Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0 From: Christian Boltz * add paths to match the openSUSE file location * use @{postgresqlpath} for the various postgresql paths (and add /usr/lib/postgresql*[0-9]/ for openSUSE) * add 'abi' rules to enable and enforce all AppArmor features Index: akonadi-21.04.3/apparmor/mariadbd_akonadi =================================================================== --- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi 2021-06-08 21:02:40.000000000 +0200 +++ akonadi-21.04.3/apparmor/mariadbd_akonadi 2021-07-11 18:47:18.489487989 +0200 @@ -1,3 +1,5 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share Index: akonadi-21.04.3/apparmor/mysqld_akonadi =================================================================== --- akonadi-21.04.3.orig/apparmor/mysqld_akonadi 2021-06-08 21:02:40.000000000 +0200 +++ akonadi-21.04.3/apparmor/mysqld_akonadi 2021-07-11 18:47:18.489487989 +0200 @@ -1,3 +1,5 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share Index: akonadi-21.04.3/apparmor/postgresql_akonadi =================================================================== --- akonadi-21.04.3.orig/apparmor/postgresql_akonadi 2021-06-08 21:02:40.000000000 +0200 +++ akonadi-21.04.3/apparmor/postgresql_akonadi 2021-07-11 18:47:58.253406613 +0200 @@ -1,8 +1,12 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share -profile postgresql_akonadi { +@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/ + +profile postgresql_akonadi flags=(attach_disconnected) { #include #include #include 
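Review bot: The `flags=(attach_disconnected)` added to the `profile postgresql_akonadi` line in the first postgresql_akonadi hunk carries no comment, and the commit description does not mention it. With this flag, paths the kernel cannot resolve from the namespace root are mediated as if they began at `/`, which relaxes path matching for the whole profile, so a maintainer should be able to see why it is needed. I would add a comment above the profile line such as `# attach_disconnected: required for <object postgres reaches through a disconnected path>` and tie it to the `deny / rw,` rule added in the next hunk. The profile body continues outside this hunk.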
@@ -15,27 +19,30 @@ profile postgresql_akonadi { signal receive set=kill peer=/usr/bin/akonadiserver, signal receive set=term peer=/usr/bin/akonadiserver, + deny / rw, # disconnected path + /etc/passwd r, /{usr/,}bin/{b,d}ash mrix, /{usr/,}bin/locale mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix, + @{postgresqlpath}/bin/initdb mrix, + @{postgresqlpath}/bin/pg_ctl mrix, + @{postgresqlpath}/bin/postgres mrix, /usr/share/postgresql/** r, + /usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing? owner /dev/shm/PostgreSQL.* rw, owner @{xdg_data_home}/akonadi/** rwlk, owner @{xdg_data_home}/akonadi/db_data/** l, owner /{,var/}run/user/@{uid}/akonadi** rwk, # pg_upgrade - /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix, + @{postgresqlpath}/bin/pg_upgrade mrix, /opt/pgsql*/** mr, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix, + @{postgresqlpath}/bin/pg_controldata mrix, + @{postgresqlpath}/bin/pg_resetwal mrix, + @{postgresqlpath}/bin/pg_dumpall mrix, + @{postgresqlpath}/bin/pg_dump mrix, + @{postgresqlpath}/bin/vacuumdb mrix, + @{postgresqlpath}/bin/psql mrix, + @{postgresqlpath}/bin/pg_restore mrix, /{usr/,}bin/cp mrix, } Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver =================================================================== --- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver 2021-06-08 21:02:40.000000000 +0200 +++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver 2021-07-11 18:49:46.837184405 +0200 
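Review bot: The new `@{postgresqlpath}/bin/pg_upgrade mrix,` rule also matches `/opt/pgsql*/bin/pg_upgrade`, which the replaced rule `/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,` did not, so the variable substitution is not a pure refactor. The same widening applies to the `@{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi,` rule in the last usr.bin.akonadiserver hunk. If this is intended, the description should say so; otherwise keep a narrower alternation for pg_upgrade. Separately, the trailing `# use globbing?` on the `timezonesets/Default` rule is an open question that should be settled, or reworded as a statement of why the rule names a single file, before this is merged.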
@@ -1,9 +1,13 @@ +abi , + #include @{xdg_data_home}=@{HOME}/.local/share @{xdg_config_home}=@{HOME}/.config +@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/ + /usr/bin/akonadiserver { #include #include @@ -37,6 +41,7 @@ /etc/xdg/** r, /usr/bin/akonadiserver mr, /usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx, + /usr/lib{,64}/libexec/drkonqi PUx, /usr/bin/mariadb-admin PUx -> mariadbd_akonadi, /usr/bin/mariadb-check PUx -> mariadbd_akonadi, /usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi, @@ -45,14 +50,18 @@ /usr/bin/mysqladmin PUx -> mysqld_akonadi, /usr/bin/mysqlcheck PUx -> mysqld_akonadi, /usr/{,s}bin/mysqld PUx -> mysqld_akonadi, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi, - /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi, - /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi, + @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi, + @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi, + @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi, + /usr/local/share/mime/mime.cache r, + /usr/local/share/mime/types r, /usr/sbin/mysqld PUx -> mysqld_akonadi, + /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /usr/share/mime/mime.cache r, /usr/share/mime/packages/ r, /usr/share/mime/types r, - /usr/share/qt/translations/* r, + /usr/share/qt5/qtlogging.ini r, + /usr/share/qt{,5}/translations/* r, /usr/share/mysql/** r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r,
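Review bot: `@{postgresqlpath}` is defined in the first usr.bin.akonadiserver hunk with the same value list as in postgresql_akonadi, and nothing in either file says the two definitions belong together. If they drift apart, akonadiserver could be allowed to transition on a binary path that the postgresql_akonadi profile does not cover, or the reverse. A comment on each definition, for example `# keep in sync with @{postgresqlpath} in apparmor/postgresql_akonadi`, would make the coupling visible.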
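Review bot: The context line `/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,` in the second usr.bin.akonadiserver hunk names `mariaddbd_akonadi` (double `d`), while the neighbouring rules and the profile file patched above use `mariadbd_akonadi`. Because `PUx` falls back to unconfined execution when the target profile is not loaded, this misspelling most likely lets mariadb-install-db run without confinement when started by akonadiserver. The commit touches this block but leaves the line unchanged; it should read `/usr/bin/mariadb-install-db PUx -> mariadbd_akonadi,`.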