dconf-write, games, vulkan-strict abstractions #577

Open
odomingao opened this issue Oct 23, 2024 · 2 comments

Comments

odomingao (Contributor) commented Oct 23, 2024

  • Regarding dconf-write, it should have write permissions to `@{user_config_dirs}/glib-2.0/` and settings directories, because these are not created by default, at least in Arch.

  • About vulkan-strict, some games want to write to `owner @{user_cache_dirs}/radv_builtin_shaders*`.

  • About the games abstraction:

      • I believe that it should have rw in `@{user_games_dirs}/*/` because of installers.

      • `owner @{user_games_dirs}/*/** rwlk,` should have `m` too.

      • Also consider adding `/mnt/ r,` and `@{MOUNTS}/ r,` to the profile, as `owner @{HOME}/ r,` is already granted.

      • Consider removing rpx transitions from the profile, as that breaks profiles with no new privs that include the game abstraction.

  • Should wine things like `owner /tmp/.wine-@{uid}/` also be included in the profile? Maybe we should create an abstraction for it.

  • If so, I'm thinking that maybe we should also create an abstraction for gamescope?

  • What about mangohud configuration?

For reference here's the profile I've been working on, maybe some other stuff that I included in it should be moved to abstractions:

```
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 odomingao
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{terminals} = alacritty foot konsole* gnome-terminal
@{term_path} = @{bin}/@{terminals}
@{term_config_dir} = /etc/xdg/foot @{user_config_dirs}/@{terminals}
@{term_data_dir} = @{lib}/@{terminals}

@{exec_path} = @{bin}/bottles
profile bottles @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/game>
  include <abstractions/consoles>
  include <abstractions/dconf-write>

  network inet  dgram,
  network inet6 dgram,
  network inet  stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mr,

  @{coreutils_path} ix,
  @{shells_path} ix,

  @{term_path} rix,
  @{term_data_dir}/{,**} r,
  @{term_config_dir}/{,**} r,

  @{bin}/ r,
  @{bin}/cabextract ix,
  @{bin}/gamemoderun rix,
  @{bin}/gamescope ix,
  @{bin}/gamescopereaper ix,
  @{bin}/kill ix,
  @{bin}/kmod ix,
  @{bin}/lsmod ix,
  @{bin}/lspci ix,
  @{bin}/mangoapp ix,
  @{bin}/mangohud rix,
  @{bin}/pgrep ix,
  @{bin}/xkbcomp ix,
  @{bin}/Xwayland ix,

  # System WINE
  @{bin}/msidb ix,
  @{bin}/msiexec ix,
  @{bin}/notepad ix,
  @{bin}/regedit ix,
  @{bin}/regsvr32 ix,
  @{bin}/wine* rix,

  @{lib}/utempter/utempter ix,
  @{lib}/wine/ r,
  @{lib}/wine/** m,

  /usr/share/bottles/{,**} r,
  /usr/share/hwdata/pci.ids r,
  /usr/share/wine/{,**} r,
  /usr/share/wine/** m,

  /etc/ r,
  /etc/arch-release r,
  /etc/fstab r,
  /etc/lsb-release r,
  /etc/mime.types r,
  /etc/shells r,

  /var/cache/ w,

  /mnt/ r,
  @{MOUNTS}/ r,

  owner @{HOME}/@{rand8} rw,

  # Unfortunately, a few games like to clutter $HOME :(
  owner @{HOME}/NBGI/{,**} rw, # Dark Souls Remastered

  owner @{user_games_dirs}/** m,

  owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp*} rw,
  owner @{user_cache_dirs}/radv_builtin_shaders* rw,

  owner @{user_config_dirs}/glib-2.0/{,**} rw,
  owner @{user_config_dirs}/MangoHud/{,**} r,

  owner @{user_share_dirs}/bottles/ rw,
  owner @{user_share_dirs}/bottles/** mrwixkl,

  owner /tmp/@{rand8} rw,
  owner /tmp/tmp*.sh rwix,
  owner /tmp/tmp@{rand8}.sh rwix,
  owner /tmp/v_@{rand6} rw,
  owner /tmp/.wine-@{uid}/{,**} rw,
  owner /tmp/.wine-@{uid}/** mk,
  owner @{run}/user/@{uid}/gamescope-@{int} w,
  owner @{run}/user/@{uid}/gamescope-@{int}.lock rwk,
  owner @{run}/user/@{uid}/gamescope-@{int}-ei w,
  owner @{run}/user/@{uid}/gamescope-@{int}-ei.lock rwk,
  owner @{run}/user/@{uid}/gamescope-limiter-@{rand8} rw,
  owner @{run}/user/@{uid}/gamescope-shm-@{rand8} rw,
  owner @{run}/user/@{uid}/server-@{int}.xkm rw,
  owner /dev/shm/wine-* rw,

  @{sys}/devices/@{pci}/**/abs r,
  @{sys}/devices/@{pci}/**/ev r,
  @{sys}/devices/@{pci}/**/key r,
  @{sys}/devices/@{pci}/**/rel r,

  @{PROC}/ r,
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/map_files/ r,
  @{PROC}/@{pid}/net/dev r,
  @{PROC}/@{pid}/net/ipv6_route r,
  @{PROC}/@{pid}/net/route r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/bus/pci/@{int}/{,**} r,
  @{PROC}/bus/pci/devices r,
  @{PROC}/cmdline r,
  @{PROC}/sys/net/core/bpf_jit_enable r,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  @{PROC}/tty/drivers r,
  owner @{PROC}/@{pid}/environ r,
  owner @{PROC}/@{pid}/mountinfo r,

  owner /dev/pts/ptmx rw,
  owner /dev/tty@{int} rw, # file_inherit

  include if exists <local/bottles>
}
```
roddhjav (Owner) commented Oct 23, 2024

In general, Bottles is a mess to confine (it supports handling sandboxing with bwrap), so you might need something similar to what I did with Steam. Regarding this profile, you should try to split it in two: bottles and bottles-game.

> About vulkan-strict, some games want to write to `owner @{user_cache_dirs}/radv_builtin_shaders*`.

Can you be more precise about the value of `*` in this context?

> I believe that it should have rw in `@{user_games_dirs}/*/` because of installers

Not directly in the abstraction. Ideally this folder should be read-only in the game profile. The general idea (in Steam, but that could apply to Bottles too) is that Steam handles game updates and installs, so that the game files can be fully RO in the game profile.

> `owner @{user_games_dirs}/*/** rwlk,` should have `m` too

Not in the abstraction; that is set in the calling profile if needed (see the Steam games profile as an example).

> consider removing rpx transitions from the profile as that breaks profiles with no new privs that include the game abstraction

Removing Px from the abstraction is a good idea. In general, ix, Ux and Px rules are best avoided in abstractions that can be used for various purposes.

> `owner @{HOME}/NBGI/{,**} rw, # Dark Souls Remastered`

This is the purpose of the XDG_GAMESSTUDIO_DIR variable.

> should wine things like `owner /tmp/.wine-@{uid}/` also be included in the profile? Maybe we should create an abstraction for it.
>
> If so, I'm thinking that maybe we should also create an abstraction for gamescope?
>
> What about mangohud configuration?

I did not test gamescope and mangohud so I don't know; however, I do agree with the general idea to create an abstraction for it (and wine).

odomingao (Contributor, Author) commented

Thanks for the reply!

> Can you be more precise about the value of `*` in this context?

Things like:

```
DENIED cemu mknod owner @{user_cache_dirs}/radv_builtin_shaders64NdS0BV comm=LatteThread requested_mask=c denied_mask=c
```
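The `*` question above comes down to what actually varies across several such denials. As an added example (not part of apparmor.d or of this thread), here is a small Python script that groups aa-log style `DENIED` lines by profile, ownership and directory, merges the requested masks, and replaces a same-length alphanumeric tail with the matching `@{randN}` variable, so the reviewer sees `@{rand8}` instead of an open-ended `*`. The line format is assumed from the single line quoted above; all sample lines except that one are constructed.

```python
import re
from collections import defaultdict
from os.path import commonprefix

# Line shape as printed in the thread: DENIED <profile> <op> [owner] <path> key=value ...
LINE_RE = re.compile(r"^DENIED\s+(?P<profile>\S+)\s+(?P<op>\S+)\s+(?P<owner>owner\s+)?(?P<path>\S+)\s+(?P<kv>.*)$")
# Kernel mask letters -> rule permission letters; create/append/delete are all covered by 'w'.
# Execute ('x') is left out on purpose: it needs an ix/Px/Cx decision made by hand.
MASK_MAP = {"c": "w", "a": "w", "d": "w", "r": "r", "w": "w", "l": "l", "k": "k", "m": "m"}
PERM_ORDER = "mrwlk"

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m["kv"].split() if "=" in item)
    return {"profile": m["profile"], "owner": bool(m["owner"]), "path": m["path"], "mask": kv.get("requested_mask", "")}

def perms(masks):
    # Merge every requested mask of a group into one canonical permission string.
    letters = {MASK_MAP[c] for mask in masks for c in mask if c in MASK_MAP}
    return "".join(c for c in PERM_ORDER if c in letters)

def generalize(paths):
    uniq = sorted(set(paths))
    prefix = commonprefix(uniq)
    if len(uniq) == 1 or len(prefix) == prefix.rfind("/") + 1:
        return uniq  # one file, or names sharing nothing beyond the directory: keep them apart
    tails = [p[len(prefix):] for p in uniq]
    n = len(tails[0])
    if n in (6, 8) and all(len(t) == n and t.isalnum() for t in tails):
        return [f"{prefix}@{{rand{n}}}"]  # @{rand6}/@{rand8} are the variables used in this thread
    return [prefix + "*"]  # tails differ in shape: fall back to a plain glob

def suggest_rules(lines):
    groups = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        groups[(rec["profile"], rec["owner"], rec["path"].rsplit("/", 1)[0])].append(rec)
    rules = []
    for (profile, owner, _dir), recs in sorted(groups.items()):
        p = perms(r["mask"] for r in recs)
        if not p: continue  # execute-only denials are skipped, see MASK_MAP
        for pattern in generalize([r["path"] for r in recs]):
            rules.append((profile, f"{'owner ' if owner else ''}{pattern} {p},"))
    return rules

# Constructed sample: the first line is the one quoted in the thread, the rest are made up.
SAMPLE = """\
DENIED cemu mknod owner @{user_cache_dirs}/radv_builtin_shaders64NdS0BV comm=LatteThread requested_mask=c denied_mask=c
DENIED cemu mknod owner @{user_cache_dirs}/radv_builtin_shadersQ9xT3kLm comm=LatteThread requested_mask=c denied_mask=c
DENIED cemu open owner @{user_cache_dirs}/radv_builtin_shaders64NdS0BV comm=LatteThread requested_mask=wr denied_mask=wr
DENIED bottles open /etc/arch-release comm=bottles requested_mask=r denied_mask=r
""".splitlines()
```

Running `suggest_rules(SAMPLE)` yields `owner @{user_cache_dirs}/radv_builtin_shaders@{rand8} rw,` for cemu and `/etc/arch-release r,` for bottles; a tail of unexpected length falls back to `*` so a human still has to look at it.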
