pool/akonadi-server
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 897736 from home:cboltz:branches:KDE:Applications

Browse Source 
- Install AppArmor profiles (as -apparmor subpackage)
- add akonadi-apparmor-opensuse.diff to adjust the profiles to
  openSUSE paths, and to add 'abi' rules to the profiles



Thanks for the quick review in SR 897569. This SR should fix the issues you
noticed.

Another diff to SR 897569 is that I added 'abi' rules to the profiles to ensure
that all AppArmor features get enforced.



Original description (from SR 897569):

Note: The akonadi-server-apparmor package will _not_ be installed
automatically, so users will have to explicitely install it if they want
to use the AppArmor profiles for akonadi-server.

I tested the profiles with my setup (which is using the system-wide
mariadb with akonadi), other setups might need some adjustments.

My proposal is: As soon as this change reaches Tumbleweed, let's send
out a call for testing on the factory mailinglist (I can do that, unless
you want to do it yourself).

I'll update the profiles as needed (as bugreports come in) so that they
work with mariadb and postgresql, with the goal to have profiles that
"just work".

To get started, I added a patch with some profile additions (openSUSE
and Debian paths somewhat differ). When the dust/bugreports settles, we
should of course get the patch upstream. (I can probably do that, but
might need some help - it's been a long time since I last submitted a
patch to one of the KDE repos.)

If you want to test yourself, note that you'll need to restart akonadi
to actually enable the AppArmor confinement.

OBS-URL: https://build.opensuse.org/request/show/897736
OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=279
This commit is contained in:
Luca Beltrame 2021-06-08 12:04:10 +00:00 committed by Git OBS Bridge
parent 56e417e569
commit 774828ac6f
3 changed files with 98 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
akonadi-apparmor-opensuse.diff Normal file
View File

@ -0,0 +1,70 @@
Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
From: Christian Boltz <suse-beta@cboltz.de>
- add paths to match the openSUSE file location
- add 'abi' rules to enable and enforce all AppArmor features
Index: b/apparmor/mariadbd_akonadi
===================================================================
--- a/apparmor/mariadbd_akonadi 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/mariadbd_akonadi 2021-06-05 18:47:31.029159467 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/mysqld_akonadi
===================================================================
--- a/apparmor/mysqld_akonadi 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/mysqld_akonadi 2021-06-05 18:47:36.609147822 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/postgresql_akonadi
===================================================================
--- a/apparmor/postgresql_akonadi 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/postgresql_akonadi 2021-06-05 18:47:38.149144609 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/usr.bin.akonadiserver
===================================================================
--- a/apparmor/usr.bin.akonadiserver 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/usr.bin.akonadiserver 2021-06-05 18:47:44.697130942 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
@@ -37,6 +39,7 @@
/etc/xdg/** r,
/usr/bin/akonadiserver mr,
/usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
+ /usr/lib{,64}/libexec/drkonqi PUx,
/usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
/usr/bin/mariadb-check PUx -> mariadbd_akonadi,
/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
@@ -49,10 +52,12 @@
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
/usr/sbin/mysqld PUx -> mysqld_akonadi,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/usr/share/mime/mime.cache r,
/usr/share/mime/packages/ r,
/usr/share/mime/types r,
- /usr/share/qt/translations/* r,
+ /usr/share/qt5/qtlogging.ini r,
+ /usr/share/qt{,5}/translations/* r,
/usr/share/mysql/** r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,

7
akonadi-server.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Jun 3 18:22:09 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- Install AppArmor profiles (as -apparmor subpackage)
- add akonadi-apparmor-opensuse.diff to adjust the profiles to
openSUSE paths, and to add 'abi' rules to the profiles
------------------------------------------------------------------- -------------------------------------------------------------------
Wed May 12 06:06:35 UTC 2021 - Christophe Giboudeaux <christophe@krop.fr> Wed May 12 06:06:35 UTC 2021 - Christophe Giboudeaux <christophe@krop.fr>

22
akonadi-server.spec
View File

@ -34,6 +34,10 @@ Source1: https://download.kde.org/stable/release-service/%{version}/src/%
Source2: applications.keyring Source2: applications.keyring
%endif %endif
Source99: akonadi-server-rpmlintrc Source99: akonadi-server-rpmlintrc
# PATCH-FIX-OPENSUSE akonadi-apparmor-opensuse.diff - adjust AppArmor profiles to work on openSUSE
Patch: akonadi-apparmor-opensuse.diff
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
BuildRequires: extra-cmake-modules >= %{kf5_version} BuildRequires: extra-cmake-modules >= %{kf5_version}
BuildRequires: kf5-filesystem BuildRequires: kf5-filesystem
BuildRequires: libQt5Sql-private-headers-devel BuildRequires: libQt5Sql-private-headers-devel
@ -161,13 +165,20 @@ Provides: libKF5AkonadiPrivate-devel = %{version}
This package contains development files of Akonadi, the KDE PIM storage This package contains development files of Akonadi, the KDE PIM storage
service. service.
%package apparmor
Summary: AppArmor profiles for Akonadi
Requires: apparmor-abstractions
%description apparmor
This package contains AppArmor profiles for Akonadi.
%lang_package %lang_package
%prep %prep
%autosetup -p1 -n %{rname}-%{version} %autosetup -p1 -n %{rname}-%{version}
%build %build
%cmake_kf5 -d build -- -DINSTALL_QSQLITE_IN_QT_PREFIX=TRUE -DQT_PLUGINS_DIR=%{_kf5_plugindir} -DINSTALL_APPARMOR=FALSE %cmake_kf5 -d build -- -DINSTALL_QSQLITE_IN_QT_PREFIX=TRUE -DQT_PLUGINS_DIR=%{_kf5_plugindir}
%cmake_build %cmake_build
%install %install
@ -190,6 +201,9 @@ service.
%post -n libKF5AkonadiXml5 -p /sbin/ldconfig %post -n libKF5AkonadiXml5 -p /sbin/ldconfig
%postun -n libKF5AkonadiXml5 -p /sbin/ldconfig %postun -n libKF5AkonadiXml5 -p /sbin/ldconfig
%post apparmor
%apparmor_reload %{_sysconfdir}/apparmor.d/mariadbd_akonadi %{_sysconfdir}/apparmor.d/mysqld_akonadi %{_sysconfdir}/apparmor.d/postgresql_akonadi %{_sysconfdir}/apparmor.d/usr.bin.akonadiserver
%files %files
%license LICENSES/* %license LICENSES/*
%doc AUTHORS %doc AUTHORS
@ -263,6 +277,12 @@ service.
%dir %{_kf5_sharedir}/kdevappwizard/ %dir %{_kf5_sharedir}/kdevappwizard/
%{_kf5_sharedir}/kdevappwizard/templates/ %{_kf5_sharedir}/kdevappwizard/templates/
%files apparmor
%config(noreplace) %{_sysconfdir}/apparmor.d/mariadbd_akonadi
%config(noreplace) %{_sysconfdir}/apparmor.d/mysqld_akonadi
%config(noreplace) %{_sysconfdir}/apparmor.d/postgresql_akonadi
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.akonadiserver
%if %{with lang} %if %{with lang}
%files lang -f %{name}.lang %files lang -f %{name}.lang
%license LICENSES/* %license LICENSES/*