feat(profile): update steam profiles.

Alexandre Pujol 2025-04-26 17:23:30 +02:00
parent 3295a1334a
commit b3da8d4be7
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 49 additions and 14 deletions


@ -21,7 +21,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@ -174,6 +174,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{tmp}/steam/** rwk, owner @{tmp}/steam/** rwk,
owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/steam@{rand6}/{,**} rw,
owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
owner @{tmp}/steam@{rand6} rwk,
owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,
owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw,
@ -292,6 +293,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{run}/host/@{lib}/** rix, @{run}/host/@{lib}/** rix,
@{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr,
@{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr,
@{share_dirs}/linux{32,64}/steamclient.so mr,
@{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w,
@ -302,12 +305,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/ r, @{lib}/ r,
/usr/local/lib/ r, /usr/local/lib/ r,
/var/tmp/ r, /var/tmp/ r,
/home/ r,
owner /bindfile@{rand6} rw, owner /bindfile@{rand6} rw,
owner /var/cache/ldconfig/aux-cache* rw, owner /var/cache/ldconfig/aux-cache* rw,
owner /var/pressure-vessel/ldso/* rw, owner /var/pressure-vessel/ldso/* rw,
owner @{HOME}/ r,
owner @{lib_dirs}/.cef-* wk, owner @{lib_dirs}/.cef-* wk,
owner @{share_dirs}/{,**} r, owner @{share_dirs}/{,**} r,
@ -348,6 +354,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/devices/virtual/tty/tty@{int}/active r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/version r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/kernel/yama/ptrace_scope r,
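Review bot: The added `/home/ r,` in the third hunk hard-codes the home root and is not `owner`-qualified, so the confined Steam client can list the directory name of every local account. It also will not match on systems that keep home directories elsewhere. If the listing is really required, `@{HOMEDIRS}/ r,` would follow the site's tunables (assuming `tunables/home` is reached through `tunables/global`, which is not visible here). A one-line comment naming the component that needs it would help the next reviewer. The profile body starts and ends outside these hunks.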


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@ -39,11 +39,13 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/cpumap r,
@{PROC}/@{pids}/statm r, @{PROC}/@{pid}/statm r,
@{PROC}/pressure/io r, @{PROC}/pressure/io r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny network inet stream,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/steam-fossilize> include if exists <local/steam-fossilize>
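Review bot: The new `deny network inet stream,` has no comment, and an explicit deny also suppresses the audit record, so a later reader cannot tell whether it is hardening or log-noise suppression. It covers IPv4 TCP only. If the profile has no network allow rules (its full body is outside the hunk), `inet6 stream` and datagram attempts are still refused by default but will keep appearing in the log. If quiet denial is the intent, I would add `# no network access needed; deny without logging` above it and pair it with `deny network inet6 stream,`.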


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}


@ -6,7 +6,8 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime_name} = sniper soldier
@{runtime} = SteamLinuxRuntime_@{runtime_name}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@ -35,18 +36,24 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap mrix, @{bin}/bwrap mrix,
@{sh_path} rix,
@{bin}/cat rix,
@{bin}/env rix,
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/fc-match rix, @{bin}/fc-match rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/ldconfig rix, @{bin}/ldconfig rix,
@{bin}/ln rix,
@{bin}/localedef rix, @{bin}/localedef rix,
@{python_path} rix, @{bin}/mkdir rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-launcher-interface-@{int} rix,
@{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-system-info rix,
@{bin}/steam-runtime-urlopen rix, @{bin}/steam-runtime-urlopen rix,
@{bin}/true rix, @{bin}/true rix,
@{python_path} rix,
@{open_path} rix, @{open_path} rix,
@{lib_dirs}/** mr, @{lib_dirs}/** mr,
@ -54,6 +61,14 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
@{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/pressure-vessel/from-host/@{lib}/** rix,
@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
# TODO stack with steam ? rpx -> steam-game-proton&//steam,
@{runtime_dirs}/run.sh rix,
@{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix,
@{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix,
@{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix,
@{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix,
@{app_dirs}/** mrix, @{app_dirs}/** mrix,
@{run}/host/@{bin}/ldconfig rix, @{run}/host/@{bin}/ldconfig rix,
@ -72,6 +87,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw,
owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw,
owner @{app_dirs}/Proton*/** rwkl, owner @{app_dirs}/Proton*/** rwkl,
owner @{share_dirs}/*.dll r, owner @{share_dirs}/*.dll r,
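Review bot: The new `owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw,` in the last hunk makes `run.sh` in that directory writable, while the third hunk grants the same path `rix`. A file the profile may rewrite is therefore also one it executes under the inherited profile. The three added `@{app_dirs}/SteamLinuxRuntime/var/steam-runtime/...` exec rules are already covered by the existing `@{app_dirs}/** mrix,` context line, so they permit nothing new. If only specific state files need writing, name them instead of `*`, for example `owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/<written-file> rw,` (placeholder). The profile is in complain mode and its body extends beyond these hunks, so this starts to matter once it is enforced.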


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@ -49,6 +49,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/resource/{,**} rk,
owner @{share_dirs}/userdata/@{int}/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk,
owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/ValveIPCSHM_@{uid} rw,


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@ -36,6 +36,8 @@ profile steam-launch @{exec_path} {
@{lib}/steam/bin_steam.sh rix, @{lib}/steam/bin_steam.sh rix,
@{share_dirs}/steam.sh rPx, @{share_dirs}/steam.sh rPx,
@{lib_dirs}/** mr,
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r,
@{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix,
@ -44,7 +46,10 @@ profile steam-launch @{exec_path} {
/usr/local/ r, /usr/local/ r,
owner @{share_dirs}/bootstrap.tar.xz rw, owner @{share_dirs}/bootstrap.tar.xz rw,
owner @{share_dirs}/logs/ r,
owner @{share_dirs}/logs/* rwk,
owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw,
owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw,
owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fd/@{int} rw,
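Review bot: The added `@{lib_dirs}/** mr,` in the second hunk lets the launcher map as executable any file under the Steam library trees, and it is not `owner`-qualified. Per the tunables at the top of this file those trees sit under `@{user_share_dirs}/Steam` and `@{HOME}/.steam`, which are user-writable. If only shared objects need mapping, a narrower pair such as `owner @{lib_dirs}/** r,` and `owner @{lib_dirs}/**.so* mr,` keeps the launcher working without granting `m` on arbitrary files. The rest of the profile body is outside the hunk, so confirm nothing else relies on the broad form.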


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}


@ -6,7 +6,8 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime_name} = sniper soldier
@{runtime} = SteamLinuxRuntime_@{runtime_name}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@ -50,16 +51,17 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
@{lib}/ r, @{lib}/ r,
@{lib_dirs}/ r, @{lib_dirs}/ r,
owner @{HOME}/ r,
owner @{HOME}/.steam/steam.pipe r, owner @{HOME}/.steam/steam.pipe r,
owner @{app_dirs}/*/ r, owner @{app_dirs}/*/ r,
owner @{app_dirs}/config/config.vdf{,.*} rw, owner @{app_dirs}/config/config.vdf{,.*} rw,
owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/** r,
owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk,
owner @{app_dirs}/@{runtime}/var/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**,
owner @{share_dirs}/config/config.vdf{,.*} rw, owner @{share_dirs}/config/config.vdf{,.*} rw,
owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/appmanifest_* rw,
@ -78,6 +80,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
/dev/tty rw, /dev/tty rw,
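Review bot: In the second hunk `@{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**` puts two multi-valued variables in one path, and AppArmor expands each independently. The `rwk` rule and the matching `link` rule therefore also permit mismatched pairs such as `SteamLinuxRuntime_sniper/soldier_platform_*`. That is a small over-grant rather than a breakage, but it is not obvious from reading the line. Either add a comment like `# expands to every runtime/platform combination` or write the sniper and soldier rules out separately.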


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{runtime} = SteamLinuxRuntime_sniper @{runtime} = SteamLinuxRuntime_{sniper,soldier}
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}