Dirk Stoecker
43dcf61be2
* Lutris downloads the latest GE-Proton build for Wine if any Wine version is installed * Use dark theme by default * Display cover-art rather than banners by default * Add 'Uncategorized' view to sidebar * Preference options that do not work on Wayland will be hidden when on Wayland * Game searches can now use fancy tags like 'installed:yes' or 'source:gog', with explanatory tool-tip * A new filter button on the search box can build many of these fancy tags for you * Runner searches can use 'installed:yes' as well, but no other fancy searches or anything * Updated the Flathub and Amazon source to new APIs, restoring integration * Itch.io source integration will load a collection named 'Lutris' if present * GOG and Itch.io sources can now offer Linux and Windows installers for the same game * Added support for the 'foot' terminal * Support for DirectX 8 in DXVK v2.4 * Support for Ayatana Application Indicators * Additional options for Ruffle runner * Updated download links for the Atari800 and MicroM8 runners * No longer re-download cached installation files even when some are missing * Lutris log is included in the 'System' tab of the Preferences window * Improved error reporting, with the Lutris log included in the error details * Add AppArmor profile for Ubuntu versions >= 23.10 * Add Duckstation runner - add apparmor profile in it's seperate package - remove BR update-desktop-files OBS-URL: https://build.opensuse.org/package/show/games:tools/lutris?expand=0&rev=105
69 lines
1.9 KiB
Plaintext
69 lines
1.9 KiB
Plaintext
# This profile allows almost everything and only exists to allow
|
|
# bwrap to work on a system with user namespace restrictions
|
|
# being enforced.
|
|
# bwrap is allowed access to user namespaces and capabilities
|
|
# within the user namespace, but its children do not have
|
|
# capabilities, blocking bwrap from being able to be used to
|
|
# arbitrarily by-pass the user namespace restrictions.
|
|
#
|
|
# Note: the bwrap child is stacked against the bwrap profile due to
|
|
# bwraps use of no-new-privs
|
|
|
|
# disabled by default as it can break some use cases on a system that
|
|
# doesn't have or has disable user namespace restrictions for unconfined
|
|
# use aa-enforce to enable it
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile bwrap /usr/bin/bwrap flags=(attach_disconnected,mediate_deleted) {
|
|
allow capability,
|
|
# not allow all, to allow for pix stack
|
|
# sadly we have to allow m every where to allow children to work under
|
|
# stacking.
|
|
allow file rwlkm /{**,},
|
|
allow network,
|
|
allow unix,
|
|
allow ptrace,
|
|
allow signal,
|
|
allow mqueue,
|
|
allow io_uring,
|
|
allow userns,
|
|
allow mount,
|
|
allow umount,
|
|
allow pivot_root,
|
|
allow dbus,
|
|
allow px /** -> bwrap//&unpriv_bwrap,
|
|
|
|
# the local include should not be used without understanding the userns
|
|
# restriction.
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/bwrap-userns-restrict>
|
|
}
|
|
|
|
profile unpriv_bwrap flags=(attach_disconnected,mediate_deleted) {
|
|
# not allow all, to allow for pix stack
|
|
allow file rwlkm /{**,},
|
|
allow network,
|
|
allow unix,
|
|
allow ptrace,
|
|
allow signal,
|
|
allow mqueue,
|
|
allow io_uring,
|
|
allow userns,
|
|
allow mount,
|
|
allow umount,
|
|
allow pivot_root,
|
|
allow dbus,
|
|
|
|
allow pix /** -> &unpriv_bwrap,
|
|
|
|
audit deny capability,
|
|
|
|
# the local include should not be used without understanding the userns
|
|
# restriction.
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/unpriv_bwrap>
|
|
}
|