# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Default profile for steam games

# TODO:
# Split this profile in three:
# - steam-game-native for native linux games
# - steam-runtime for all runtime related task up to the creation of the sandbox
# - steam-game-proton for the sandboxed proton games
# Requirments:
# - AppArmor supports for {*^} regex
# - AppArmor supports change profile from pivot_root 
# - Bypass no-new-privs issue

abi <abi/3.0>,

include <tunables/global>

@{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
@{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
profile steam-game @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/common/bwrap>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>

  capability dac_override,
  capability dac_read_search,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  signal (receive) peer=steam,

  unix (receive) type=stream,

  @{exec_path} mrix,

  @{sh_path}                                 rix,
  @{bin}/bwrap                               rix,
  @{bin}/env                                 rix,
  @{bin}/getopt                              rix,
  @{bin}/gzip                                rix,
  @{bin}/localedef                           rix,
  @{bin}/python3.@{int}                      rix,
  @{bin}/readlink                            rix,
  @{bin}/steam-runtime-launcher-interface-*  rix,
  @{bin}/steam-runtime-system-info           rix,
  @{bin}/timeout                             rix,
  @{bin}/true                                rix,
  @{bin}/uname                               rix,
  @{bin}/xdg-open                            rPx,

  @{lib}/pressure-vessel/from-host/bin/pressure-vessel-adverb rix,
  @{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
  @{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
  @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
  @{lib}/steam-runtime-tools*/* mrix,

  @{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
  @{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
  @{runtime}/pressure-vessel/bin/pv-bwrap rix,
  @{runtime}/pressure-vessel/bin/steam-runtime-launcher-interface-* rix,
  @{runtime}/pressure-vessel/lib{,exec}/ r,
  @{runtime}/pressure-vessel/lib{,exec}/** mrix,
  @{runtime}/run rix,

  @{steam_lib_dirs}/{,**} r,
  @{steam_lib_dirs}/**.so*  mr,
  @{steam_lib_dirs}/reaper rix,
  @{steam_lib_dirs}/steam-launch-wrapper rm,
  @{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
  @{user_share_dirs}/Steam/bin/ r,
  @{user_share_dirs}/Steam/bin/* mr,
  @{user_share_dirs}/Steam/d3ddriverquery64.dxvk-cache rw,
  @{user_share_dirs}/Steam/legacycompat/ r,
  @{user_share_dirs}/Steam/legacycompat/** mr,
  @{user_share_dirs}/Steam/linux{32,64}/ r,
  @{user_share_dirs}/Steam/linux{32,64}/**.so* mr,
  @{user_share_dirs}/Steam/standalone_installscript_progress_@{int}.vdf rw,
  @{user_share_dirs}/Steam/steamapps/common/*/* mr,
  @{user_share_dirs}/Steam/steamapps/common/Proton*/ r,
  @{user_share_dirs}/Steam/steamapps/common/Proton*/files/bin/*  mrix,
  @{user_share_dirs}/Steam/steamapps/common/Proton*/files/lib{,32,64}/** mrix,
  @{user_share_dirs}/Steam/steamapps/common/Proton*/proton rix,
  @{user_share_dirs}/Steam/steamapps/compatdata/@{int}/pfx/**.dll rm,

  @{user_games_dirs}/*/* mr,
  @{user_games_dirs}/*/**.dll mr,

  @{run}/host/usr/bin/ldconfig rix,
  @{run}/host/usr/lib{,32,64}/**.so* rm,
  @{run}/host/usr/bin/localedef rix,

  /usr/share/terminfo/** r,

  /etc/machine-id r,
  /etc/udev/udev.conf r,
  /var/lib/dbus/machine-id r,

  /var/cache/ldconfig/aux-cache* rw,

  / r,
  /{usr/,}{local/,} r,
  /{usr/,}{local/,}lib{,32,64}/ r,
  /bindfile@{rand6} rw,
  /home/ r,
  /tmp/ r,

  owner @{HOME}/ r,
  owner @{HOME}/.steam/steam.pid r,
  owner @{HOME}/.steam/steam.pipe r,

  owner @{user_games_dirs}/{,*/} r,
  owner @{user_games_dirs}/*/{,**} rwkl,

  owner @{user_config_dirs}/unity3d/{,**} rwk,

  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/Steam/ r,
  owner @{user_share_dirs}/Steam/* r,
  owner @{user_share_dirs}/Steam/*log* rw,
  owner @{user_share_dirs}/Steam/config/config.vdf* rw,
  owner @{user_share_dirs}/Steam/logs/{,*} rw,
  owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
  owner @{user_share_dirs}/Steam/steamapps/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl,
  owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r,
  owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk,
  owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
  owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,

        @{run}/host/ r,
        @{run}/host/container-manager r,
        @{run}/host/fonts/{,**} r,
        @{run}/host/share/{,**} r,
        @{run}/host/usr/{,**} r,
  owner @{run}/pressure-vessel/{,**} rw,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/orcexec.* mrw,  # gstreamer

  owner /dev/shm/#@{int} rw,
  owner /dev/shm/mono.* rw,
  owner /dev/shm/u@{uid}-Shm_@{hex} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
  owner /dev/shm/wine-*-fsync rw,

  owner /tmp/.wine-@{uid}/server-*/* rwk,
  owner /tmp/** rw,
  owner /tmp/miles_image_* mr,
  owner /tmp/pressure-vessel-*/{,**} rwl,

  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad

  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{run}/udev/data/c116:@{int} r,         # for ALSA
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/**/{vendor,product} r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/@{pci}/sound/card@{int}/** r,
  @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
  @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
  @{sys}/devices/system/cpu/** r,
  @{sys}/devices/system/node/node[0-9]/cpumap r,
  @{sys}/devices/system/node/online r,
  @{sys}/devices/virtual/dmi/id/* r,
  @{sys}/kernel/ r,

        @{PROC}/@{pids}/net/dev r,
        @{PROC}/@{pids}/net/route r,
        @{PROC}/uptime r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  /dev/hidraw@{int} rw,
  /dev/input/ r,
  /dev/input/* rw,
  /dev/tty rw,
  /dev/uinput rw,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/steam-game>
}