usr.bin.steam

# copied from https://github.com/mk-fg/apparmor-profiles/tree/master/profiles
# adjusted because I'm lazy.

#include <tunables/global>

/usr/bin/steam {

	#include <abstractions/base>
	#include <abstractions/bash>
	#include <abstractions/consoles>
	#include <abstractions/python>
	#include <abstractions/user-tmp>
	#include <abstractions/nameservice>
	#include <abstractions/fonts>
	#include <abstractions/X>
	#include <abstractions/freedesktop.org>
	#include <abstractions/gnome>
	#include <abstractions/user-download>

	audit deny @{HOME}/.gnupg/** mrwkl,
  	audit deny @{HOME}/.ssh/** mrwkl,
  	audit deny /etc/shadow mrwkl,

	# Should always have dedicated uid and home
	#owner @{HOME}/.steam rwkl,
	owner @{HOME}/.steam/** rwkmixl,

	# Steam bootstrap is a bash script
	/ r,
	/usr/@{multiarch}bin/steam mrix,
	/etc/os-release r,

	# Special case - don't restrict dbus session
	/usr/@{multiarch}bin/dbus-daemon Ux,

	# System sound/video configuration and hw
	/etc/pulse/ r,
	/etc/pulse/* r,
	/etc/asound.conf r,
	/usr/share/alsa/** r,
	/etc/drirc r,
	/etc/udev/udev.conf r,
	/run/udev/data/* r,
	/run/udev/queue.bin r,
	/sys/ r,
	/sys/** r,
	/dev/** r,
	/dev/dri/card* m,
	deny /dev/snd/** rw, # alsa should always use pulse plugin

	# Site-local configuration links
	/etc/core/sys/pulse/* r,
	/etc/core/sys/asound.conf r,
	/etc/core/sys/secure/pulse.cookie rk,
	/etc/core/app/X/drirc r,

	# lspci/fontconfig/webkit mess
	deny /usr/@{multiarch}bin/lspci rx,
	deny /var/cache/fontconfig/ w,
	deny /opt/netscape/plugins/ r,

	# DE bits
	/usr/share/zenity/* r,

	# gdb on game crashes
	/usr/share/locale/** m,
	/usr/share/gdb/** r,
	deny /usr/share/gdb/**.pyc w,

	# shm
	/dev/shm/org.chromium.Chromium.* rwmk,
	/dev/shm/.org.chromium.Chromium.* rwmk,
	/dev/shm/steam-* rwmk,
	/dev/shm/mono.* rwmk,
	/dev/shm/mono-* rwmk,
	/dev/shm/pulse-shm-* rwmk,

	# Too much stuff here to bother
	@{PROC}/ r,
	@{PROC}/** r,
	deny @{PROC}/@{pid}/oom_score_adj w,

}