akonadi-server/akonadi-apparmor-opensuse.diff

Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0

From: Christian Boltz <suse-beta@cboltz.de>

* add paths to match the openSUSE file location
* use @{postgresqlpath} for the various postgresql paths (and add
  /usr/lib/postgresql*[0-9]/ for openSUSE)
* add 'abi' rules to enable and enforce all AppArmor features


Index: akonadi-21.04.3/apparmor/mariadbd_akonadi
===================================================================
--- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/mariadbd_akonadi	2021-07-11 18:47:18.489487989 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
Index: akonadi-21.04.3/apparmor/mysqld_akonadi
===================================================================
--- akonadi-21.04.3.orig/apparmor/mysqld_akonadi	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/mysqld_akonadi	2021-07-11 18:47:18.489487989 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
Index: akonadi-21.04.3/apparmor/postgresql_akonadi
===================================================================
--- akonadi-21.04.3.orig/apparmor/postgresql_akonadi	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/postgresql_akonadi	2021-07-11 18:47:58.253406613 +0200
@@ -1,8 +1,12 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
 
-profile postgresql_akonadi {
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
+
+profile postgresql_akonadi flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/consoles>
@@ -15,27 +19,30 @@ profile postgresql_akonadi {
   signal receive set=kill peer=/usr/bin/akonadiserver,
   signal receive set=term peer=/usr/bin/akonadiserver,
 
+  deny / rw,  # disconnected path
+
   /etc/passwd r,
   /{usr/,}bin/{b,d}ash mrix,
   /{usr/,}bin/locale mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
+  @{postgresqlpath}/bin/initdb mrix,
+  @{postgresqlpath}/bin/pg_ctl mrix,
+  @{postgresqlpath}/bin/postgres mrix,
   /usr/share/postgresql/** r,
+  /usr/share/postgresql*[0-9]/timezonesets/Default r,  # use globbing?
   owner /dev/shm/PostgreSQL.* rw,
   owner @{xdg_data_home}/akonadi/** rwlk,
   owner @{xdg_data_home}/akonadi/db_data/** l,
   owner /{,var/}run/user/@{uid}/akonadi** rwk,
 
   # pg_upgrade
-  /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
+  @{postgresqlpath}/bin/pg_upgrade mrix,
   /opt/pgsql*/** mr,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
+  @{postgresqlpath}/bin/pg_controldata mrix,
+  @{postgresqlpath}/bin/pg_resetwal mrix,
+  @{postgresqlpath}/bin/pg_dumpall mrix,
+  @{postgresqlpath}/bin/pg_dump mrix,
+  @{postgresqlpath}/bin/vacuumdb mrix,
+  @{postgresqlpath}/bin/psql mrix,
+  @{postgresqlpath}/bin/pg_restore mrix,
   /{usr/,}bin/cp mrix,
 }
Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver
===================================================================
--- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver	2021-07-11 18:49:46.837184405 +0200
@@ -1,9 +1,13 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
 
 @{xdg_config_home}=@{HOME}/.config
 
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
+
 /usr/bin/akonadiserver {
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -37,6 +41,7 @@
   /etc/xdg/** r,
   /usr/bin/akonadiserver mr,
   /usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
+  /usr/lib{,64}/libexec/drkonqi PUx,
   /usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
   /usr/bin/mariadb-check PUx -> mariadbd_akonadi,
   /usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
@@ -45,14 +50,18 @@
   /usr/bin/mysqladmin PUx -> mysqld_akonadi,
   /usr/bin/mysqlcheck PUx -> mysqld_akonadi,
   /usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
-  /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
+  @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi,
+  @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi,
+  @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi,
+  /usr/local/share/mime/mime.cache r,
+  /usr/local/share/mime/types r,
   /usr/sbin/mysqld PUx -> mysqld_akonadi,
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/mime/mime.cache r,
   /usr/share/mime/packages/ r,
   /usr/share/mime/types r,
-  /usr/share/qt/translations/* r,
+  /usr/share/qt5/qtlogging.ini r,
+  /usr/share/qt{,5}/translations/* r,
   /usr/share/mysql/** r,
   @{PROC}/sys/kernel/core_pattern r,
   @{PROC}/sys/kernel/random/boot_id r,