I am trying to write apparmor profile for Wine... but wineboot is failing to load idk why and i am not familiar with Wine components to know which permission or abstraction is needed for wine... please do you have any suggestion, or can you help me ?? please note that i am using wine 9.0 (on my Ubuntu 22.04 machine) 0024:err:environ:run_wineboot failed to start wineboot c000000d
Code: Select all
#include <tunables/global>
profile wine /opt/wine-stable/bin/wine flags=(audit, complain) {
# Core Abstractions
# Base, multimedia, graphics, networking, and printing support
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/p11-kit>
#include <abstractions/vulkan>
#include <abstractions/cups-client>
# File and Library Access
/opt/wine-stable/bin/wine rix,
/opt/wine-stable/bin/wine64 rix,
/opt/wine-stable/bin/wine64-preloader rix,
/opt/wine-stable/lib64/wine/*.so mr,
/opt/wine-stable/lib64/wine/x86_64-unix/** mr,
/opt/wine-stable/lib/wine/i386-unix/** mr,
/opt/wine-stable/lib64/wine/x86_64-windows/** r,
/opt/wine-stable/lib/wine/i386-windows/** r,
/opt/wine-stable/share/wine/** r,
/etc/machine-id r,
/run/udev/data/* r,
/sys/devices/pci** r,
/run/udev/queue.bin r,
/etc/fstab r,
# Temp Directories for Wine Runtime and Server Instances
/tmp/.wine-*/ rw,
/tmp/.wine-*/server-*/ rw,
/tmp/.wine-*/server-*/* rwmk,
# User Directories for Wine Configuration and Caches
owner /home/johnm/.wine/ rw,
owner /home/johnm/.wine/** rwmk,
owner /home/johnm/.cache/wine/ rwk,
owner /home/johnm/.config/wine/ rwk,
owner /home/johnm/.local/share/icons/hicolor/** rwk,
owner /home/johnm/.local/share/applications/** rwk,
owner /home/johnm/.config/menus/applications-merged/wine-* rwk,
owner /home/johnm/.local/share/desktop-directories/wine-* rwk,
# IPC and Network Permissions
network inet stream,
network inet6 stream,
network ipx dgram,
# Multimedia and Video Access
/dev/video* rw,
/dev/snd/* rw,
# Security: Restricting Sensitive Areas
deny capability sys_ptrace,
deny /etc/ld.so.preload r,
# Shared Memory for Gaming
owner /dev/shm/* rw,
# Specific Denials for Security
deny /home/johnm/.local/share/Trash/ rw,
# Debugging and Auxiliary Tools in Wine
/opt/wine-stable/bin/wineboot Px,
/opt/wine-stable/bin/wineconsole Px,
/opt/wine-stable/bin/winedump Px,
/opt/wine-stable/bin/winegcc Px,
/opt/wine-stable/bin/winepath Px,
/opt/wine-stable/bin/winebuild Px,
/opt/wine-stable/bin/winecpp Px,
/opt/wine-stable/bin/winefile Px,
/opt/wine-stable/bin/winemaker Px,
/opt/wine-stable/bin/winecfg Px,
/opt/wine-stable/bin/winedbg Px,
/opt/wine-stable/bin/wineg++ Px,
/opt/wine-stable/bin/winemine Px,
/opt/wine-stable/bin/wineserver Px,
/home/johnm/.linuxbrew/Homebrew/bin/winetricks Px,
}
profile wineserver /opt/wine-stable/bin/wineserver flags=(audit, complain) {
# Profile for wineserver which handles inter-process communication for Wine
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/freedesktop.org>
/opt/wine-stable/bin/wineserver r,
/run/user/*/.wine-*/ rw,
/run/user/*/.wine-*/server-*/ rw,
/run/user/*/.wine-*/server-*/* rwmk,
owner /home/johnm/.wine/ rw,
owner /home/johnm/.wine/** rwmk,
owner /home/johnm/.local/share/icons/hicolor/** rwk,
owner /home/johnm/.cache/wine/** rwk,
deny /home/johnm/.local/share/Trash/ rw,
# Deny tracing of other processes for added security
deny capability sys_ptrace,
network ipx dgram,
# IPC and Network Permissions
network inet stream,
network inet6 stream,
#/etc/ld.so.preload r,
# Temp Directories for Wine Runtime and Server Instances
/tmp/.wine-*/ rw,
/tmp/.wine-*/server-*/ rw,
/tmp/.wine-*/server-*/* rwmk,
/opt/wine-stable/share/wine/** r,
/opt/wine-stable/bin/wineboot Px,
}
