From 69de16f7fa29c78a6b3894d977ebad10b8520d1c3f0c385568a51c74248dcbab Mon Sep 17 00:00:00 2001
From: Dirk Stoecker
Date: Sat, 24 Oct 2020 11:33:25 +0000
Subject: [PATCH] Accepting request 843706 from home:darix:playground
- update apparmor profiles to get warning free again on 15.2
 - use abstractions for ssl files
 - allow inet dgram sockets as mumble can also work via udp
 - allow netlink socket (probably for dbus)
 - properly allow lsb_release again
 - add support for optional local include
- start murmurd directly as user mumble-server it gets rid of the dac_override/setgid/setuid/chown permissions
OBS-URL: https://build.opensuse.org/request/show/843706
OBS-URL: https://build.opensuse.org/package/show/games:tools/mumble?expand=0&rev=126
---
 mumble-server.service | 2 ++
 mumble.changes | 13 +++++++++++++
 murmur.apparmor | 32 ++++++++++++--------------------
 3 files changed, 27 insertions(+), 20 deletions(-)
diff --git a/mumble-server.service b/mumble-server.service
index e188792..52f5726 100644
--- a/mumble-server.service
+++ b/mumble-server.service
@@ -14,6 +14,8 @@ Requires=var-run.mount network.target remote-fs.target time-sync.target
 After=var-run.mount network.target remote-fs.target time-sync.target mysql.target
 [Service]
+User=mumble-server
+Group=mumble-server
 ExecStart=/usr/sbin/murmurd -fg -ini /etc/mumble-server.ini
 [Install]
diff --git a/mumble.changes b/mumble.changes
index 229592c..eef2cdc 100644
--- a/mumble.changes
+++ b/mumble.changes
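Review bot: With `User=mumble-server` and `Group=mumble-server` the unit starts murmurd without any capabilities, yet the same commit keeps `capability sys_resource,` in murmur.apparmor with the comment that it is needed for real-time scheduling of the mixer threads. An AppArmor capability rule only permits use of a capability the process already holds, so that rule is presumably inert now and the real-time setup may fail quietly. If real-time priority is still wanted, grant it in [Service] with a `LimitRTPRIO=` setting (or `AmbientCapabilities=CAP_SYS_RESOURCE` if the limit really has to be raised at run time); otherwise drop the profile rule. It is also worth confirming that the pid file, log and database paths set in /etc/mumble-server.ini (not shown here) are already owned by mumble-server, for example via `RuntimeDirectory=`, since nothing runs as root to create them any more.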
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Oct 24 02:05:14 UTC 2020 - Marcus Rueckert
+
+- update apparmor profiles to get warning free again on 15.2
+ - use abstractions for ssl files
+ - allow inet dgram sockets as mumble can also work via udp
+ - allow netlink socket (probably for dbus)
+ - properly allow lsb_release again
+ - add support for optional local include
+- start murmurd directly as user mumble-server it gets rid of the
+ dac_override/setgid/setuid/chown permissions
+
+-------------------------------------------------------------------
 Mon Oct 05 19:58:21 UTC 2020 - Markus Ebner - Update to upstream version 1.3.3
diff --git a/murmur.apparmor b/murmur.apparmor
index 6302e33..0cd3b40 100644
--- a/murmur.apparmor
+++ b/murmur.apparmor
@@ -8,23 +8,14 @@ profile murmurd /usr/sbin/murmurd {
 #include
 #include
- /etc/ssl/certs/** r,
- deny /usr/share/ssl/ r,
- deny /usr/share/ssl/** r,
-
-# FIXME: mumble has weird capability handling. None of the first four should be
-# needed if the code is adjusted
- capability dac_override,
- capability setgid,
- capability setuid,
- capability chown,
-
-# needed for real time scheduling of the mixer threads
+ # needed for real time scheduling of the mixer threads
 capability sys_resource,
-# not needed anymore
-# capability net_admin,
+ network inet dgram,
 network inet stream,
+ network netlink,
+
+ /usr/share/icu/*/icu*.dat r,
 /etc/mumble-server.ini rk,
 /usr/bin/lsb_release cx,
@@ -37,14 +28,15 @@ profile murmurd /usr/sbin/murmurd {
 #include
 #include
- /{usr/,}bin/bash r,
+ /{usr/,}bin/bash rm,
 /proc/meminfo r,
- /usr/bin/getopt rix,
- /usr/bin/head rix,
- /usr/bin/grep rix,
- /usr/bin/sed rix,
- /usr/bin/cut rix,
+ /usr/bin/getopt rmix,
+ /usr/bin/head rmix,
+ /usr/bin/grep rmix,
+ /usr/bin/sed rmix,
+ /usr/bin/cut rmix,
 /usr/bin/lsb_release r,
 /etc/SuSE-release r,
 }
+ #include if exists
 }
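Review bot: `network netlink,` is added without a socket type, so it allows every netlink socket type, and the changelog itself says the need is only "probably for dbus". Narrow it to what the denial log actually shows, most likely `network netlink raw,`, and record the consumer next to it, e.g. `# netlink: needed by <component>, seen in audit log`. The two `#include` lines at the top of the hunk have lost their arguments on this page, so it is not visible whether an included abstraction already grants netlink, or whether the ssl abstraction that replaces the removed `/etc/ssl/certs/** r,` rule is really pulled in. Both should be checked against the full profile, which continues outside this hunk.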
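Review bot: The five near-identical rules from `/usr/bin/getopt rmix,` to `/usr/bin/cut rmix,` could be a single alternation, `/usr/bin/{getopt,head,grep,sed,cut} rmix,`, in the same style as the `/{usr/,}bin/bash` rule above them, so the permission set for the helper tools is kept in one place. The added `#include if exists` line (its path is missing on this page) sits after the inner closing brace, so local rules appear to extend only the main murmurd profile and not the child profile used for lsb_release. A comment such as `# site-local additions; root-owned file; applies to murmurd only` would make that scope explicit. The child profile opens outside this hunk, so its header is not visible here.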