diff --git a/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu b/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu
deleted file mode 100644
index 28613162..00000000
--- a/packaging/deb/debian/apparmor/bwrap-userns-restrict-umu
+++ /dev/null
@@ -1,68 +0,0 @@
-# This profile allows almost everything and only exists to allow
-# bwrap to work on a system with user namespace restrictions
-# being enforced.
-# bwrap is allowed access to user namespaces and capabilities
-# within the user namespace, but its children do not have
-# capabilities, blocking bwrap from being able to be used to
-# arbitrarily by-pass the user namespace restrictions.
-#
-# Note: the bwrap child is stacked against the bwrap profile due to
-# bwraps use of no-new-privs
-
-# disabled by default as it can break some use cases on a system that
-# doesn't have or has disable user namespace restrictions for unconfined
-# use aa-enforce to enable it
-
-abi ,
-
-include
-
-profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
- allow capability,
-# not allow all, to allow for pix stack
-# sadly we have to allow m every where to allow children to work under
-# stacking.
- allow file rwlkm /{**,},
- allow network,
- allow unix,
- allow ptrace,
- allow signal,
- allow mqueue,
- allow io_uring,
- allow userns,
- allow mount,
- allow umount,
- allow pivot_root,
- allow dbus,
- allow px /** -> bwrap//&unpriv_bwrap,
-
-# the local include should not be used without understanding the userns
-# restriction.
-# Site-specific additions and overrides. See local/README for details.
- include if exists
-}
-
-profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
-# not allow all, to allow for pix stack
- allow file rwlkm /{**,},
- allow network,
- allow unix,
- allow ptrace,
- allow signal,
- allow mqueue,
- allow io_uring,
- allow userns,
- allow mount,
- allow umount,
- allow pivot_root,
- allow dbus,
-
- allow pix /** -> &unpriv_bwrap,
-
- audit deny capability,
-
-# the local include should not be used without understanding the userns
-# restriction.
-# Site-specific additions and overrides. See local/README for details.
- include if exists
-}
diff --git a/packaging/deb/debian/control b/packaging/deb/debian/control
index cf648960..be8878ea 100644
--- a/packaging/deb/debian/control
+++ b/packaging/deb/debian/control
@@ -35,5 +35,6 @@ Depends: ${misc:Depends},
 python3,
 python3-xlib (>= 0.33),
- python3-filelock (>= 3.9.0)
+ python3-filelock (>= 3.9.0),
+ apparmor-profiles
 Description: A tool for launching non-steam games with proton.
diff --git a/packaging/deb/debian/python3-umu-launcher.install b/packaging/deb/debian/python3-umu-launcher.install
index 70421fb4..46d25be0 100644
--- a/packaging/deb/debian/python3-umu-launcher.install
+++ b/packaging/deb/debian/python3-umu-launcher.install
@@ -2,4 +2,3 @@ usr/bin/umu-run
 usr/share/man/*
 usr/share/steam/compatibilitytools.d/umu-launcher/
 usr/lib/python3/dist-packages/umu*
-debian/apparmor/bwrap-userns-restrict-umu etc/apparmor.d/
diff --git a/packaging/deb/debian/python3-umu-launcher.postinst b/packaging/deb/debian/python3-umu-launcher.postinst
index 49aa12f5..fad7d5c1 100644
--- a/packaging/deb/debian/python3-umu-launcher.postinst
+++ b/packaging/deb/debian/python3-umu-launcher.postinst
@@ -1,3 +1,4 @@
 #! /bin/bash
+ln -s /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/bwrap-userns-restrict-umu
 systemctl restart apparmor.service || true
diff --git a/packaging/deb/debian/python3-umu-launcher.postrm b/packaging/deb/debian/python3-umu-launcher.postrm
index 49aa12f5..c4c33556 100644
--- a/packaging/deb/debian/python3-umu-launcher.postrm
+++ b/packaging/deb/debian/python3-umu-launcher.postrm
@@ -1,3 +1,4 @@
 #! /bin/bash
+rm /etc/apparmor.d/bwrap-userns-restrict-umu
 systemctl restart apparmor.service || true
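Review bot: The new `ln -s` in the postinst hunk is not idempotent and its failure goes unnoticed: the script has no `set -e` and does not check the maintainer-script action in `$1`, so whenever the link already exists (e.g. `dpkg-reconfigure`, or a prior run that left it in place) `ln` prints an error and the script still exits 0 through the `|| true` on the following line. Use `ln -sfn /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/bwrap-userns-restrict-umu` and run it only under `[ "$1" = configure ]`. The same applies to the `rm` in the postrm hunk, which runs on every postrm action including `upgrade` and `failed-upgrade`; `rm -f` guarded on `remove`/`purge` avoids the spurious error and avoids dropping the profile mid-upgrade. Worth a comment on the link line that the target is owned by apparmor-profiles, so if that package is removed the link dangles and the `systemctl restart apparmor.service` (whose failure `|| true` hides) will presumably no longer load the bwrap profile; reloading just this file with `apparmor_parser -r` would surface that error instead of masking it.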