feat(profiles): general update.

2022-08-21 20:16:29 +01:00 · 2022-08-21 20:16:29 +01:00 · 9d4956df0d
commit 9d4956df0d
parent e6e0ef9067
23 changed files with 147 additions and 104 deletions
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -69,15 +69,15 @@ profile snapd @{exec_path} {
  /{usr/,}bin/unsquashfs               rix,
  /{usr/,}bin/update-desktop-database  rPx,

+  /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-*             mr,
+  /{snap/snapd/[0-9]*/,}{usr/,}bin/snap                   rPx,
+  /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3                rix, # TODO: rPx ?
  /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/**        mr,
  /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so   rix,
-  /{snap/snapd/[0-9]*/,}{usr/,}bin/snap                   rPx,
  /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns  rPx,
  /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp     rPx,
  /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns   rPx,
  /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd            rix,
-  /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-*             rPx -> fc-cache,
-  /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3                rix, # TODO: rPx ?

  /usr/share/bash-completion/completions/{,**} r,
  /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
@ -133,7 +133,6 @@ profile snapd @{exec_path} {
  @{sys}/kernel/security/apparmor/features/ r,
  @{sys}/kernel/security/apparmor/profiles r,

-  owner @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/cgroups r,
@ -141,6 +140,7 @@ profile snapd @{exec_path} {
        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/sys/kernel/seccomp/actions_avail r,
        @{PROC}/version r,
+  owner @{PROC}/@{pids}/mountinfo r,

  /dev/loop-control rw,

--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -32,7 +32,7 @@ profile steam @{exec_path} {
  network inet6 stream,
  network netlink raw,

-  ptrace (read) peer=steam-*,
+  ptrace (read),

  signal (send) peer=steam-game,
  signal (read),
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -91,6 +91,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  @{steamruntime}/pressure-vessel/lib{,exec}/** mrix,
  @{steamruntime}/run rix,

+  @{user_share_dirs}/Steam/bin/ r,
+  @{user_share_dirs}/Steam/bin/* mr,
  @{user_share_dirs}/Steam/legacycompat/ r,
  @{user_share_dirs}/Steam/legacycompat/** mr,
  @{user_share_dirs}/Steam/linux{32,64}/ r,
@ -139,6 +141,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/Steam/ r,
  owner @{user_share_dirs}/Steam/* r,
  owner @{user_share_dirs}/Steam/*log* rw,
+  owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
  owner @{user_share_dirs}/Steam/steamapps/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/*/ r,