Accepting request 905693 from home:cboltz:branches:KDE:Applications

- update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql
  path in AppArmor profiles (and make it a variable to keep the
  profiles readable) and some more rules for Postgresql

OBS-URL: https://build.opensuse.org/request/show/905693
OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=283
This commit is contained in:
Luca Beltrame 2021-07-12 04:32:38 +00:00 committed by Git OBS Bridge
parent 752521794c
commit d430c9349b
2 changed files with 96 additions and 20 deletions


@ -2,51 +2,111 @@ Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
From: Christian Boltz <suse-beta@cboltz.de> From: Christian Boltz <suse-beta@cboltz.de>
- add paths to match the openSUSE file location * add paths to match the openSUSE file location
- add 'abi' rules to enable and enforce all AppArmor features * use @{postgresqlpath} for the various postgresql paths (and add
/usr/lib/postgresql*[0-9]/ for openSUSE)
* add 'abi' rules to enable and enforce all AppArmor features
Index: b/apparmor/mariadbd_akonadi Index: akonadi-21.04.3/apparmor/mariadbd_akonadi
=================================================================== ===================================================================
--- a/apparmor/mariadbd_akonadi 2021-04-22 18:21:40.000000000 +0200 --- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi 2021-06-08 21:02:40.000000000 +0200
+++ b/apparmor/mariadbd_akonadi 2021-06-05 18:47:31.029159467 +0200 +++ akonadi-21.04.3/apparmor/mariadbd_akonadi 2021-07-11 18:47:18.489487989 +0200
@@ -1,3 +1,5 @@ @@ -1,3 +1,5 @@
+abi <abi/3.0>, +abi <abi/3.0>,
+ +
#include <tunables/global> #include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share @{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/mysqld_akonadi Index: akonadi-21.04.3/apparmor/mysqld_akonadi
=================================================================== ===================================================================
--- a/apparmor/mysqld_akonadi 2021-04-22 18:21:40.000000000 +0200 --- akonadi-21.04.3.orig/apparmor/mysqld_akonadi 2021-06-08 21:02:40.000000000 +0200
+++ b/apparmor/mysqld_akonadi 2021-06-05 18:47:36.609147822 +0200 +++ akonadi-21.04.3/apparmor/mysqld_akonadi 2021-07-11 18:47:18.489487989 +0200
@@ -1,3 +1,5 @@ @@ -1,3 +1,5 @@
+abi <abi/3.0>, +abi <abi/3.0>,
+ +
#include <tunables/global> #include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share @{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/postgresql_akonadi Index: akonadi-21.04.3/apparmor/postgresql_akonadi
=================================================================== ===================================================================
--- a/apparmor/postgresql_akonadi 2021-04-22 18:21:40.000000000 +0200 --- akonadi-21.04.3.orig/apparmor/postgresql_akonadi 2021-06-08 21:02:40.000000000 +0200
+++ b/apparmor/postgresql_akonadi 2021-06-05 18:47:38.149144609 +0200 +++ akonadi-21.04.3/apparmor/postgresql_akonadi 2021-07-11 18:47:58.253406613 +0200
@@ -1,3 +1,5 @@ @@ -1,8 +1,12 @@
+abi <abi/3.0>, +abi <abi/3.0>,
+ +
#include <tunables/global> #include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share @{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/usr.bin.akonadiserver
-profile postgresql_akonadi {
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
+
+profile postgresql_akonadi flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
@@ -15,27 +19,30 @@ profile postgresql_akonadi {
signal receive set=kill peer=/usr/bin/akonadiserver,
signal receive set=term peer=/usr/bin/akonadiserver,
+ deny / rw, # disconnected path
+
/etc/passwd r,
/{usr/,}bin/{b,d}ash mrix,
/{usr/,}bin/locale mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
+ @{postgresqlpath}/bin/initdb mrix,
+ @{postgresqlpath}/bin/pg_ctl mrix,
+ @{postgresqlpath}/bin/postgres mrix,
/usr/share/postgresql/** r,
+ /usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing?
owner /dev/shm/PostgreSQL.* rw,
owner @{xdg_data_home}/akonadi/** rwlk,
owner @{xdg_data_home}/akonadi/db_data/** l,
owner /{,var/}run/user/@{uid}/akonadi** rwk,
# pg_upgrade
- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
+ @{postgresqlpath}/bin/pg_upgrade mrix,
/opt/pgsql*/** mr,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
+ @{postgresqlpath}/bin/pg_controldata mrix,
+ @{postgresqlpath}/bin/pg_resetwal mrix,
+ @{postgresqlpath}/bin/pg_dumpall mrix,
+ @{postgresqlpath}/bin/pg_dump mrix,
+ @{postgresqlpath}/bin/vacuumdb mrix,
+ @{postgresqlpath}/bin/psql mrix,
+ @{postgresqlpath}/bin/pg_restore mrix,
/{usr/,}bin/cp mrix,
}
Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver
=================================================================== ===================================================================
--- a/apparmor/usr.bin.akonadiserver 2021-04-22 18:21:40.000000000 +0200 --- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver 2021-06-08 21:02:40.000000000 +0200
+++ b/apparmor/usr.bin.akonadiserver 2021-06-05 18:47:44.697130942 +0200 +++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver 2021-07-11 18:49:46.837184405 +0200
@@ -1,3 +1,5 @@ @@ -1,9 +1,13 @@
+abi <abi/3.0>, +abi <abi/3.0>,
+ +
#include <tunables/global> #include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share @{xdg_data_home}=@{HOME}/.local/share
@@ -37,6 +39,7 @@
@{xdg_config_home}=@{HOME}/.config
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
+
/usr/bin/akonadiserver {
#include <abstractions/base>
#include <abstractions/consoles>
@@ -37,6 +41,7 @@
/etc/xdg/** r, /etc/xdg/** r,
/usr/bin/akonadiserver mr, /usr/bin/akonadiserver mr,
/usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx, /usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
@ -54,9 +114,18 @@ Index: b/apparmor/usr.bin.akonadiserver
/usr/bin/mariadb-admin PUx -> mariadbd_akonadi, /usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
/usr/bin/mariadb-check PUx -> mariadbd_akonadi, /usr/bin/mariadb-check PUx -> mariadbd_akonadi,
/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi, /usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
@@ -49,10 +52,12 @@ @@ -45,14 +50,18 @@
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi, /usr/bin/mysqladmin PUx -> mysqld_akonadi,
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi, /usr/bin/mysqlcheck PUx -> mysqld_akonadi,
/usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
+ @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi,
+ @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi,
+ @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi,
+ /usr/local/share/mime/mime.cache r,
+ /usr/local/share/mime/types r,
/usr/sbin/mysqld PUx -> mysqld_akonadi, /usr/sbin/mysqld PUx -> mysqld_akonadi,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/usr/share/mime/mime.cache r, /usr/share/mime/mime.cache r,
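Review bot: The new rule `/usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing?` lands with its open question still in the comment; the unversioned tree gets `/usr/share/postgresql/** r,` two lines above, so the versioned openSUSE directory presumably needs the same read-only breadth, `/usr/share/postgresql*[0-9]/** r,`, and if only timezonesets/Default is intended the comment should state why rather than ask. Separately, the context line `/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,` in usr.bin.akonadiserver names a profile that does not appear anywhere here (the profile is `mariadbd_akonadi`), and with the `U` fallback that looks like it lets mariadb-install-db run unconfined unless the parser rejects the unknown target, so it is worth correcting while this patch is open. The `@{postgresqlpath}` variable also includes `/usr/`, so `@{postgresqlpath}/bin/initdb` expands to `/usr//bin/initdb`; this appears to rely on the parser collapsing doubled slashes, which deserves a one-line comment next to the variable, e.g. `# leading /usr/ yields //bin/... — the parser collapses repeated slashes`. The profile bodies start and end outside the visible hunks.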


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sun Jul 11 16:59:05 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql
path in AppArmor profiles (and make it a variable to keep the
profiles readable) and some more rules for Postgresql
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jul 7 08:56:32 UTC 2021 - Christophe Giboudeaux <christophe@krop.fr> Wed Jul 7 08:56:32 UTC 2021 - Christophe Giboudeaux <christophe@krop.fr>