774828ac6f
- Install AppArmor profiles (as -apparmor subpackage) - add akonadi-apparmor-opensuse.diff to adjust the profiles to openSUSE paths, and to add 'abi' rules to the profiles Thanks for the quick review in SR 897569. This SR should fix the issues you noticed. Another diff to SR 897569 is that I added 'abi' rules to the profiles to ensure that all AppArmor features get enforced. Original description (from SR 897569): Note: The akonadi-server-apparmor package will _not_ be installed automatically, so users will have to explicitely install it if they want to use the AppArmor profiles for akonadi-server. I tested the profiles with my setup (which is using the system-wide mariadb with akonadi), other setups might need some adjustments. My proposal is: As soon as this change reaches Tumbleweed, let's send out a call for testing on the factory mailinglist (I can do that, unless you want to do it yourself). I'll update the profiles as needed (as bugreports come in) so that they work with mariadb and postgresql, with the goal to have profiles that "just work". To get started, I added a patch with some profile additions (openSUSE and Debian paths somewhat differ). When the dust/bugreports settles, we should of course get the patch upstream. (I can probably do that, but might need some help - it's been a long time since I last submitted a patch to one of the KDE repos.) If you want to test yourself, note that you'll need to restart akonadi to actually enable the AppArmor confinement. OBS-URL: https://build.opensuse.org/request/show/897736 OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=279
71 lines
2.4 KiB
Diff
71 lines
2.4 KiB
Diff
Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
|
|
|
|
From: Christian Boltz <suse-beta@cboltz.de>
|
|
|
|
- add paths to match the openSUSE file location
|
|
- add 'abi' rules to enable and enforce all AppArmor features
|
|
|
|
|
|
Index: b/apparmor/mariadbd_akonadi
|
|
===================================================================
|
|
--- a/apparmor/mariadbd_akonadi 2021-04-22 18:21:40.000000000 +0200
|
|
+++ b/apparmor/mariadbd_akonadi 2021-06-05 18:47:31.029159467 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
Index: b/apparmor/mysqld_akonadi
|
|
===================================================================
|
|
--- a/apparmor/mysqld_akonadi 2021-04-22 18:21:40.000000000 +0200
|
|
+++ b/apparmor/mysqld_akonadi 2021-06-05 18:47:36.609147822 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
Index: b/apparmor/postgresql_akonadi
|
|
===================================================================
|
|
--- a/apparmor/postgresql_akonadi 2021-04-22 18:21:40.000000000 +0200
|
|
+++ b/apparmor/postgresql_akonadi 2021-06-05 18:47:38.149144609 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
Index: b/apparmor/usr.bin.akonadiserver
|
|
===================================================================
|
|
--- a/apparmor/usr.bin.akonadiserver 2021-04-22 18:21:40.000000000 +0200
|
|
+++ b/apparmor/usr.bin.akonadiserver 2021-06-05 18:47:44.697130942 +0200
|
|
@@ -1,3 +1,5 @@
|
|
+abi <abi/3.0>,
|
|
+
|
|
#include <tunables/global>
|
|
|
|
@{xdg_data_home}=@{HOME}/.local/share
|
|
@@ -37,6 +39,7 @@
|
|
/etc/xdg/** r,
|
|
/usr/bin/akonadiserver mr,
|
|
/usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
|
|
+ /usr/lib{,64}/libexec/drkonqi PUx,
|
|
/usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
|
|
/usr/bin/mariadb-check PUx -> mariadbd_akonadi,
|
|
/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
|
|
@@ -49,10 +52,12 @@
|
|
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
|
|
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
|
|
/usr/sbin/mysqld PUx -> mysqld_akonadi,
|
|
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
|
|
/usr/share/mime/mime.cache r,
|
|
/usr/share/mime/packages/ r,
|
|
/usr/share/mime/types r,
|
|
- /usr/share/qt/translations/* r,
|
|
+ /usr/share/qt5/qtlogging.ini r,
|
|
+ /usr/share/qt{,5}/translations/* r,
|
|
/usr/share/mysql/** r,
|
|
@{PROC}/sys/kernel/core_pattern r,
|
|
@{PROC}/sys/kernel/random/boot_id r,
|