Accepting request 897736 from home:cboltz:branches:KDE:Applications

- Install AppArmor profiles (as -apparmor subpackage) - add akonadi-apparmor-opensuse.diff to adjust the profiles to openSUSE paths, and to add 'abi' rules to the profiles Thanks for the quick review in SR 897569. This SR should fix the issues you noticed. Another diff to SR 897569 is that I added 'abi' rules to the profiles to ensure that all AppArmor features get enforced. Original description (from SR 897569): Note: The akonadi-server-apparmor package will _not_ be installed automatically, so users will have to explicitely install it if they want to use the AppArmor profiles for akonadi-server. I tested the profiles with my setup (which is using the system-wide mariadb with akonadi), other setups might need some adjustments. My proposal is: As soon as this change reaches Tumbleweed, let's send out a call for testing on the factory mailinglist (I can do that, unless you want to do it yourself). I'll update the profiles as needed (as bugreports come in) so that they work with mariadb and postgresql, with the goal to have profiles that "just work". To get started, I added a patch with some profile additions (openSUSE and Debian paths somewhat differ). When the dust/bugreports settles, we should of course get the patch upstream. (I can probably do that, but might need some help - it's been a long time since I last submitted a patch to one of the KDE repos.) If you want to test yourself, note that you'll need to restart akonadi to actually enable the AppArmor confinement. OBS-URL: https://build.opensuse.org/request/show/897736 OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=279
2021-06-08 12:04:10 +00:00 · 2021-06-08 12:04:10 +00:00 · 774828ac6f
commit 774828ac6f
parent 56e417e569
3 changed files with 98 additions and 1 deletions
--- a/akonadi-apparmor-opensuse.diff
+++ b/akonadi-apparmor-opensuse.diff
@ -0,0 +1,70 @@
+Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
+
+From: Christian Boltz <suse-beta@cboltz.de>
+
+- add paths to match the openSUSE file location
+- add 'abi' rules to enable and enforce all AppArmor features
+
+
+Index: b/apparmor/mariadbd_akonadi
+===================================================================
+--- a/apparmor/mariadbd_akonadi	2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/mariadbd_akonadi	2021-06-05 18:47:31.029159467 +0200
+@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
+ #include <tunables/global>
+ 
+ @{xdg_data_home}=@{HOME}/.local/share
+Index: b/apparmor/mysqld_akonadi
+===================================================================
+--- a/apparmor/mysqld_akonadi	2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/mysqld_akonadi	2021-06-05 18:47:36.609147822 +0200
+@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
+ #include <tunables/global>
+ 
+ @{xdg_data_home}=@{HOME}/.local/share
+Index: b/apparmor/postgresql_akonadi
+===================================================================
+--- a/apparmor/postgresql_akonadi	2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/postgresql_akonadi	2021-06-05 18:47:38.149144609 +0200
+@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
+ #include <tunables/global>
+ 
+ @{xdg_data_home}=@{HOME}/.local/share
+Index: b/apparmor/usr.bin.akonadiserver
+===================================================================
+--- a/apparmor/usr.bin.akonadiserver	2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/usr.bin.akonadiserver	2021-06-05 18:47:44.697130942 +0200
+@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
+ #include <tunables/global>
+ 
+ @{xdg_data_home}=@{HOME}/.local/share
+@@ -37,6 +39,7 @@
+   /etc/xdg/** r,
+   /usr/bin/akonadiserver mr,
+   /usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
+  /usr/lib{,64}/libexec/drkonqi PUx,
+   /usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
+   /usr/bin/mariadb-check PUx -> mariadbd_akonadi,
+   /usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
+@@ -49,10 +52,12 @@
+   /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
+   /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
+   /usr/sbin/mysqld PUx -> mysqld_akonadi,
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
+   /usr/share/mime/mime.cache r,
+   /usr/share/mime/packages/ r,
+   /usr/share/mime/types r,
+-  /usr/share/qt/translations/* r,
+  /usr/share/qt5/qtlogging.ini r,
+  /usr/share/qt{,5}/translations/* r,
+   /usr/share/mysql/** r,
+   @{PROC}/sys/kernel/core_pattern r,
+   @{PROC}/sys/kernel/random/boot_id r,
--- a/akonadi-server.changes
+++ b/akonadi-server.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jun  3 18:22:09 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
+
+- Install AppArmor profiles (as -apparmor subpackage)
+- add akonadi-apparmor-opensuse.diff to adjust the profiles to
+  openSUSE paths, and to add 'abi' rules to the profiles
+
 -------------------------------------------------------------------
 Wed May 12 06:06:35 UTC 2021 - Christophe Giboudeaux <christophe@krop.fr>

--- a/akonadi-server.spec
+++ b/akonadi-server.spec
@ -34,6 +34,10 @@ Source1:        https://download.kde.org/stable/release-service/%{version}/src/%
 Source2:        applications.keyring
 %endif
 Source99:       akonadi-server-rpmlintrc
+# PATCH-FIX-OPENSUSE akonadi-apparmor-opensuse.diff - adjust AppArmor profiles to work on openSUSE
+Patch:          akonadi-apparmor-opensuse.diff
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
 BuildRequires:  extra-cmake-modules >= %{kf5_version}
 BuildRequires:  kf5-filesystem
 BuildRequires:  libQt5Sql-private-headers-devel
@ -161,13 +165,20 @@ Provides:       libKF5AkonadiPrivate-devel = %{version}
 This package contains development files of Akonadi, the KDE PIM storage
 service.

+%package apparmor
+Summary:        AppArmor profiles for Akonadi
+Requires:       apparmor-abstractions
+
+%description apparmor
+This package contains AppArmor profiles for Akonadi.
+
 %lang_package

 %prep
 %autosetup -p1 -n %{rname}-%{version}

 %build
-  %cmake_kf5 -d build -- -DINSTALL_QSQLITE_IN_QT_PREFIX=TRUE -DQT_PLUGINS_DIR=%{_kf5_plugindir} -DINSTALL_APPARMOR=FALSE
+  %cmake_kf5 -d build -- -DINSTALL_QSQLITE_IN_QT_PREFIX=TRUE -DQT_PLUGINS_DIR=%{_kf5_plugindir}
  %cmake_build

 %install
@ -190,6 +201,9 @@ service.
 %post -n libKF5AkonadiXml5 -p /sbin/ldconfig
 %postun -n libKF5AkonadiXml5 -p /sbin/ldconfig

+%post apparmor
+%apparmor_reload %{_sysconfdir}/apparmor.d/mariadbd_akonadi %{_sysconfdir}/apparmor.d/mysqld_akonadi %{_sysconfdir}/apparmor.d/postgresql_akonadi %{_sysconfdir}/apparmor.d/usr.bin.akonadiserver
+
 %files
 %license LICENSES/*
 %doc AUTHORS
@ -263,6 +277,12 @@ service.
 %dir %{_kf5_sharedir}/kdevappwizard/
 %{_kf5_sharedir}/kdevappwizard/templates/

+%files apparmor
+%config(noreplace) %{_sysconfdir}/apparmor.d/mariadbd_akonadi
+%config(noreplace) %{_sysconfdir}/apparmor.d/mysqld_akonadi
+%config(noreplace) %{_sysconfdir}/apparmor.d/postgresql_akonadi
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.bin.akonadiserver
+
 %if %{with lang}
 %files lang -f %{name}.lang
 %license LICENSES/*