
Apparmor profile for wine


I am trying to set up an AppArmor profile for Wine so that Wine can only read and write inside the .wine directory. I have seen some threads asking about this, but none of those questions are detailed.

In those threads this GitHub repo is mentioned, for example the wine apparmor profile, which I tried.

I was unsure about modifying my /etc/apparmor.d/tunables and /etc/apparmor.d/abstractions,

but I added the site folder and its files site/global and site/de, since they were not there already,

and added the pulse file in /etc/apparmor.d/ because it was also not present.

I generated a blank profile for wine with aa-genprof and used the profile for wine mentioned in the GitHub repo.

But it used SYS_GIT and HOME_GIT variables from the /etc/apparmor.d/site files, which I didn't have; not knowing what to do, I just commented out those includes in the wine profile file.

So my current profile looks like this:

# Pulls in the global tunables, expected to define the @{HOME} and @{pid}
# variables the profiles below rely on (confirm against tunables/home and
# tunables/kernelvars on this system).
#include <tunables/global>

profile wine-preloader /usr/bin/wine-preloader {
    # Confines /usr/bin/wine-preloader. Everything wine does afterwards runs
    # under this profile until wineserver is exec'd (px below hands it to the
    # separate wineserver profile) or dosbox is exec'd (cx -> the child profile
    # at the end). Rules are unordered: permissions from all matching allow
    # rules accumulate, and a matching deny rule always wins.

    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/nameservice>
    # A doubled '#' makes the three lines below plain comments, so the site/*
    # and pulse abstractions are NOT loaded here (disabled on purpose because
    # the site files were missing on this system).
    ##include <abstractions/site/de>
    ##include <abstractions/site/base>
    #include <abstractions/X>
    #include <abstractions/freedesktop.org>
    ##include <abstractions/pulse>
    #include <abstractions/p11-kit>

    # Executables: the preloader may re-exec itself inheriting this profile
    # (ix), wineserver switches to its own profile (px), and the wine binary
    # only gets read+mmap (no x), so nothing under this profile may exec it.
    /usr/bin/wine-preloader rix,
    /usr/bin/wineserver px,
    /usr/bin/wine mr,

    # Wine's own libraries and data files.
    # NOTE(review): '*' does not cross '/', so only .so files directly in
    # /usr/lib/wine/ are mappable; a distro that keeps them in a subdirectory
    # or a multiarch lib path needs an extra rule — confirm from the audit log.
    /usr/lib/wine/*.so mr,
    /usr/share/wine/fonts/ r,
    /usr/share/wine/fonts/* r,
    /usr/share/wine/wine.inf r,

    /etc/fstab r,
    /usr/share/terminfo/** r,

    # Per-user wineserver directory in /tmp. No 'owner' qualifier, so any
    # user's .wine-*/ tree matches; adding 'owner' would keep it per-user
    # (assumes the directory is created by the confined user — verify).
    /tmp/.wine-*/ rw,
    /tmp/.wine-*/server-*/ rw,
    /tmp/.wine-*/server-*/* rwmk,

    # Home directory, restricted to files owned by the running user.
    # The last four rules let winemenubuilder write menu/icon entries
    # outside ~/.wine; that goes beyond the stated goal of confining writes
    # to ~/.wine, so drop them if desktop-menu integration is not needed.
    owner @{HOME}/ r,
    owner @{HOME}/.wine/ rw,
    owner @{HOME}/.wine/** rwmk,
    owner @{HOME}/.local/share/icons/hicolor/** rwk,
    owner @{HOME}/.local/share/applications/** rwk,
    owner @{HOME}/.config/menus/applications-merged/wine-* rwk,
    owner @{HOME}/.local/share/desktop-directories/wine-* rwk,

    # Mostly winemenubuilder stuff. Explicit denies override any allow and
    # produce no audit entry, so these refusals stay quiet.
    deny /usr/bin/update-mime-database x,
    deny /usr/bin/update-desktop-database x,
    deny @{HOME}/.local/share/mime/** w,

