sec-policy/apparmor-profile-deepinwine: new package, add 1.0.0

Signed-off-by: Huang Rui <vowstar@gmail.com>
2025-04-19 15:58:56 -04:00 · 2023-10-13 21:05:44 +08:00 · 2023-10-13 21:05:44 +08:00 · db144bb3fc
commit db144bb3fc
parent cd496bda57
3 changed files with 137 additions and 0 deletions
--- a/sec-policy/apparmor-profile-deepinwine/apparmor-profile-deepinwine-1.0.0.ebuild
+++ b/sec-policy/apparmor-profile-deepinwine/apparmor-profile-deepinwine-1.0.0.ebuild
@ -0,0 +1,24 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="A collection of AppArmor profiles for Deepinwine6"
+HOMEPAGE="https://gitlab.com/apparmor/apparmor/wikis/home"
+SRC_URI=""
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64"
+
+RESTRICT="test"
+
+RDEPEND="sec-policy/apparmor-profiles"
+DEPEND="${RDEPEND}"
+
+S="${WORKDIR}"
+
+src_install() {
+	insinto /etc/apparmor.d
+	doins -r "${FILESDIR}"/opt.deepinwine6
+}
--- a/sec-policy/apparmor-profile-deepinwine/files/opt.deepinwine6
+++ b/sec-policy/apparmor-profile-deepinwine/files/opt.deepinwine6
@ -0,0 +1,92 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+profile deepin-wine6 /opt/deepin-wine6-stable/bin/* {
+    include <abstractions/base>
+    include <abstractions/fonts>
+    include <abstractions/gnome>
+    include <abstractions/kde>
+    include <abstractions/nameservice>
+    include <abstractions/ssl_certs>
+    include <abstractions/user-tmp>
+    include <abstractions/private-files-strict>
+
+    network inet stream,
+    network inet6 stream,
+    @{PROC}/@{pid}/net/if_inet6 r,
+    @{PROC}/@{pid}/net/ipv6_route r,
+
+    /opt/deepin-wine6-stable/** rmix,
+
+    /etc/fstab r,
+    /usr/share/terminfo/** r,
+
+    /tmp/.wine-*/ rw,
+    /tmp/.wine-*/server-*/ rw,
+    /tmp/.wine-*/server-*/* rwmk,
+
+    owner @{HOME}/ r,
+    owner @{HOME}/.wine/ rw,
+    owner @{HOME}/.wine/** rwmk,
+    owner @{HOME}/.local/share/icons/hicolor/** rwk,
+    owner @{HOME}/.local/share/applications/** rwk,
+    owner @{HOME}/.config/menus/applications-merged/wine-* rwk,
+    owner @{HOME}/.local/share/desktop-directories/wine-* rwk,
+
+    # Mostly winemenubuilder stuff
+    deny /usr/bin/update-mime-database x,
+    deny /usr/bin/update-desktop-database x,
+    deny @{HOME}/.local/share/mime/** w,
+
+    # For winedbg
+    ##deny capability sys_ptrace,
+
+    # Hardware
+    /etc/udev/udev.conf r,
+    /run/udev/data/* r,
+    /run/udev/queue.bin r,
+    /sys/devices/pci** r,
+    /sys/devices/system/** r,
+    /dev r,
+    /dev/video* rw,
+    /dev/tty* rw,
+    /dev/pts/* r,
+    /dev/hidraw2 rw,
+
+    # For initial ~/.wine creation/updates only
+    / r,
+    /usr/share/wine/** r,
+    owner @{HOME}/.cache/ r,
+    owner @{HOME}/.cache/wine/ rwk,
+    owner @{HOME}/.cache/wine/** rwk,
+
+    # Actual apps/games
+    owner /proc/@{pid}/mounts r,
+    owner @{HOME}/.cups/ r,
+    /etc/machine-id r,
+    /mnt/iso/ r,
+    /mnt/iso/** r,
+
+    # Deepin wine
+    @{PROC}/uptime r,
+    /bin/dirname ix,
+    /bin/uname ix,
+    /usr/bin/ntlm_auth ix,
+    owner @{HOME}/.deepinwine/** mrwkl,
+    owner @{HOME}/Documents/** mrwkl,
+    owner @{HOME}/Downloads/** mrwkl,
+    owner @{HOME}/** r,
+    ##/sys/** r,
+    ##/dev/** r,
+    @{PROC}/@{pid}/** r,
+    /usr/share/fonts/** mrl,
+    ptrace (trace, tracedby) peer=deepin-wine6,
+    # Wechat
+    /opt/apps/com.qq.weixin.deepin/** rmix,
+    # Wecom (Wechat work)
+    /opt/apps/com.qq.weixin.work.deepin/** rmix,
+    # Site-specific additions and overrides. See local/README for details.
+    include if exists <local/deepin-wine6>
+}
--- a/sec-policy/apparmor-profile-deepinwine/metadata.xml
+++ b/sec-policy/apparmor-profile-deepinwine/metadata.xml
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>vowstar@gmail.com</email>
+		<name>Huang Rui</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="launchpad">apparmor</remote-id>
+		<remote-id type="gitlab">apparmor/apparmor</remote-id>
+	</upstream>
+	<longdescription lang="en">
+		This is the AppArmor security policy written for deepinwine. It mainly
+		limits the access of Windows programs based on deepinwine6 to the system
+		directory and plays a certain protective role.
+	</longdescription>
+	<longdescription lang="zh">
+		这是针对 deepinwine 编写的 AppArmor 安全策略，主要限制基于 deepinwine6
+		的 windows 程序对系统目录的访问，起到一定保护作用。
+	</longdescription>
+</pkgmetadata>