From d430c9349b13528b11db3b560544ecc4855549f2b76a124aba443cf1564859dc Mon Sep 17 00:00:00 2001 From: Luca Beltrame Date: Mon, 12 Jul 2021 04:32:38 +0000 Subject: [PATCH] Accepting request 905693 from home:cboltz:branches:KDE:Applications - update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql path in AppArmor profiles (and make it a variable to keep the profiles readable) and some more rules for Postgresql OBS-URL: https://build.opensuse.org/request/show/905693 OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=283 --- akonadi-apparmor-opensuse.diff | 109 +++++++++++++++++++++++++++------ akonadi-server.changes | 7 +++ 2 files changed, 96 insertions(+), 20 deletions(-) diff --git a/akonadi-apparmor-opensuse.diff b/akonadi-apparmor-opensuse.diff index fe4763e..44cafad 100644 --- a/akonadi-apparmor-opensuse.diff +++ b/akonadi-apparmor-opensuse.diff @@ -2,51 +2,111 @@ Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0 From: Christian Boltz -- add paths to match the openSUSE file location -- add 'abi' rules to enable and enforce all AppArmor features +* add paths to match the openSUSE file location +* use @{postgresqlpath} for the various postgresql paths (and add + /usr/lib/postgresql*[0-9]/ for openSUSE) +* add 'abi' rules to enable and enforce all AppArmor features -Index: b/apparmor/mariadbd_akonadi +Index: akonadi-21.04.3/apparmor/mariadbd_akonadi =================================================================== ---- a/apparmor/mariadbd_akonadi 2021-04-22 18:21:40.000000000 +0200 -+++ b/apparmor/mariadbd_akonadi 2021-06-05 18:47:31.029159467 +0200 +--- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi 2021-06-08 21:02:40.000000000 +0200 ++++ akonadi-21.04.3/apparmor/mariadbd_akonadi 2021-07-11 18:47:18.489487989 +0200 
@@ -1,3 +1,5 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share -Index: b/apparmor/mysqld_akonadi +Index: akonadi-21.04.3/apparmor/mysqld_akonadi =================================================================== ---- a/apparmor/mysqld_akonadi 2021-04-22 18:21:40.000000000 +0200 -+++ b/apparmor/mysqld_akonadi 2021-06-05 18:47:36.609147822 +0200 +--- akonadi-21.04.3.orig/apparmor/mysqld_akonadi 2021-06-08 21:02:40.000000000 +0200 ++++ akonadi-21.04.3/apparmor/mysqld_akonadi 2021-07-11 18:47:18.489487989 +0200 
@@ -1,3 +1,5 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share -Index: b/apparmor/postgresql_akonadi +Index: akonadi-21.04.3/apparmor/postgresql_akonadi =================================================================== ---- a/apparmor/postgresql_akonadi 2021-04-22 18:21:40.000000000 +0200 -+++ b/apparmor/postgresql_akonadi 2021-06-05 18:47:38.149144609 +0200 -@@ -1,3 +1,5 @@ +--- akonadi-21.04.3.orig/apparmor/postgresql_akonadi 2021-06-08 21:02:40.000000000 +0200 ++++ akonadi-21.04.3/apparmor/postgresql_akonadi 2021-07-11 18:47:58.253406613 +0200 +@@ -1,8 +1,12 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share -Index: b/apparmor/usr.bin.akonadiserver + +-profile postgresql_akonadi { ++@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/ ++ ++profile postgresql_akonadi flags=(attach_disconnected) { + #include + #include + #include +@@ -15,27 +19,30 @@ profile postgresql_akonadi { + signal receive set=kill peer=/usr/bin/akonadiserver, + signal receive set=term peer=/usr/bin/akonadiserver, + ++ deny / rw, # disconnected path ++ + /etc/passwd r, + /{usr/,}bin/{b,d}ash mrix, + /{usr/,}bin/locale mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix, ++ @{postgresqlpath}/bin/initdb mrix, ++ @{postgresqlpath}/bin/pg_ctl mrix, ++ @{postgresqlpath}/bin/postgres mrix, + /usr/share/postgresql/** r, ++ /usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing? 
+ owner /dev/shm/PostgreSQL.* rw, + owner @{xdg_data_home}/akonadi/** rwlk, + owner @{xdg_data_home}/akonadi/db_data/** l, + owner /{,var/}run/user/@{uid}/akonadi** rwk, + + # pg_upgrade +- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix, ++ @{postgresqlpath}/bin/pg_upgrade mrix, + /opt/pgsql*/** mr, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix, ++ @{postgresqlpath}/bin/pg_controldata mrix, ++ @{postgresqlpath}/bin/pg_resetwal mrix, ++ @{postgresqlpath}/bin/pg_dumpall mrix, ++ @{postgresqlpath}/bin/pg_dump mrix, ++ @{postgresqlpath}/bin/vacuumdb mrix, ++ @{postgresqlpath}/bin/psql mrix, ++ @{postgresqlpath}/bin/pg_restore mrix, + /{usr/,}bin/cp mrix, + } +Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver =================================================================== ---- a/apparmor/usr.bin.akonadiserver 2021-04-22 18:21:40.000000000 +0200 -+++ b/apparmor/usr.bin.akonadiserver 2021-06-05 18:47:44.697130942 +0200 -@@ -1,3 +1,5 @@ +--- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver 2021-06-08 21:02:40.000000000 +0200 ++++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver 2021-07-11 18:49:46.837184405 +0200 +@@ -1,9 +1,13 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share -@@ -37,6 +39,7 @@ + + @{xdg_config_home}=@{HOME}/.config + ++@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/ ++ + /usr/bin/akonadiserver { + #include + #include +@@ -37,6 +41,7 @@ /etc/xdg/** r, /usr/bin/akonadiserver mr, /usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx, 
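Review bot: Switching the pg_upgrade rule to `@{postgresqlpath}/bin/pg_upgrade mrix,` widens it as well as adding the openSUSE path. The removed rule `/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,` did not cover `/opt/pgsql*/`, which the variable includes. The same widening applies to the `PUx -> postgresql_akonadi` rule for pg_upgrade in the usr.bin.akonadiserver section of the next hunk. If this is intended, say so in the patch header; otherwise keep pg_upgrade on an explicit list such as `/{usr/,usr/lib/postgresql/*/,usr/lib/postgresql*[0-9]/}bin/pg_upgrade mrix,`. Separately, `flags=(attach_disconnected)` has no stated rationale, and since a plain `deny` rule is not logged, a short comment on why both are needed would help, e.g. `# postgres is handed disconnected paths by <caller>; deny / rw only silences the resulting noise`.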
@@ -54,9 +114,18 @@ Index: b/apparmor/usr.bin.akonadiserver /usr/bin/mariadb-admin PUx -> mariadbd_akonadi, /usr/bin/mariadb-check PUx -> mariadbd_akonadi, /usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi, -@@ -49,10 +52,12 @@ - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi, - /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi, +@@ -45,14 +50,18 @@ + /usr/bin/mysqladmin PUx -> mysqld_akonadi, + /usr/bin/mysqlcheck PUx -> mysqld_akonadi, + /usr/{,s}bin/mysqld PUx -> mysqld_akonadi, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi, +- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi, +- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi, ++ @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi, ++ @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi, ++ @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi, ++ /usr/local/share/mime/mime.cache r, ++ /usr/local/share/mime/types r, /usr/sbin/mysqld PUx -> mysqld_akonadi, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/mime/mime.cache r, diff --git a/akonadi-server.changes b/akonadi-server.changes index 9f979d9..0e69ca7 100644 --- a/akonadi-server.changes +++ b/akonadi-server.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sun Jul 11 16:59:05 UTC 2021 - Christian Boltz + +- update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql + path in AppArmor profiles (and make it a variable to keep the + profiles readable) and some more rules for Postgresql + ------------------------------------------------------------------- Wed Jul 7 08:56:32 UTC 2021 - Christophe Giboudeaux
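Review bot: The context line `/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,` names a profile with a doubled "d", while the neighbouring rules target `mariadbd_akonadi`. Because `PUx` falls back to unconfined execution when the named profile is not loaded, mariadb-install-db would presumably run without confinement, assuming the profile is named like its file. The line comes from the upstream profile and this patch leaves it untouched. Since the patch already edits this block, it could carry the fix `/usr/bin/mariadb-install-db PUx -> mariadbd_akonadi,`, which should also be reported upstream.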