d430c9349b
- update akonadi-apparmor-opensuse.diff: add openSUSE Postgresql path in AppArmor profiles (and make it a variable to keep the profiles readable) and some more rules for Postgresql OBS-URL: https://build.opensuse.org/request/show/905693 OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=283
Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
|
|
|
|
From: Christian Boltz <suse-beta@cboltz.de>
|
|
|
|
* add paths to match the openSUSE file location
|
|
* use @{postgresqlpath} for the various postgresql paths (and add
|
|
/usr/lib/postgresql*[0-9]/ for openSUSE)
|
|
* add 'abi' rules to enable and enforce all AppArmor features
|
|
|
|
|
|
Index: akonadi-21.04.3/apparmor/mariadbd_akonadi
|
|
===================================================================
|
|
--- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi 2021-06-08 21:02:40.000000000 +0200
|
|
+++ akonadi-21.04.3/apparmor/mariadbd_akonadi 2021-07-11 18:47:18.489487989 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
Index: akonadi-21.04.3/apparmor/mysqld_akonadi
|
|
===================================================================
|
|
--- akonadi-21.04.3.orig/apparmor/mysqld_akonadi 2021-06-08 21:02:40.000000000 +0200
|
|
+++ akonadi-21.04.3/apparmor/mysqld_akonadi 2021-07-11 18:47:18.489487989 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
Index: akonadi-21.04.3/apparmor/postgresql_akonadi
|
|
===================================================================
|
|
--- akonadi-21.04.3.orig/apparmor/postgresql_akonadi 2021-06-08 21:02:40.000000000 +0200
|
|
+++ akonadi-21.04.3/apparmor/postgresql_akonadi 2021-07-11 18:47:58.253406613 +0200
|
|
@@ -1,8 +1,12 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
|
|
-profile postgresql_akonadi {
|
|
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
|
|
+
|
|
+profile postgresql_akonadi flags=(attach_disconnected) {
|
|
#include <abstractions/base>
|
|
#include <abstractions/bash>
|
|
#include <abstractions/consoles>
|
|
@@ -15,27 +19,30 @@ profile postgresql_akonadi {
|
|
signal receive set=kill peer=/usr/bin/akonadiserver,
|
|
signal receive set=term peer=/usr/bin/akonadiserver,
|
|
|
|
+ deny / rw, # disconnected path
|
|
+
|
|
/etc/passwd r,
|
|
/{usr/,}bin/{b,d}ash mrix,
|
|
/{usr/,}bin/locale mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
|
|
+ @{postgresqlpath}/bin/initdb mrix,
|
|
+ @{postgresqlpath}/bin/pg_ctl mrix,
|
|
+ @{postgresqlpath}/bin/postgres mrix,
|
|
/usr/share/postgresql/** r,
|
|
+ /usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing?
|
|
owner /dev/shm/PostgreSQL.* rw,
|
|
owner @{xdg_data_home}/akonadi/** rwlk,
|
|
owner @{xdg_data_home}/akonadi/db_data/** l,
|
|
owner /{,var/}run/user/@{uid}/akonadi** rwk,
|
|
|
|
# pg_upgrade
|
|
- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
|
|
+ @{postgresqlpath}/bin/pg_upgrade mrix,
|
|
/opt/pgsql*/** mr,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
|
|
+ @{postgresqlpath}/bin/pg_controldata mrix,
|
|
+ @{postgresqlpath}/bin/pg_resetwal mrix,
|
|
+ @{postgresqlpath}/bin/pg_dumpall mrix,
|
|
+ @{postgresqlpath}/bin/pg_dump mrix,
|
|
+ @{postgresqlpath}/bin/vacuumdb mrix,
|
|
+ @{postgresqlpath}/bin/psql mrix,
|
|
+ @{postgresqlpath}/bin/pg_restore mrix,
|
|
/{usr/,}bin/cp mrix,
|
|
}
|
|
Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver
|
|
===================================================================
|
|
--- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver 2021-06-08 21:02:40.000000000 +0200
|
|
+++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver 2021-07-11 18:49:46.837184405 +0200
|
|
@@ -1,9 +1,13 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
|
|
@{xdg_config_home}=@{HOME}/.config
|
|
|
|
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
|
|
+
|
|
/usr/bin/akonadiserver {
|
|
#include <abstractions/base>
|
|
#include <abstractions/consoles>
|
|
@@ -37,6 +41,7 @@
|
|
/etc/xdg/** r,
|
|
/usr/bin/akonadiserver mr,
|
|
/usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
|
|
+ /usr/lib{,64}/libexec/drkonqi PUx,
|
|
/usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
|
|
/usr/bin/mariadb-check PUx -> mariadbd_akonadi,
|
|
/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
|
|
@@ -45,14 +50,18 @@
|
|
/usr/bin/mysqladmin PUx -> mysqld_akonadi,
|
|
/usr/bin/mysqlcheck PUx -> mysqld_akonadi,
|
|
/usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
|
|
- /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
|
|
- /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
|
|
+ @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi,
|
|
+ @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi,
|
|
+ @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi,
|
|
+ /usr/local/share/mime/mime.cache r,
|
|
+ /usr/local/share/mime/types r,
|
|
/usr/sbin/mysqld PUx -> mysqld_akonadi,
|
|
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
|
/usr/share/mime/mime.cache r,
|
|
/usr/share/mime/packages/ r,
|
|
/usr/share/mime/types r,
|
|
- /usr/share/qt/translations/* r,
|
|
+ /usr/share/qt5/qtlogging.ini r,
|
|
+ /usr/share/qt{,5}/translations/* r,
|
|
/usr/share/mysql/** r,
|
|
@{PROC}/sys/kernel/core_pattern r,
|
|
@{PROC}/sys/kernel/random/boot_id r,
|
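Review bot: In the `@@ -37,6 +41,7 @@` hunk of usr.bin.akonadiserver, the context line `/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,` names a profile that does not exist anywhere in this patch set — the two rules directly above it transition to `mariadbd_akonadi`, so this looks like a pre-existing typo that the commit leaves in place. Because the rule uses `PUx`, the likely effect is that mariadb-install-db is executed unconfined instead of under the mariadbd profile (the exact fallback for a missing target should be confirmed against the parser in use), which silently widens what the database bootstrap step may touch; the fix is `/usr/bin/mariadb-install-db PUx -> mariadbd_akonadi,`. Separately, the added `/usr/share/postgresql*[0-9]/timezonesets/Default r, # use globbing?` in postgresql_akonadi ships an open question inside the profile; the narrow rule is the tighter choice, so I would resolve the comment rather than widen the path, e.g. `# versioned share dir on openSUSE; deliberately narrower than /usr/share/postgresql/**`.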