roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

More Steam breakage from flatpak profiles #377

Open Stoppedpuma opened 3 weeks ago

Stoppedpuma commented 3 weeks ago

This is probably going to be a headache to support.

DENIED  flatpak-app open /dev/input/event2 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event3 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event4 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event5 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event6 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event10 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event13 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event14 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event15 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event16 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event17 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event18 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event19 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app file_lock owner /mnt/ss-zpool/SteamLibrary/libraryfolder.vdf comm=IPC:CSteamEngin requested_mask=k denied_mask=k
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/logs/steamwebhelper.log comm=gdbus requested_mask=a denied_mask=a
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-B8NGP2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-1RM5O2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-0WX0O2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-ILKFP2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-YQH3O2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-FUWVO2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr

Additional stuff from when the profile is in complain mode:

ALLOWED flatpak-app open /dev/input/event2 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event3 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event4 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event5 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event6 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event10 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event13 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event14 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event15 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event16 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event17 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event18 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event19 comm=winedevice.exe requested_mask=r denied_mask=r
ALLOWED flatpak-app open /dev/input/event2 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event3 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event4 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event5 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event6 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event10 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event13 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event14 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event15 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event16 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event17 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event18 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open /dev/input/event19 comm=winedevice.exe requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open owner @{PROC}/@{pid}/pagemap comm=wine requested_mask=r denied_mask=r
ALLOWED flatpak-app open @{PROC}/sys/net/core/bpf_jit_enable comm=steam.exe requested_mask=r denied_mask=r

Stoppedpuma commented 3 weeks ago
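The denials pasted above are in the condensed one-line format that aa-log prints, and most of them differ only in a device number or a random temp-directory name. The script below is an added example (not part of this issue or of apparmor.d's own tooling): it parses lines in that format, collapses the numeric and random components into the `@{int}` and `@{rand6}` variables that apparmor.d's tunables define (assumed available in the profile's include set), merges the denied masks per path, and prints one candidate rule per profile. The embedded log is a constructed subset of the lines from the issue. Generated rules widen a profile, so each one should be reviewed before it is added.

```python
"""Summarise AppArmor DENIED lines (aa-log condensed format) into candidate file rules.

Line shape handled:
    DENIED  <profile> <operation> [owner] <path> comm=<comm> requested_mask=<m> denied_mask=<m>
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines reported in the issue.
LOG = """\
DENIED  flatpak-app open /dev/input/event2 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app open /dev/input/event19 comm=steam requested_mask=r denied_mask=r
DENIED  flatpak-app file_lock owner /mnt/ss-zpool/SteamLibrary/libraryfolder.vdf comm=IPC:CSteamEngin requested_mask=k denied_mask=k
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/logs/steamwebhelper.log comm=gdbus requested_mask=a denied_mask=a
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-B8NGP2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
DENIED  flatpak-portal file_receive owner @{HOME}/.var/app/com.valvesoftware.Steam/.local/share/Steam/steamapps/common/SteamLinuxRuntime_sniper/var/tmp-1RM5O2/usr/.ref comm=gdbus requested_mask=wr denied_mask=wr
ALLOWED flatpak-app open owner @{PROC}/@{pid}/pagemap comm=wine requested_mask=r denied_mask=r
"""

LINE_RE = re.compile(
    r"^(?P<verdict>DENIED|ALLOWED)\s+(?P<profile>\S+)\s+(?P<op>\S+)\s+"
    r"(?P<owner>owner\s+)?(?P<path>\S+)\s+comm=(?P<comm>\S+)\s+"
    r"requested_mask=(?P<req>\S+)\s+denied_mask=(?P<denied>\S+)\s*$"
)

# Heuristic generalisers, applied in order. The variable names follow apparmor.d's
# tunables (assumption: @{int} and @{rand6} are defined in the profile's includes).
GENERALISERS = [
    # tmp-B8NGP2 -> tmp-@{rand6}  (six random alphanumerics after "tmp-")
    (re.compile(r"(?<=tmp-)[A-Za-z0-9]{6}(?=/|$)"), "@{rand6}"),
    # event2 -> event@{int}  (trailing digits of a path component)
    (re.compile(r"(?<=[A-Za-z_-])\d+(?=/|$)"), "@{int}"),
]

# Canonical order for the permission letters in an AppArmor file rule.
PERM_ORDER = "rwalkm"


def generalise(path: str) -> str:
    """Replace variable-looking path components with apparmor.d tunables."""
    for pattern, replacement in GENERALISERS:
        path = pattern.sub(replacement, path)
    return path


def merge_masks(masks) -> str:
    """Union several denied masks; 'w' already implies 'a' in AppArmor."""
    perms = set("".join(masks))
    if "w" in perms:
        perms.discard("a")
    return "".join(p for p in PERM_ORDER if p in perms)


def suggest_rules(log_text: str, only_denied: bool = True) -> dict:
    """Return {profile: [rule, ...]} with one rule per generalised path."""
    buckets = defaultdict(lambda: defaultdict(set))  # profile -> (owner, path) -> masks
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # different log format; ignore
        if only_denied and m["verdict"] != "DENIED":
            continue  # complain-mode ALLOWED lines are opt-in
        key = (bool(m["owner"]), generalise(m["path"]))
        buckets[m["profile"]][key].add(m["denied"])

    rules = {}
    for profile, paths in buckets.items():
        rules[profile] = sorted(
            f"{'owner ' if owner else ''}{path} {merge_masks(masks)},"
            for (owner, path), masks in paths.items()
        )
    return rules


if __name__ == "__main__":
    for profile, profile_rules in suggest_rules(LOG).items():
        print(f"# candidate rules for profile {profile}")
        for rule in profile_rules:
            print(f"  {rule}")
```

Running it on the sample collapses the thirteen `/dev/input/eventN` denials into a single `/dev/input/event@{int} r,` rule and the per-launch `tmp-XXXXXX` directories into one `tmp-@{rand6}` rule; pass `only_denied=False` to fold in the complain-mode ALLOWED lines as well.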

@roddhjav Is the goal for flatpak applications to be supported or just more of a "if it works, it works" type of thing?

roddhjav commented 2 weeks ago

Damn, I need to test Steam over flatpak much more. Meanwhile, I recognize some logs, as I have done something similar for the steam profile.

No, flatpak apps are fully supported. It is even a full requirement of this project, because on a long-term basis more and more applications will run inside flatpak (or similar). The flatpak-app profile has been extensively tested and works fine for most (more classic) programs. Meanwhile, it is hard to write the flatpak-app profile in a way that is both meaningful in terms of security and compatible with any flatpak app.

NB: You will also have to set user_games_dirs to /mnt/ss-zpool/SteamLibrary in your local tunable

Stoppedpuma commented 2 weeks ago

It might be a good idea to separate flatpak-app into two different profiles, such as flatpak-app and flatpak-app-strict. flatpak-app-strict is meant to be locked down and covers the case above, where "if it works, it works" type of things apply, whereas the more relaxed flatpak-app has better support for the odd app? I would say it might be worth doing if changes to flatpak-app weaken security too much.

roddhjav commented 2 weeks ago

That is not possible because there is no way to select the profile to use (it would be flatpak work to do on their own side; it is out of scope of flatpak).

Stoppedpuma commented 2 weeks ago

@roddhjav Unrelated to flatpak, but I have a question: installing apparmor.d seems to break waydroid without leaving any denial logs? The closest I get to a log is the errors from my terminal when starting waydroid: [gbinder] ERROR: Can't open /dev/binder: No such file or directory Failed to add presence handler: None

How would I go about debugging this?