akonadi-server/akonadi-apparmor-opensuse.diff
Luca Beltrame 774828ac6f Accepting request 897736 from home:cboltz:branches:KDE:Applications
- Install AppArmor profiles (as -apparmor subpackage)
- add akonadi-apparmor-opensuse.diff to adjust the profiles to
  openSUSE paths, and to add 'abi' rules to the profiles



Thanks for the quick review in SR 897569. This SR should fix the issues you
noticed.

Another diff to SR 897569 is that I added 'abi' rules to the profiles to ensure
that all AppArmor features get enforced.



Original description (from SR 897569):

Note: The akonadi-server-apparmor package will _not_ be installed
automatically, so users will have to explicitely install it if they want
to use the AppArmor profiles for akonadi-server.

I tested the profiles with my setup (which is using the system-wide
mariadb with akonadi), other setups might need some adjustments.

My proposal is: As soon as this change reaches Tumbleweed, let's send
out a call for testing on the factory mailinglist (I can do that, unless
you want to do it yourself).

I'll update the profiles as needed (as bugreports come in) so that they
work with mariadb and postgresql, with the goal to have profiles that
"just work".

To get started, I added a patch with some profile additions (openSUSE
and Debian paths somewhat differ). When the dust/bugreports settles, we
should of course get the patch upstream. (I can probably do that, but
might need some help - it's been a long time since I last submitted a
patch to one of the KDE repos.)

If you want to test yourself, note that you'll need to restart akonadi
to actually enable the AppArmor confinement.

OBS-URL: https://build.opensuse.org/request/show/897736
OBS-URL: https://build.opensuse.org/package/show/KDE:Applications/akonadi-server?expand=0&rev=279
2021-06-08 12:04:10 +00:00

71 lines
2.4 KiB
Diff

Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0
From: Christian Boltz <suse-beta@cboltz.de>
- add paths to match the openSUSE file location
- add 'abi' rules to enable and enforce all AppArmor features
Index: b/apparmor/mariadbd_akonadi
===================================================================
--- a/apparmor/mariadbd_akonadi 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/mariadbd_akonadi 2021-06-05 18:47:31.029159467 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/mysqld_akonadi
===================================================================
--- a/apparmor/mysqld_akonadi 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/mysqld_akonadi 2021-06-05 18:47:36.609147822 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/postgresql_akonadi
===================================================================
--- a/apparmor/postgresql_akonadi 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/postgresql_akonadi 2021-06-05 18:47:38.149144609 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
Index: b/apparmor/usr.bin.akonadiserver
===================================================================
--- a/apparmor/usr.bin.akonadiserver 2021-04-22 18:21:40.000000000 +0200
+++ b/apparmor/usr.bin.akonadiserver 2021-06-05 18:47:44.697130942 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
@@ -37,6 +39,7 @@
/etc/xdg/** r,
/usr/bin/akonadiserver mr,
/usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
+ /usr/lib{,64}/libexec/drkonqi PUx,
/usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
/usr/bin/mariadb-check PUx -> mariadbd_akonadi,
/usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
@@ -49,10 +52,12 @@
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
/usr/sbin/mysqld PUx -> mysqld_akonadi,
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
/usr/share/mime/mime.cache r,
/usr/share/mime/packages/ r,
/usr/share/mime/types r,
- /usr/share/qt/translations/* r,
+ /usr/share/qt5/qtlogging.ini r,
+ /usr/share/qt{,5}/translations/* r,
/usr/share/mysql/** r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,