    # For winedbg: the ptrace capability is refused and the /proc mem rule
    # is left commented out.
    deny capability sys_ptrace,
    # owner /proc/@{pid}/mem rw,

    # hw: udev/sysfs device enumeration, plus one video device.
    /etc/udev/udev.conf r,
    /run/udev/data/* r,
    /run/udev/queue.bin r,
    /sys/devices/pci** r,
    /dev/video0 rw, # V4L2 capture device (webcam), not DRI; remove if unneeded

    # for initial ~/.wine creation/updates only.
    # '/usr/share/wine/**' also covers the fonts and wine.inf rules above.
    / r,
    /usr/share/wine/** r,
    owner @{HOME}/.cache/ r,
    owner @{HOME}/.cache/wine/ rwk,
    owner @{HOME}/.cache/wine/** rwk,

    # Actual apps/games: read-only media under /mnt/iso (local convention
    # from the upstream profile, adjust to where media is mounted), and
    # quiet denies for Downloads and Trash.
    owner /proc/@{pid}/mounts r,
    /etc/machine-id r,
    /mnt/iso/ r,
    /mnt/iso/** r,
    deny @{HOME}/Downloads/ rw,
    deny @{HOME}/Downloads/** rw,
    deny @{HOME}/.local/share/Trash/ rw,

    # dosbox runs under the child profile below (cx = child transition).
    /usr/bin/dosbox cx -> dosbox,

    profile dosbox {
        # Child profile for DOSBox started from wine: no fonts/nameservice
        # abstractions and no /tmp/.wine-* access here — only ~/.wine,
        # the input device nodes and /mnt/iso.
        #include <abstractions/base>
        #include <abstractions/X>
        ##include <abstractions/pulse>
        ##include <abstractions/site/base>

        /etc/fstab r,
        owner /proc/@{pid}/mounts r,

        # DosBox seem to use these directly (evdev and joystick nodes, read-only)
        /dev/input/event[0-9]* r,
        /dev/input/js[0-9]* r,

        owner @{HOME}/ r,
        owner @{HOME}/.wine/ rw,
        owner @{HOME}/.wine/** rwmk,

        # Actual apps/games
        /mnt/iso/ r,
        /mnt/iso/** r,
    }

}

profile wineserver /usr/bin/wineserver {
    # Separate profile for the wineserver process (entered via 'px' from the
    # wine-preloader profile). Rules are unordered: allows accumulate and a
    # matching deny always wins.

    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/freedesktop.org>

    # Quiet refusals: a deny overrides any allow and produces no audit entry.
    deny capability sys_ptrace,
    deny @{HOME}/Downloads/ rw,
    deny @{HOME}/.local/share/Trash/ rw,
    # For winedbg (kept disabled):
    # owner /proc/@{pid}/mem rw,

    # IPX datagram sockets for apps/games that still use them.
    network ipx dgram,

    # Read-only system files, the server binary itself, read-only media under
    # /mnt/iso and the wine data tree (the latter is needed when ~/.wine is
    # first created).
    /usr/bin/wineserver r,
    / r,
    /etc/machine-id r,
    /etc/ld.so.preload r,
    /usr/share/wine/** rk,
    /mnt/iso/{,**} r,

    # Server socket directory under /tmp (not owner-qualified).
    /tmp/.wine-*/{,server-*/} rw,
    /tmp/.wine-*/server-*/* rwmk,

    # The user's own home: prefix and cache, ~/.wine itself, and the icon
    # tree written by the menu integration.
    owner @{HOME}/ r,
    owner @{HOME}/.cache/ r,
    owner @{HOME}/.cache/wine/{,**} rwk,
    owner @{HOME}/.wine/ rw,
    owner @{HOME}/.wine/** rwmk,
    owner @{HOME}/.local/share/icons/hicolor/** rwk,

}

The apparmor service works just fine, but when I try to run something in wine, it now shows me "permission denied".

What am I doing wrong here? Any hints in the right direction would be really helpful, thanks.



