With the recent high-profile Team Fortress 2 source code leak, I considered it necessary to lock down my TF2 servers as much as possible. Below is the full AppArmor profile I used to confine srcds_linux.
Common additions such as SourceMod and auto-update (via SteamCMD) are supported. Replace /YOUR-SRCDS-LOCATION/ with the real install path throughout: in the profile header, in every rule, and in the file name. To support replays, add a rule for whatever folder(s) replays are written to, using the /** rwk suffix in the same style as the tf/** rule below.
The profile attaches to the srcds_run launcher script; srcds_linux, steamcmd and the coreutils the scripts call are executed with the ix (inherit) mode, so they run under this same profile and no separate profile for srcds_linux is needed. One caveat: @{pid} as defined in tunables/kernelvars is a pattern matching any PID, not the process's own, so the /proc/@{pid}/** rule is broader than it looks; prefixing it with owner limits it to processes running as the server user. Load the profile with apparmor_parser -r, put it in complain mode with aa-complain and check the audit log (or dmesg) for apparmor="ALLOWED" records during a full start, update and map change before switching to aa-enforce.
The following goes into /etc/apparmor.d/your.srcds.location.tf.srcds_linux
#include <tunables/global>

# Attaches to the launcher script. srcds_linux, steamcmd and the utilities
# listed below are executed with "ix" (inherit), so they run confined by this
# same profile rather than by a profile of their own.
/YOUR-SRCDS-LOCATION/tf/srcds_run {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/nameservice>
  #include <abstractions/opencl-pocl>
  #include <abstractions/ssl_certs>
  #include <abstractions/user-tmp>
  #include <abstractions/xdg-desktop>

  /dev/disk/by-id/ r,

  # Programs the launcher and the auto-update path execute.
  /YOUR-SRCDS-LOCATION/.steam/steamcmd/linux32/steamcmd mrix,
  /YOUR-SRCDS-LOCATION/.steam/steamcmd/steamcmd.sh mrix,
  /YOUR-SRCDS-LOCATION/tf/srcds_linux mrix,
  /YOUR-SRCDS-LOCATION/tf/srcds_run mrix,

  # @{pid} (tunables/kernelvars) is a pattern matching any PID, not the
  # process's own; add "owner" to restrict this to the server user's processes.
  /proc/@{pid}/** rwk,
  /proc/version r,
  /sys/class/net/ r,
  /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,

  # Shells and coreutils called from srcds_run and steamcmd.sh.
  /usr/ r,
  /usr/bin/basename mrix,
  /usr/bin/bash mrix,
  /usr/bin/dash ix,
  /usr/bin/date mrix,
  /usr/bin/dirname mrix,
  /usr/bin/env ix,
  /usr/bin/id mrix,
  /usr/bin/sleep mrix,
  /usr/bin/uname mrix,
  /usr/local/ r,

  # Install tree, limited to files owned by the server user: read/write/lock
  # everywhere, plus "m" where code is mapped (engine libraries and the
  # shared objects under addons/ that SourceMod loads).
  owner /YOUR-SRCDS-LOCATION/ r,
  owner /YOUR-SRCDS-LOCATION/.steam r,
  owner /YOUR-SRCDS-LOCATION/.steam/ r,
  owner /YOUR-SRCDS-LOCATION/.steam/** rwk,
  owner /YOUR-SRCDS-LOCATION/.steam/steamcmd/linux32/* mr,
  owner /YOUR-SRCDS-LOCATION/tf r,
  owner /YOUR-SRCDS-LOCATION/tf/ r,
  owner /YOUR-SRCDS-LOCATION/tf/** rwk,
  owner /YOUR-SRCDS-LOCATION/tf/bin/* mr,
  owner /YOUR-SRCDS-LOCATION/tf/tf/addons/**/*.so m,
  owner /YOUR-SRCDS-LOCATION/tf/tf/bin/* mr,
}
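Rules like the replay-folder addition mentioned above come out of the usual AppArmor workflow: run the profile in complain mode, then turn what the audit log records into rules (aa-logprof does this interactively). To show what that step actually looks like, here is an added Python example, not code from the original post, that parses a constructed set of audit records and proposes one candidate rule per path, merging the requested masks and keeping the owner qualifier only where every access was to a file the server user owns. The install path /srv/tf2, the PIDs and the file names in the sample are made up; the generalization from /srv/tf2/tf/replay/demo1.dem to a replay/** rwk rule is still a judgement call for the reader, as is the choice of ix over Px/Cx for executed programs.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor audit records, in the format written to
# /var/log/audit/audit.log (syslog/dmesg carry the same fields after an
# "audit: type=1400" prefix) while the profile runs in complain mode.
# The install path, PIDs and file names are invented for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1588000000.101:201): apparmor="ALLOWED" operation="open" profile="/srv/tf2/tf/srcds_run" name="/srv/tf2/tf/replay/demo1.dem" pid=4242 comm="srcds_linux" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1588000000.102:202): apparmor="ALLOWED" operation="file_lock" profile="/srv/tf2/tf/srcds_run" name="/srv/tf2/tf/replay/demo1.dem" pid=4242 comm="srcds_linux" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1588000000.103:203): apparmor="ALLOWED" operation="open" profile="/srv/tf2/tf/srcds_run" name="/srv/tf2/tf/replay/demo1.dem" pid=4242 comm="srcds_linux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1588000000.104:204): apparmor="ALLOWED" operation="open" profile="/srv/tf2/tf/srcds_run" name="/etc/localtime" pid=4242 comm="srcds_linux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1588000000.105:205): apparmor="ALLOWED" operation="exec" profile="/srv/tf2/tf/srcds_run" name="/usr/bin/tr" pid=4243 comm="srcds_run" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1588000000.106:206): apparmor="ALLOWED" operation="file_mmap" profile="/srv/tf2/tf/srcds_run" name="/usr/bin/tr" pid=4243 comm="tr" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
type=AVC msg=audit(1588000000.107:207): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/cups/job.cache" pid=999 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=7 ouid=7
"""

# key=value or key="quoted value" pairs as they appear in an audit record
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Characters of requested_mask -> permission letter in a profile rule.
# Create, delete and append requests are all satisfied by "w"; exec ("x")
# becomes "ix" below, matching the inherit style used in the profile above.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                "k": "k", "m": "m", "l": "l", "x": "x"}
PERM_ORDER = "mrwlk"  # emit letters in the order the profile above uses


def parse_events(text):
    """Turn audit lines into dicts of field -> value with quotes stripped."""
    events = []
    for line in text.splitlines():
        if "apparmor=" not in line:
            continue
        events.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def suggest_rules(text, profile):
    """Merge every file access made under `profile` into one rule per path."""
    perms = defaultdict(set)
    owner_only = defaultdict(lambda: True)
    for ev in parse_events(text):
        if ev.get("profile") != profile:
            continue
        name, mask = ev.get("name"), ev.get("requested_mask", "")
        if not name:
            continue  # capability/network events carry no path; handle by hand
        perms[name].update(MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM)
        # Keep the "owner" qualifier (as the profile does for the install tree)
        # only if every access to this path hit a file owned by the accessing
        # user, i.e. fsuid == ouid in every record.
        owner_only[name] = owner_only[name] and ev.get("fsuid") == ev.get("ouid")
    rules = []
    for name in sorted(perms):
        letters = "".join(c for c in PERM_ORDER if c in perms[name])
        if "x" in perms[name]:
            letters += "ix"
        prefix = "owner " if owner_only[name] else ""
        rules.append(f"{prefix}{name} {letters},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/srv/tf2/tf/srcds_run"):
        print("  " + rule)
```

For the sample above the script proposes `owner /srv/tf2/tf/replay/demo1.dem rwk,`, `/etc/localtime r,` and `/usr/bin/tr mrix,`; the cupsd record is ignored because it belongs to a different profile. Replace SAMPLE_LOG with the real log (for example `ausearch -m AVC` output or the matching dmesg lines) taken across a full start, an auto-update and a map change, then widen per-file paths to the globs you actually want before adding them to the profile.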