diff --git a/0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff b/0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
new file mode 100644
index 0000000..583fc62
--- /dev/null
+++ b/0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
@@ -0,0 +1,28 @@
+From d2a97b874e55ad156781a2762ff32ae9566de495 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 24 Mar 2011 09:04:53 +0100
+Subject: [PATCH mumble] if service name is empty don't pass an empty string
+
+DNSServiceRegister uses the local host name if the name is NULL but does nothing if it's empty
+---
+ src/bonjour/bonjourserviceregister.cpp | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/src/bonjour/bonjourserviceregister.cpp b/src/bonjour/bonjourserviceregister.cpp
+index a818d8c..5f82779 100644
+--- a/src/bonjour/bonjourserviceregister.cpp
++++ b/src/bonjour/bonjourserviceregister.cpp
+@@ -53,7 +53,9 @@ void BonjourServiceRegister::registerService(const BonjourRecord &record, quint1
+ }
+ #endif
+
+- DNSServiceErrorType err = DNSServiceRegister(&dnssref, 0, 0, record.serviceName.toUtf8().constData(),
++ DNSServiceErrorType err = DNSServiceRegister(&dnssref, 0, 0,
++ record.serviceName.isEmpty() ? 0
++ : record.serviceName.toUtf8().constData(),
+ record.registeredType.toUtf8().constData(),
+ record.replyDomain.isEmpty() ? 0
+ : record.replyDomain.toUtf8().constData(), 0,
+--
+1.7.3.4
+
diff --git a/0001-remove-CAP_NET_ADMIN.diff b/0001-remove-CAP_NET_ADMIN.diff
new file mode 100644
index 0000000..42fcb4c
--- /dev/null
+++ b/0001-remove-CAP_NET_ADMIN.diff
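Review bot: In the bonjourserviceregister.cpp patch, the new `record.serviceName.isEmpty() ? 0 : …` argument changes what is announced, not only whether registration succeeds: per the patch description a NULL name makes DNSServiceRegister use the local host name, so a server with no configured name now publishes the machine's host name on the local network. That deserves a comment at the call, e.g. `// NULL (not "") makes DNSServiceRegister advertise under the local host name`, and a line in the server documentation so operators who do not want the host name published set a name explicitly. The literal `0` matches the existing `replyDomain` argument, so the style is consistent. registerService's body starts and ends outside the hunk, so how `err` is handled cannot be checked from this page.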
@@ -0,0 +1,26 @@
+From 6b365d33f10a9c4376bed058330d243c514b94a1 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 24 Mar 2011 14:29:35 +0100
+Subject: [PATCH mumble] remove CAP_NET_ADMIN
+
+QoS settings do not need CAP_NET_ADMIN anymore
+---
+ src/murmur/UnixMurmur.cpp | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/murmur/UnixMurmur.cpp b/src/murmur/UnixMurmur.cpp
+index 9becf63..9e1c81c 100644
+--- a/src/murmur/UnixMurmur.cpp
++++ b/src/murmur/UnixMurmur.cpp
+@@ -288,7 +288,7 @@ void UnixMurmur::initialcap() {
+
+ void UnixMurmur::finalcap() {
+ #ifdef Q_OS_LINUX
+- cap_value_t caps[] = {CAP_NET_ADMIN, CAP_SYS_RESOURCE};
++ cap_value_t caps[] = {CAP_SYS_RESOURCE};
+ struct rlimit r;
+
+ if (! bRoot)
+--
+1.7.3.4
+
diff --git a/mumble.changes b/mumble.changes
index 6d2ffd8..fbc967e 100644
--- a/mumble.changes
+++ b/mumble.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Mar 24 13:43:05 UTC 2011 - lnussel@suse.de
+
+- add apparmor profile
+
+-------------------------------------------------------------------
+Wed Mar 23 17:26:38 UTC 2011 - lnussel@suse.de
+
+- fix bonjour registration
+
 -------------------------------------------------------------------
 Tue Mar 8 16:07:54 UTC 2011 - lnussel@suse.de
 
diff --git a/mumble.spec b/mumble.spec
index ce2bcbc..69c72ed 100644
--- a/mumble.spec
+++ b/mumble.spec
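Review bot: In the UnixMurmur.cpp patch, `caps[]` in finalcap() shrinks from two entries to one while the code that consumes the array lies outside the hunk, so any hard-coded element count or index there should be rechecked against the new length. Dropping CAP_NET_ADMIN is the right direction for least privilege, but the claim that QoS no longer needs it cannot be verified from this page; on Linux, setting SO_PRIORITY above 6 still requires that capability, so confirm the server's socket setup stays within that range and logs a failed setsockopt rather than ignoring it. A comment such as `// CAP_SYS_RESOURCE: real-time scheduling limits; QoS no longer needs CAP_NET_ADMIN` would record why the retained set is this small.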
@@ -95,9 +95,12 @@ Source: http://downloads.sourceforge.net/project/mumble/Mumble/%{version
 Source1: http://downloads.sourceforge.net/project/mumble/Mumble/%{version}/mumble-%{version}.tar.gz.sig
 %endif
 Source2: mumble-server.init
+Source3: murmur.apparmor
 Patch0: 0001-fix-build-error-with-capability.h.diff
 Patch1: 0001-fix-user-switching.diff
 Patch2: 0001-open-log-file-early-so-log-dir-can-be-root-owned.diff
+Patch3: 0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
+Patch4: 0001-remove-CAP_NET_ADMIN.diff
 Patch50: mumble-1.2.2-buildcompare.diff
 # hack, no clue about glx so no idea to fix this properly
 Patch99: mumble-1.1.4-sle10glx.diff
@@ -164,6 +167,8 @@ won't be audible to other players.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 # %patch50 -p1 %if 0%{?suse_version} && 0%{?suse_version} < 1020
@@ -310,6 +315,11 @@ install -D -m 0755 release/mumble11x %{buildroot}%{_bindir}/mumble11x
 # server
 install -D -m 0755 release/murmurd "%{buildroot}%{_sbindir}/murmurd"
 install -D -m 0755 %{SOURCE2} %{buildroot}/etc/init.d/mumble-server
+install -D -m 0755 %{SOURCE3} %{buildroot}/etc/apparmor.d/usr.sbin.murmurd
+install -d -m 0755 %{buildroot}%{_bindir}
+# can be launched as user too but apparmor profile doesn't make
+# sense in that case. So use link to avoid the profile.
+ln -s %{_sbindir}/murmurd %{buildroot}%{_bindir}/murmurd
 ln -s /etc/init.d/mumble-server %{buildroot}%{_sbindir}/rcmumble-server
 install -D -m 0644 scripts/murmur.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/mumble-server.conf
 install -D -m 0644 scripts/murmur.ini %{buildroot}%{_sysconfdir}/mumble-server.ini
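Review bot: The AppArmor profile is installed with `-m 0755` in the third mumble.spec hunk, but it is a policy text file and not an executable; `install -D -m 0644 %{SOURCE3} %{buildroot}/etc/apparmor.d/usr.sbin.murmurd` is the mode to use. The added comment also relies on the `%{_bindir}/murmurd` symlink to run without the profile; AppArmor normally attaches a profile by the resolved path of the executable, so a start through the symlink probably still lands in the `/usr/sbin/murmurd` profile, which should be tested. If a user-mode start really is meant to be exempt, the comment should say how that is achieved and that it is a deliberate exception to the confinement.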
@@ -404,8 +414,11 @@ getent passwd mumble-server >/dev/null || \
 %config %{_sysconfdir}/dbus-1/system.d/mumble-server.conf
 %config(noreplace) %{_sysconfdir}/mumble-server.ini
 /etc/init.d/mumble-server
+%dir /etc/apparmor.d
+/etc/apparmor.d/usr.sbin.murmurd
 %{_sbindir}/rcmumble-server
 %{_sbindir}/murmurd
+%{_bindir}/murmurd
 %{_bindir}/murmur-user-wrapper
 %{_mandir}/man1/murmurd.*
 %{_mandir}/man1/murmur-user-wrapper.*
diff --git a/murmur.apparmor b/murmur.apparmor
new file mode 100644
index 0000000..a23d7a6
--- /dev/null
+++ b/murmur.apparmor
@@ -0,0 +1,49 @@
+# Last Modified: Thu Mar 24 13:33:08 2011
+#include
+
+/usr/sbin/murmurd {
+ #include
+ #include
+ #include
+ #include
+
+ /etc/ssl/certs/** r,
+ deny /usr/share/ssl/ r,
+ deny /usr/share/ssl/** r,
+
+# FIXME: mumble has weird capability handling. None of the first four should be
+# needed if the code is adjusted
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability chown,
+
+# needed for real time scheduling of the mixer threads
+ capability sys_resource,
+# not needed anymore
+# capability net_admin,
+
+ network inet stream,
+
+ /etc/mumble-server.ini rk,
+ /usr/bin/lsb_release cx,
+ /var/lib/mumble-server/ rwk,
+ /var/lib/mumble-server/** rwk,
+ /var/log/mumble-server/murmur.log w,
+ /var/run/mumble-server/mumble-server.pid w,
+
+ profile /usr/bin/lsb_release {
+ #include
+ #include
+
+ /bin/bash r,
+ /proc/meminfo r,
+ /usr/bin/getopt rix,
+ /usr/bin/head rix,
+ /bin/grep rix,
+ /bin/sed rix,
+ /usr/bin/cut rix,
+ /usr/bin/lsb_release r,
+ /etc/SuSE-release r,
+ }
+}
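Review bot: `/etc/apparmor.d/usr.sbin.murmurd` is added to %files without a `%config` marker, unlike the two `%config` entries at the top of this hunk, so a package update replaces a locally adjusted profile without keeping a copy. Listing it as `%config /etc/apparmor.d/usr.sbin.murmurd` preserves an edited profile as `.rpmsave` while still delivering profile fixes from the package. The %files section starts and ends outside the hunk.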
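Review bot: The only explicit network rule in the `/usr/sbin/murmurd` profile is `network inet stream,`, which covers IPv4 TCP only; UDP and IPv6 sockets then depend on whatever the included abstractions grant, and the include names are not visible in this rendering. If the server is meant to use them, state it in the profile itself (`network inet dgram,`, `network inet6 stream,`, `network inet6 dgram,`) so that the confinement does not change when an abstraction does. The FIXME on the first four capabilities should carry a tracking reference: `dac_override` in particular bypasses file-permission checks, which leaves the profile's path rules as the only file-access control on the confined process.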