Accepting request 843706 from home:darix:playground

- update apparmor profiles to get warning free again on 15.2 - use abstractions for ssl files - allow inet dgram sockets as mumble can also work via udp - allow netlink socket (probably for dbus) - properly allow lsb_release again - add support for optional local include - start murmurd directly as user mumble-server it gets rid of the dac_override/setgid/setuid/chown permissions OBS-URL: https://build.opensuse.org/request/show/843706 OBS-URL: https://build.opensuse.org/package/show/games:tools/mumble?expand=0&rev=126
2020-10-24 11:33:25 +00:00 · 2020-10-24 11:33:25 +00:00 · 69de16f7fa
commit 69de16f7fa
parent c2b1bf66c8
3 changed files with 27 additions and 20 deletions
--- a/mumble-server.service
+++ b/mumble-server.service
@ -14,6 +14,8 @@ Requires=var-run.mount network.target remote-fs.target time-sync.target
 After=var-run.mount network.target remote-fs.target time-sync.target mysql.target

 [Service]
+User=mumble-server
+Group=mumble-server
 ExecStart=/usr/sbin/murmurd -fg -ini /etc/mumble-server.ini

 [Install]
--- a/mumble.changes
+++ b/mumble.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Oct 24 02:05:14 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- update apparmor profiles to get warning free again on 15.2
+  - use abstractions for ssl files
+  - allow inet dgram sockets as mumble can also work via udp
+  - allow netlink socket (probably for dbus)
+  - properly allow lsb_release again
+  - add support for optional local include
+- start murmurd directly as user mumble-server it gets rid of the
+  dac_override/setgid/setuid/chown permissions
+
+-------------------------------------------------------------------
 Mon Oct 05 19:58:21 UTC 2020 - Markus Ebner <info@ebner-markus.de>

 - Update to upstream version 1.3.3
--- a/murmur.apparmor
+++ b/murmur.apparmor
@ -8,23 +8,14 @@ profile murmurd /usr/sbin/murmurd {
  #include <abstractions/ssl_certs>
  #include <abstractions/user-tmp>

-  /etc/ssl/certs/** r,
-  deny /usr/share/ssl/ r,
-  deny /usr/share/ssl/** r,
-
-# FIXME: mumble has weird capability handling. None of the first four should be
-# needed if the code is adjusted
-  capability dac_override,
-  capability setgid,
-  capability setuid,
-  capability chown,
-
-# needed for real time scheduling of the mixer threads
+  # needed for real time scheduling of the mixer threads
  capability sys_resource,
-# not needed anymore
-# capability net_admin,

+  network inet dgram,
  network inet stream,
+  network netlink,
+
+  /usr/share/icu/*/icu*.dat r,

  /etc/mumble-server.ini rk,
  /usr/bin/lsb_release cx,
@ -37,14 +28,15 @@ profile murmurd /usr/sbin/murmurd {
    #include <abstractions/base>
    #include <abstractions/consoles>

-    /{usr/,}bin/bash r,
+    /{usr/,}bin/bash rm,
    /proc/meminfo r,
-    /usr/bin/getopt rix,
-    /usr/bin/head rix,
-    /usr/bin/grep rix,
-    /usr/bin/sed rix,
-    /usr/bin/cut rix,
+    /usr/bin/getopt rmix,
+    /usr/bin/head rmix,
+    /usr/bin/grep rmix,
+    /usr/bin/sed rmix,
+    /usr/bin/cut rmix,
    /usr/bin/lsb_release r,
    /etc/SuSE-release r,
  }
+  #include if exists <local/usr.sbin.murmurd>
 }