Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
80 lines (66 sloc) 1.71 KB
#include <tunables/global>
/usr/bin/steam {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/python>
#include <abstractions/user-tmp>
#include <abstractions/nameservice>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/user-download>
#include <abstractions/site/base>
# Should always have dedicated uid and home
owner @{HOME}/ rwkl,
owner @{HOME}/** rwkmixl,
# Steam bootstrap is a bash script
/ r,
/usr/bin/steam mrix,
/usr/bin/* rix,
/etc/os-release r,
# Special case - don't restrict dbus session
/usr/bin/dbus-daemon Ux,
# System sound/video configuration and hw
/etc/pulse/ r,
/etc/pulse/* r,
/etc/asound.conf r,
/usr/share/alsa/** r,
/etc/drirc r,
/etc/udev/udev.conf r,
/run/udev/data/* r,
/run/udev/queue.bin r,
/sys/ r,
/sys/** r,
/dev/** r,
/dev/dri/card* m,
deny /dev/snd/** rw, # alsa should always use pulse plugin
# Site-local configuration links
@{SYS_GIT}/sys/pulse/* r,
@{SYS_GIT}/sys/asound.conf r,
@{SYS_GIT}/sys/secure/pulse.cookie rk,
@{SYS_GIT}/app/X/drirc r,
# lspci/fontconfig/webkit mess
deny /usr/bin/lspci rx,
deny /var/cache/fontconfig/ w,
deny /opt/netscape/plugins/ r,
# DE bits
/usr/share/zenity/* r,
# gdb on game crashes
/usr/share/locale/** m,
/usr/share/gdb/** r,
deny /usr/share/gdb/**.pyc w,
# shm
/dev/shm/org.chromium.Chromium.* rwmk,
/dev/shm/.org.chromium.Chromium.* rwmk,
/dev/shm/steam-* rwmk,
/dev/shm/mono.* rwmk,
/dev/shm/mono-* rwmk,
/dev/shm/pulse-shm-* rwmk,
# Too much stuff here to bother
@{PROC}/ r,
@{PROC}/** r,
deny @{PROC}/@{pid}/oom_score_adj w,
network,
}