sys}/devices/system/node/node@{int}/cpumap r,
@{sys}/devices/system/node/online r,
@{PROC}/@{pids}/net/* r,
@{PROC}/sys/net/core/bpf_jit_enable r,
include if exists <local/steam-game-proton>
}
# vim:syntax=apparmor
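Review bot: `capability dac_override,` and `capability dac_read_search,` carry no comment saying which pressure-vessel step needs them; combined with `@{bin}/bwrap mrix` and `@{app_dirs}/** mrix`, they let any game-shipped binary running in this profile bypass file permission checks on every path the profile allows. A short why-comment above them is warranted, e.g. `# Needed by srt-bwrap while building the container rootfs (TODO: confirm which operation requires it)`. The `complain` flag on the profile line also deserves a comment explaining why this profile is not enforced, so it is not left in complain mode by accident once the rules settle.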


@ -0,0 +1,74 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/gameoverlayui
profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
network inet stream,
network inet6 stream,
unix,
@{exec_path} mr,
@{lib_dirs}/**.so* mr,
@{runtime_dirs}/@{lib}/**.so* mr,
@{lib_dirs}/steamerrorreporter rpx,
/usr/share/fonts/{,**} rk,
/ r,
/home/ r,
/tmp/ r,
owner @{HOME}/ r,
owner @{HOME}/.steam/registry.vdf rk,
owner @{HOME}/.steam/steam.pipe r,
owner @{lib_dirs}/fontconfig/{,**} rwl,
owner @{share_dirs}/{,**} r,
owner @{share_dirs}/config/DialogConfigOverlay*.vdf rw,
owner @{share_dirs}/public/* rk,
owner @{share_dirs}/resource/{,**} rk,
owner @{share_dirs}/userdata/@{int}/{,**} rk,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner @{tmp}/gameoverlayui.log* rw,
owner @{tmp}/miles_image_@{rand6} mrw,
owner @{tmp}/runtime-info.txt.@{rand6} rw,
owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
@{sys}/ r,
@{sys}/kernel/ r,
@{sys}/devices/ r,
@{sys}/devices/system/ r,
@{sys}/devices/system/cpu/cpu@{int}/ r,
@{PROC}/version r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/steam-gameoverlayui>
}
# vim:syntax=apparmor


@ -0,0 +1,50 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{bin}/steam @{bin}/steam-runtime
profile steam-launch @{exec_path} {
include <abstractions/base>
include <abstractions/python>
network unix stream,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cmp rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/env rix,
@{bin}/id rix,
@{bin}/readlink rix,
@{lib}/steam/steam rix,
@{lib}/steam/bin_steam.sh rix,
@{share_dirs}/steam.sh rPx,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx,
/usr/ r,
/usr/local/ r,
owner @{share_dirs}/bootstrap.tar.xz rw,
/dev/tty rw,
deny /opt/** r,
include if exists <local/steam-launch>
}
# vim:syntax=apparmor


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service
profile steam-launcher @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
network unix stream,
signal receive peer=steam,
@{exec_path} mr,
@{lib_dirs}/** mr,
include if exists <local/steam-launcher>
}
# vim:syntax=apparmor


@ -0,0 +1,87 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/reaper
profile steam-runtime @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/wayland>
include <abstractions/X-strict>
network inet stream,
network inet6 stream,
network unix stream,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/getopt rix,
@{bin}/readlink rix,
@{lib_dirs}/** mr,
@{lib_dirs}/steam-launch-wrapper rix,
# Native linux games (steam-game-native)
@{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**
# Proton games, sandboxed (steam-game-proton)
@{app_dirs}/@{runtime}/*entry-point rmix,
@{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton,
@{app_dirs}/@{runtime}/run rix,
@{bin}/bwrap rpx -> steam-game-proton,
/ r,
@{lib}/ r,
@{lib_dirs}/ r,
owner @{HOME}/.steam/steam.pipe r,
owner @{app_dirs}/*/ r,
owner @{app_dirs}/config/config.vdf{,.*} rw,
owner @{app_dirs}/@{runtime}/** r,
owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
owner @{app_dirs}/@{runtime}/var/** rwk,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
owner @{share_dirs}/config/config.vdf{,.*} rw,
owner @{share_dirs}/steamapps/appmanifest_* rw,
owner @{tmp}/ r,
owner @{tmp}/#@{int} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner @{run}/user/@{uid}/ r,
owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
include if exists <local/steam-runtime>
}
# vim:syntax=apparmor
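Review bot: The trailing comment on `@{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/**` reads as if the rule applied only to the runtime directory, while the `[^S]*` glob does the opposite: it excludes every game directory whose name begins with `S`, not only `@{runtime}`. A game installed under such a directory would then only match `owner @{app_dirs}/*/ r`, which grants no exec, so it would presumably be denied unless another profile attaches to it — worth checking against a real library. Rewording the comment to `# [^S] excludes @{app_dirs}/@{runtime}/** (and any other S* game dir), handled below` makes the intent explicit. `owner @{app_dirs}/config/config.vdf{,.*} rw,` also looks like a stray copy of the later `owner @{share_dirs}/config/config.vdf{,.*} rw,`, since config.vdf lives under @{share_dirs}/config rather than steamapps/common.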


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote
profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
@{exec_path} mr,
@{runtime_dirs}/** mr,
owner @{HOME}/.steam/steam.pipe rw,
include if exists <local/steam-runtime-steam-remote>
}
# vim:syntax=apparmor


@ -0,0 +1,42 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/steamerrorreporter
profile steamerrorreporter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network unix stream,
@{exec_path} mr,
owner @{HOME}/.steam/steam.pipe r,
owner @{lib_dirs}/{,**} r,
owner @{runtime_dirs}/pinned_libs_{32,64}/ r,
owner @{share_dirs}/ r,
owner @{tmp}/dumps/ r,
owner @{tmp}/dumps/*_log.txt rw,
owner @{PROC}/@{pid}/status r,
include if exists <local/steamerrorreporter>
}
# vim:syntax=apparmor