From 400532079a4d1764a7c6ff635e0feceb7129fd91 Mon Sep 17 00:00:00 2001
From: R1kaB3rN <100738684+R1kaB3rN@users.noreply.github.com>
Date: Fri, 6 Sep 2024 18:01:09 -0700
Subject: [PATCH 1/3] .gitmodules: add gamescope-dbus
---
 .gitmodules | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitmodules b/.gitmodules
index a6452efb..ea1af7c1 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "subprojects/python-xlib"]
 path = subprojects/python-xlib
 url = https://github.com/python-xlib/python-xlib.git
+[submodule "subprojects/gamescope-dbus"]
+ path = subprojects/gamescope-dbus
+ url = https://github.com/ShadowBlip/gamescope-dbus.git
From e5915288b6d37503aced82652c5c734b86b4de43 Mon Sep 17 00:00:00 2001
From: R1kaB3rN <100738684+R1kaB3rN@users.noreply.github.com>
Date: Fri, 6 Sep 2024 18:01:31 -0700
Subject: [PATCH 2/3] Makefile: add gamescope-dbus build target
---
 Makefile.in | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index b82053d9..4da3445d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -148,7 +148,7 @@ $(OBJDIR):
 .PHONY: clean
 clean:
 $(info :: Cleaning source directory )
- @rm -rf -v $(OBJDIR) umu/umu_version.json ./$(RELEASEDIR) $(RELEASEDIR).tar.gz
+ @rm -rf -v $(OBJDIR) umu/umu_version.json ./$(RELEASEDIR) $(RELEASEDIR).tar.gz subprojects/gamescope-dbus/target
 RELEASEDIR := $(PROJECT)-$(shell git describe --abbrev=0)
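Review bot: The `.gitmodules` entry for `subprojects/gamescope-dbus` arrives without a gitlink: the diffstat of this patch lists only `.gitmodules`, and neither of the later patches in the series records a `Subproject commit` for that path. Unless the gitlink is committed elsewhere, a fresh clone has no pinned revision to check out, so the `cd subprojects/gamescope-dbus` in the new Makefile recipe would fail or build whatever revision someone populated by hand. Committing the submodule path together with this entry (what `git submodule add` stages) keeps the code that is built and installed tied to a reviewed commit.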
@@ -197,4 +197,19 @@ zipapp-install: zipapp
 install -Dm755 $(ZIPAPP) $(DESTDIR)$(BINDIR)
 @echo "Standalone application 'umu-run' created at '$(DESTDIR)$(PREFIX)/bin'"
+
+$(OBJDIR)/.build-gamescope-dbus: | $(OBJDIR)
+ $(info :: Building gamescope-dbus )
+ cd subprojects/gamescope-dbus && \
+ cargo update && \
+ make build
+ touch $(@)
+
+.PHONY: gamescope-dbus
+gamescope-dbus: $(OBJDIR)/.build-gamescope-dbus
+
+gamescope-dbus-install: gamescope-dbus
+ $(info :: Installing gamescope-dbus )
+ PREFIX=$(DESTDIR) make -C subprojects/gamescope-dbus install
+
 # vim: ft=make
From 1f5048b2090fd956b0be960caeb38955b07e5e0a Mon Sep 17 00:00:00 2001
From: R1kaB3rN <100738684+R1kaB3rN@users.noreply.github.com>
Date: Fri, 6 Sep 2024 18:01:43 -0700
Subject: [PATCH 3/3] units: add gamescope-dbus.service
---
 systemd/units/gamescope-dbus.service.in | 59 +++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 systemd/units/gamescope-dbus.service.in
diff --git a/systemd/units/gamescope-dbus.service.in b/systemd/units/gamescope-dbus.service.in
new file mode 100644
index 00000000..d3a4dc36
--- /dev/null
+++ b/systemd/units/gamescope-dbus.service.in
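Review bot: The `cargo update &&` step in the `$(OBJDIR)/.build-gamescope-dbus` recipe re-resolves the subproject's dependencies on every build, so the crates that get compiled can be newer than the ones recorded in the subproject's lockfile (assuming it ships one); that makes the binary unreproducible and lets dependency changes in without review, and I would drop the line. Both new recipes also call a literal `make`; `$(MAKE) build` and `$(MAKE) -C subprojects/gamescope-dbus install` keep `-j` and `-n` handling intact. In `gamescope-dbus-install`, `PREFIX=$(DESTDIR)` hands the staging root to the subproject as its prefix, so an unset `DESTDIR` yields an empty `PREFIX`; how the subproject's install rule treats that is not visible here and should be checked. `gamescope-dbus-install` is also missing from `.PHONY`.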
@@ -0,0 +1,59 @@
+[Unit]
+Description=Daemon for interacting with Gamescope over DBus
+
+[Service]
+Type=simple
+ExecStart=gamescope-dbus
+Restart=always
+RestartSec=1
+
+# Filesystem lockdown
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectControlGroups=true
+PrivateTmp=true
+ProtectProc=invisible
+ProcSubset=pid
+UMask=0077
+
+# Privilege escalation
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+
+# Network
+PrivateNetwork=true
+IPAddressDeny=any
+
+# System call interfaces
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+
+# Kernel
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+
+# Namespaces
+RestrictNamespaces=true
+
+# Service capabilities
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_SYS_TTY_CONFIG CAP_DAC_OVERRIDE
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+ProtectClock=true
+ProtectHostname=true
+
+# Devices
+DevicePolicy=strict
+DeviceAllow=char-/dev/console rw
+DeviceAllow=char-drm rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+DeviceAllow=/dev/null rw
+
+[Install]
+WantedBy=multi-user.target
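Review bot: `CapabilityBoundingSet=` retains `CAP_SYS_ADMIN` and `CAP_DAC_OVERRIDE`, and the unit sets no `User=`, so under `WantedBy=multi-user.target` the daemon presumably runs as root with the two broadest capabilities, which undercuts much of the lockdown listed above it. I would trim the set to what the daemon demonstrably needs and put a comment above the line stating the reason for each capability kept, or run it under a dedicated account with `User=` if root is not required. `ProtectHome=true` also makes `/run/user` inaccessible and `PrivateTmp=true` gives the service its own `/tmp`, so if the daemon reaches Gamescope through sockets in either location (not visible in this patch) it will not find them. `ExecStart=gamescope-dbus` depends on systemd's built-in search path; an absolute path, substituted when the `.in` template is processed, removes any ambiguity about which binary starts.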