Accepting request 905693 from home:cboltz:branches:KDE:Applications
- update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql path in AppArmor profiles (and make it a variable to keep the profiles readable) and some more rules for Postgresql OBS-URL: https://build.opensuse.org/request/show/905693 OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=283
parent
752521794c
commit
d430c9349b
@ -2,51 +2,111 @@ Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
|
||||
|
||||
From: Christian Boltz <suse-beta@cboltz.de>
|
||||
|
||||
- add paths to match the openSUSE file location
|
||||
- add 'abi' rules to enable and enforce all AppArmor features
|
||||
* add paths to match the openSUSE file location
|
||||
* use @{postgresqlpath} for the various postgresql paths (and add
|
||||
/usr/lib/postgresql*[0-9]/ for openSUSE)
|
||||
* add 'abi' rules to enable and enforce all AppArmor features
|
||||
|
||||
|
||||
Index: b/apparmor/mariadbd_akonadi
|
||||
Index: akonadi-21.04.3/apparmor/mariadbd_akonadi
|
||||
===================================================================
|
||||
--- a/apparmor/mariadbd_akonadi 2021-04-22 18:21:40.000000000 +0200
|
||||
+++ b/apparmor/mariadbd_akonadi 2021-06-05 18:47:31.029159467 +0200
|
||||
--- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi 2021-06-08 21:02:40.000000000 +0200
|
||||
+++ akonadi-21.04.3/apparmor/mariadbd_akonadi 2021-07-11 18:47:18.489487989 +0200
|
||||
@@ -1,3 +1,5 @@
|
||||
+abi <abi/3.0>,
|
||||
+
|
||||
#include <tunables/global>
|
||||
|
||||
@{xdg_data_home}=@{HOME}/.local/share
|
||||
Index: b/apparmor/mysqld_akonadi
|
||||
Index: akonadi-21.04.3/apparmor/mysqld_akonadi
|
||||
===================================================================
|
||||
--- a/apparmor/mysqld_akonadi 2021-04-22 18:21:40.000000000 +0200
|
||||
+++ b/apparmor/mysqld_akonadi 2021-06-05 18:47:36.609147822 +0200
|
||||
--- akonadi-21.04.3.orig/apparmor/mysqld_akonadi 2021-06-08 21:02:40.000000000 +0200
|
||||
+++ akonadi-21.04.3/apparmor/mysqld_akonadi 2021-07-11 18:47:18.489487989 +0200
|
||||
@@ -1,3 +1,5 @@
|
||||
+abi <abi/3.0>,
|
||||
+
|
||||
#include <tunables/global>
|
||||
|
||||
@{xdg_data_home}=@{HOME}/.local/share
|
||||
Index: b/apparmor/postgresql_akonadi
|
||||
Index: akonadi-21.04.3/apparmor/postgresql_akonadi
|
||||
===================================================================
|
||||
--- a/apparmor/postgresql_akonadi 2021-04-22 18:21:40.000000000 +0200
|
||||
+++ b/apparmor/postgresql_akonadi 2021-06-05 18:47:38.149144609 +0200
|
||||
@@ -1,3 +1,5 @@
|
||||
--- akonadi-21.04.3.orig/apparmor/postgresql_akonadi 2021-06-08 21:02:40.000000000 +0200
|
||||
+++ akonadi-21.04.3/apparmor/postgresql_akonadi 2021-07-11 18:47:58.253406613 +0200
|
||||
@@ -1,8 +1,12 @@
|
||||
+abi <abi/3.0>,
|
||||
+
|
||||
#include <tunables/global>
|
||||
|
||||
@{xdg_data_home}=@{HOME}/.local/share
|
||||
Index: b/apparmor/usr.bin.akonadiserver
|
||||
|
||||
-profile postgresql_akonadi {
|
||||
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
|
||||
+
|
||||
+profile postgresql_akonadi flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
@@ -15,27 +19,30 @@ profile postgresql_akonadi {
|
||||
signal receive set=kill peer=/usr/bin/akonadiserver,
|
||||
signal receive set=term peer=/usr/bin/akonadiserver,
|
||||
|
||||
+ deny / rw, # disconnected path
|
||||
+
|
||||
/etc/passwd r,
|
||||
/{usr/,}bin/{b,d}ash mrix,
|
||||
/{usr/,}bin/locale mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
|
||||
+ @{postgresqlpath}/bin/initdb mrix,
|
||||
+ @{postgresqlpath}/bin/pg_ctl mrix,
|
||||
+ @{postgresqlpath}/bin/postgres mrix,
|
||||
/usr/share/postgresql/** r,
|
||||
+ /usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing?
|
||||
owner /dev/shm/PostgreSQL.* rw,
|
||||
owner @{xdg_data_home}/akonadi/** rwlk,
|
||||
owner @{xdg_data_home}/akonadi/db_data/** l,
|
||||
owner /{,var/}run/user/@{uid}/akonadi** rwk,
|
||||
|
||||
# pg_upgrade
|
||||
- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
|
||||
+ @{postgresqlpath}/bin/pg_upgrade mrix,
|
||||
/opt/pgsql*/** mr,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
|
||||
+ @{postgresqlpath}/bin/pg_controldata mrix,
|
||||
+ @{postgresqlpath}/bin/pg_resetwal mrix,
|
||||
+ @{postgresqlpath}/bin/pg_dumpall mrix,
|
||||
+ @{postgresqlpath}/bin/pg_dump mrix,
|
||||
+ @{postgresqlpath}/bin/vacuumdb mrix,
|
||||
+ @{postgresqlpath}/bin/psql mrix,
|
||||
+ @{postgresqlpath}/bin/pg_restore mrix,
|
||||
/{usr/,}bin/cp mrix,
|
||||
}
|
||||
Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver
|
||||
===================================================================
|
||||
--- a/apparmor/usr.bin.akonadiserver 2021-04-22 18:21:40.000000000 +0200
|
||||
+++ b/apparmor/usr.bin.akonadiserver 2021-06-05 18:47:44.697130942 +0200
|
||||
@@ -1,3 +1,5 @@
|
||||
--- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver 2021-06-08 21:02:40.000000000 +0200
|
||||
+++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver 2021-07-11 18:49:46.837184405 +0200
|
||||
@@ -1,9 +1,13 @@
|
||||
+abi <abi/3.0>,
|
||||
+
|
||||
#include <tunables/global>
|
||||
|
||||
@{xdg_data_home}=@{HOME}/.local/share
|
||||
@@ -37,6 +39,7 @@
|
||||
|
||||
@{xdg_config_home}=@{HOME}/.config
|
||||
|
||||
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
|
||||
+
|
||||
/usr/bin/akonadiserver {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
@@ -37,6 +41,7 @@
|
||||
/etc/xdg/** r,
|
||||
/usr/bin/akonadiserver mr,
|
||||
/usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
|
||||
@ -54,9 +114,18 @@ Index: b/apparmor/usr.bin.akonadiserver
|
||||
/usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
|
||||
/usr/bin/mariadb-check PUx -> mariadbd_akonadi,
|
||||
/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
|
||||
@@ -49,10 +52,12 @@
|
||||
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
|
||||
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
|
||||
@@ -45,14 +50,18 @@
|
||||
/usr/bin/mysqladmin PUx -> mysqld_akonadi,
|
||||
/usr/bin/mysqlcheck PUx -> mysqld_akonadi,
|
||||
/usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
|
||||
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
|
||||
- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
|
||||
+ @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi,
|
||||
+ @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi,
|
||||
+ @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi,
|
||||
+ /usr/local/share/mime/mime.cache r,
|
||||
+ /usr/local/share/mime/types r,
|
||||
/usr/sbin/mysqld PUx -> mysqld_akonadi,
|
||||
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
|
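Review bot: The context rule `/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,` in apparmor/usr.bin.akonadiserver names a transition target with a doubled "d", while the neighbouring mariadb-admin and mariadb-check rules and the profile file itself use `mariadbd_akonadi`. If no profile with the misspelled name is loaded, the `PUx` fallback would presumably let mariadb-install-db run unconfined instead of under the MariaDB profile, so that helper loses the confinement the profile set is meant to provide. Since this patch already carries openSUSE-specific adjustments to the same file, it could also change the line to `/usr/bin/mariadb-install-db PUx -> mariadbd_akonadi,` and forward the fix upstream. The `/usr/bin/akonadiserver { … }` profile body starts and ends outside the visible hunks, so the declared profile names could not be checked here.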
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Jul 11 16:59:05 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
|
||||
|
||||
- update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql
|
||||
path in AppArmor profiles (and make it a variable to keep the
|
||||
profiles readable) and some more rules for Postgresql
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 7 08:56:32 UTC 2021 - Christophe Giboudeaux <christophe@krop.fr>
|
||||
|
||||
|