felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/profiles-s-z/steam-game
Alexandre Pujol b88b8b8c26
refractor(abs): move common and app abstraction to their own abstractions subfolder. 
As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.
2024-03-27 15:11:21 +00:00

214 lines
No EOL
7.4 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for steam games
# TODO:
# Split this profile in three:
# - steam-game-native for native linux games
# - steam-runtime for all runtime related task up to the creation of the sandbox
# - steam-game-proton for the sandboxed proton games
# Requirments:
# - AppArmor supports for {*^} regex
# - AppArmor supports change profile from pivot_root
# - Bypass no-new-privs issue
abi <abi/3.0>,
include <tunables/global>
@{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
@{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
profile steam-game @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/audio-client>
include <abstractions/common/bwrap>
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-write>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/ssl_certs>
capability dac_override,
capability dac_read_search,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
signal (receive) peer=steam,
unix (receive) type=stream,
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/bwrap rix,
@{bin}/env rix,
@{bin}/getopt rix,
@{bin}/gzip rix,
@{bin}/localedef rix,
@{bin}/python3.@{int} rix,
@{bin}/readlink rix,
@{bin}/steam-runtime-launcher-interface-* rix,
@{bin}/steam-runtime-system-info rix,
@{bin}/timeout rix,
@{bin}/true rix,
@{bin}/uname rix,
@{bin}/xdg-open rPx,
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-adverb rix,
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
@{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
@{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
@{lib}/steam-runtime-tools*/* mrix,
@{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
@{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
@{runtime}/pressure-vessel/bin/pv-bwrap rix,
@{runtime}/pressure-vessel/bin/steam-runtime-launcher-interface-* rix,
@{runtime}/pressure-vessel/lib{,exec}/ r,
@{runtime}/pressure-vessel/lib{,exec}/** mrix,
@{runtime}/run rix,
@{steam_lib_dirs}/{,**} r,
@{steam_lib_dirs}/**.so* mr,
@{steam_lib_dirs}/reaper rix,
@{steam_lib_dirs}/steam-launch-wrapper rm,
@{steam_lib_dirs}/steam-runtime/{usr/,}lib{exec,}/** mrix,
@{user_share_dirs}/Steam/bin/ r,
@{user_share_dirs}/Steam/bin/* mr,
@{user_share_dirs}/Steam/d3ddriverquery64.dxvk-cache rw,
@{user_share_dirs}/Steam/legacycompat/ r,
@{user_share_dirs}/Steam/legacycompat/** mr,
@{user_share_dirs}/Steam/linux{32,64}/ r,
@{user_share_dirs}/Steam/linux{32,64}/**.so* mr,
@{user_share_dirs}/Steam/standalone_installscript_progress_@{int}.vdf rw,
@{user_share_dirs}/Steam/steamapps/common/*/* mr,
@{user_share_dirs}/Steam/steamapps/common/Proton*/ r,
@{user_share_dirs}/Steam/steamapps/common/Proton*/files/bin/* mrix,
@{user_share_dirs}/Steam/steamapps/common/Proton*/files/lib{,32,64}/** mrix,
@{user_share_dirs}/Steam/steamapps/common/Proton*/proton rix,
@{user_share_dirs}/Steam/steamapps/compatdata/@{int}/pfx/**.dll rm,
@{user_games_dirs}/*/* mr,
@{user_games_dirs}/*/**.dll mr,
@{run}/host/usr/bin/ldconfig rix,
@{run}/host/usr/lib{,32,64}/**.so* rm,
@{run}/host/usr/bin/localedef rix,
/usr/share/terminfo/** r,
/etc/machine-id r,
/etc/udev/udev.conf r,
/var/lib/dbus/machine-id r,
/var/cache/ldconfig/aux-cache* rw,
/ r,
/{usr/,}{local/,} r,
/{usr/,}{local/,}lib{,32,64}/ r,
/bindfile@{rand6} rw,
/home/ r,
/tmp/ r,
owner @{HOME}/ r,
owner @{HOME}/.steam/steam.pid r,
owner @{HOME}/.steam/steam.pipe r,
owner @{user_games_dirs}/{,*/} r,
owner @{user_games_dirs}/*/{,**} rwkl,
owner @{user_config_dirs}/unity3d/{,**} rwk,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/Steam/ r,
owner @{user_share_dirs}/Steam/* r,
owner @{user_share_dirs}/Steam/*log* rw,
owner @{user_share_dirs}/Steam/config/config.vdf* rw,
owner @{user_share_dirs}/Steam/logs/{,*} rw,
owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
owner @{user_share_dirs}/Steam/steamapps/ r,
owner @{user_share_dirs}/Steam/steamapps/common/ r,
owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl,
owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r,
owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk,
owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
@{run}/host/ r,
@{run}/host/container-manager r,
@{run}/host/fonts/{,**} r,
@{run}/host/share/{,**} r,
@{run}/host/usr/{,**} r,
owner @{run}/pressure-vessel/{,**} rw,
owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer
owner /dev/shm/#@{int} rw,
owner /dev/shm/mono.* rw,
owner /dev/shm/u@{uid}-Shm_@{hex} rw,
owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
owner /dev/shm/ValveIPCSHM_@{uid} rw,
owner /dev/shm/wine-*-fsync rw,
owner /tmp/.wine-@{uid}/server-*/* rwk,
owner /tmp/** rw,
owner /tmp/miles_image_* mr,
owner /tmp/pressure-vessel-*/{,**} rwl,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c116:@{int} r, # for ALSA
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hidraw/ r,
@{sys}/class/input/ r,
@{sys}/devices/**/input@{int}/ r,
@{sys}/devices/**/input@{int}/**/{vendor,product} r,
@{sys}/devices/**/input@{int}/capabilities/* r,
@{sys}/devices/**/input/input@{int}/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/@{pci}/sound/card@{int}/** r,
@{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
@{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
@{sys}/devices/system/cpu/** r,
@{sys}/devices/system/node/node[0-9]/cpumap r,
@{sys}/devices/system/node/online r,
@{sys}/devices/virtual/dmi/id/* r,
@{sys}/kernel/ r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/net/route r,
@{PROC}/uptime r,
@{PROC}/version r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
/dev/hidraw@{int} rw,
/dev/input/ r,
/dev/input/* rw,
/dev/tty rw,
/dev/uinput rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/steam-game>
}
Reference in a new issue View git blame Copy permalink