Dark's Code Dump

AppArmor profile for TF2 SRCDS servers

With the recent high-profile Team Fortress 2 source code leak, I considered it necessary to lock down my TF2 servers as much as possible. Below is the full AppArmor profile I used to protect srcds_linux.

Complications such as SourceMod, replays and auto-update are accounted for. Replace /YOUR-SRCDS-LOCATION/ and /tmp/replays with the paths used on your own server.

The following goes into /etc/apparmor.d/your.srcds.location.tf.srcds_linux:

#include <tunables/global>

# Attached to the launcher script. The engine, bash and steamcmd get ix, so
# every child process runs under this same profile rather than unconfined.
/YOUR-SRCDS-LOCATION/tf/srcds_run {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/nameservice>
  #include <abstractions/opencl-pocl>
  #include <abstractions/ssl_certs>
  #include <abstractions/user-tmp>
  #include <abstractions/xdg-desktop>

  /dev/disk/by-id/ r,
  # steamcmd, run by srcds_run for the auto-update step
  /YOUR-SRCDS-LOCATION/.steam/steamcmd/linux32/steamcmd mrix,
  /YOUR-SRCDS-LOCATION/.steam/steamcmd/steamcmd.sh mrix,
  # the engine binary and the launcher script itself
  /YOUR-SRCDS-LOCATION/tf/srcds_linux mrix,
  /YOUR-SRCDS-LOCATION/tf/srcds_run r,
  /proc/*/net/dev r,
  /proc/version r,
  /sys/class/net/ r,
  /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
  # replay directory; writes under /tmp come from abstractions/user-tmp
  /tmp/replays/ r,
  /usr/ r,
  # helper tools invoked by the srcds_run launcher script
  /usr/bin/basename mrix,
  /usr/bin/bash mrix,
  /usr/bin/dash ix,
  /usr/bin/date mrix,
  /usr/bin/dirname mrix,
  /usr/bin/env ix,
  /usr/bin/id mrix,
  /usr/bin/sleep mrix,
  /usr/bin/uname mrix,
  /usr/local/ r,
  # install tree: read/write/lock only on files owned by the server user;
  # mmap-exec (m) is limited to the engine, steamcmd and plugin libraries
  owner /YOUR-SRCDS-LOCATION/ r,
  owner /YOUR-SRCDS-LOCATION/.steam r,
  owner /YOUR-SRCDS-LOCATION/.steam/ r,
  owner /YOUR-SRCDS-LOCATION/.steam/** rwk,
  owner /YOUR-SRCDS-LOCATION/.steam/steamcmd/linux32/* mr,
  owner /YOUR-SRCDS-LOCATION/tf r,
  owner /YOUR-SRCDS-LOCATION/tf/ r,
  owner /YOUR-SRCDS-LOCATION/tf/** rwk,
  owner /YOUR-SRCDS-LOCATION/tf/bin/* mr,
  # SourceMod/Metamod plugins are shared objects loaded at runtime
  owner /YOUR-SRCDS-LOCATION/tf/tf/addons/**/*.so m,
  owner /YOUR-SRCDS-LOCATION/tf/tf/bin/* mr,
  owner /proc/*/cmdline r,

}
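The placeholder substitution the post asks for, plus the check a practitioner wants before switching the profile to enforce, as an added example that is not part of the original post or of any AppArmor tooling: a POSIX shell helper that renders the profile for a real install directory, derives the file name AppArmor expects under /etc/apparmor.d (leading slash dropped, remaining slashes turned into dots, which is how the post's your.srcds.location.tf... name arises), loads it in complain mode, and summarises the audit lines the kernel logs while the server runs. The install path /home/tf2/srcds, the file names srcds_run.profile and kernel.log, and the audit lines in sample_audit_log are all constructed assumptions.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumed install path used in the
# comments and sample data: /home/tf2/srcds, so the profile attaches to
# /home/tf2/srcds/tf/srcds_run. Installing needs root and apparmor_parser.
set -eu

# AppArmor names a profile file after the attached path: leading slash dropped,
# remaining slashes turned into dots.
profile_name_for() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Fill in the post's /YOUR-SRCDS-LOCATION placeholder. Template on stdin,
# rendered profile on stdout. The install dir must not contain '|' or '&'.
render_profile() {
    srcds_dir="${1%/}"
    sed "s|/YOUR-SRCDS-LOCATION|${srcds_dir}|g"
}

# Number of placeholders still present in a rendered profile; must be 0.
placeholder_count() {
    grep -c 'YOUR-SRCDS-LOCATION' "$1" || true
}

# Render into /etc/apparmor.d and load in complain mode, so anything the
# profile misses is logged (apparmor="ALLOWED") instead of breaking the server.
# Switch to enforce once the log is clean: aa-enforce /etc/apparmor.d/<name>
install_profile() {
    srcds_dir="${1%/}"
    template="$2"
    name="$(profile_name_for "${srcds_dir}/tf/srcds_run")"
    target="/etc/apparmor.d/${name}"
    render_profile "$srcds_dir" < "$template" > "$target"
    [ "$(placeholder_count "$target")" -eq 0 ] || {
        echo "placeholder left in $target" >&2
        return 1
    }
    apparmor_parser --replace --Complain "$target"
    echo "loaded $target in complain mode"
}

# One line per distinct (operation, path, mask) the kernel logged for the given
# profile, read from a saved 'journalctl -k' or dmesg capture. ALLOWED lines
# are complain-mode hits, DENIED lines are enforce-mode blocks; both carry the
# denied_mask, which is exactly what a missing rule would need to grant.
summarise_denials() {
    profile="$1"
    logfile="$2"
    grep -E 'apparmor="(ALLOWED|DENIED)"' "$logfile" \
      | grep -F "profile=\"${profile}\"" \
      | grep -F 'name="' \
      | sed -E 's/.*operation="([^"]*)".*name="([^"]*)".*denied_mask="([^"]*)".*/\1 \2 \3/' \
      | sort -u
}

# Constructed sample of what a complain-mode run logs; not real server output.
sample_audit_log() {
    cat <<'EOF'
audit: type=1400 audit(1600000000.001:10): apparmor="ALLOWED" operation="open" profile="/home/tf2/srcds/tf/srcds_run" name="/home/tf2/srcds/tf/tf/maps/cp_custom.bsp" pid=4242 comm="srcds_linux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1600000000.002:11): apparmor="ALLOWED" operation="open" profile="/home/tf2/srcds/tf/srcds_run" name="/home/tf2/srcds/tf/tf/maps/cp_custom.bsp" pid=4242 comm="srcds_linux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1600000000.003:12): apparmor="ALLOWED" operation="open" profile="/home/tf2/srcds/tf/srcds_run" name="/tmp/replays/session.dem" pid=4242 comm="srcds_linux" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1600000000.004:13): apparmor="DENIED" operation="open" profile="/usr/bin/unrelated" name="/var/log/unrelated.log" pid=99 comm="unrelated" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Usage: sh apparmor-srcds.sh install /home/tf2/srcds ./srcds_run.profile
#        sh apparmor-srcds.sh review  /home/tf2/srcds/tf/srcds_run kernel.log
case "${1-}" in
    install) install_profile "$2" "$3" ;;
    review)  summarise_denials "$2" "$3" ;;
esac
```

Run the server in complain mode for a full cycle (start-up, map change, a steamcmd update, a replay being written) and review the summary; each line is a path the current rules do not cover. Only when a complete run logs nothing for the profile is it worth switching to enforce.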
