- add apparmor profile
OBS-URL: https://build.opensuse.org/package/show/games:tools/mumble?expand=0&rev=13
parent
f73cd23d92
commit
e2822388d8
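--- a/0001-remove-CAP_NET_ADMIN.diff
+++ b/0001-remove-CAP_NET_ADMIN.diff
@@ -0,0 +1,26 @@
+From 6b365d33f10a9c4376bed058330d243c514b94a1 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 24 Mar 2011 14:29:35 +0100
+Subject: [PATCH mumble] remove CAP_NET_ADMIN
+
+QoS settings do not need CAP_NET_ADMIN anymore
+---
+src/murmur/UnixMurmur.cpp | 2 +-
+1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/murmur/UnixMurmur.cpp b/src/murmur/UnixMurmur.cpp
+index 9becf63..9e1c81c 100644
+--- a/src/murmur/UnixMurmur.cpp
++++ b/src/murmur/UnixMurmur.cpp
+@@ -288,7 +288,7 @@ void UnixMurmur::initialcap() {
+
+void UnixMurmur::finalcap() {
+#ifdef Q_OS_LINUX
+- cap_value_t caps[] = {CAP_NET_ADMIN, CAP_SYS_RESOURCE};
++ cap_value_t caps[] = {CAP_SYS_RESOURCE};
+struct rlimit r;
+
+if (! bRoot)
+--
+1.7.3.4
+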
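Review bot: The patch description gives no basis for "QoS settings do not need CAP_NET_ADMIN anymore", and the only line it touches is the `caps[]` initializer in `finalcap()`, so a reader cannot tell which kernel behaviour the change relies on. socket(7) still documents that SO_PRIORITY values outside 0–6 require CAP_NET_ADMIN, and the spec on this page keeps `suse_version < 1020` conditionals for old targets, so it is worth confirming that no QoS setsockopt call is left failing silently once the capability is dropped. After that is verified I would extend the description, for example `QoS (IP_TOS) needs no CAP_NET_ADMIN on kernels >= <MIN_KERNEL_VERSION>; a failing setsockopt is logged and ignored`. The body of `finalcap()` continues outside the hunk, so how `caps` is applied is not visible here.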
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 24 13:43:05 UTC 2011 - lnussel@suse.de
|
||||
|
||||
- add apparmor profile
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 23 17:26:38 UTC 2011 - lnussel@suse.de
|
||||
|
||||
|
11
mumble.spec
11
mumble.spec
@ -95,10 +95,12 @@ Source: http://downloads.sourceforge.net/project/mumble/Mumble/%{version
|
||||
Source1: http://downloads.sourceforge.net/project/mumble/Mumble/%{version}/mumble-%{version}.tar.gz.sig
|
||||
%endif
|
||||
Source2: mumble-server.init
|
||||
Source3: murmur.apparmor
|
||||
Patch0: 0001-fix-build-error-with-capability.h.diff
|
||||
Patch1: 0001-fix-user-switching.diff
|
||||
Patch2: 0001-open-log-file-early-so-log-dir-can-be-root-owned.diff
|
||||
Patch3: 0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
|
||||
Patch4: 0001-remove-CAP_NET_ADMIN.diff
|
||||
Patch50: mumble-1.2.2-buildcompare.diff
|
||||
# hack, no clue about glx so no idea to fix this properly
|
||||
Patch99: mumble-1.1.4-sle10glx.diff
|
||||
@ -166,6 +168,7 @@ won't be audible to other players.
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
#
|
||||
%patch50 -p1
|
||||
%if 0%{?suse_version} && 0%{?suse_version} < 1020
|
||||
@ -312,6 +315,11 @@ install -D -m 0755 release/mumble11x %{buildroot}%{_bindir}/mumble11x
|
||||
# server
|
||||
install -D -m 0755 release/murmurd "%{buildroot}%{_sbindir}/murmurd"
|
||||
install -D -m 0755 %{SOURCE2} %{buildroot}/etc/init.d/mumble-server
|
||||
install -D -m 0755 %{SOURCE3} %{buildroot}/etc/apparmor.d/usr.sbin.murmurd
|
||||
install -d -m 0755 %{buildroot}%{_bindir}
|
||||
# can be launched as user too but apparmor profile doesn't make
|
||||
# sense in that case. So use link to avoid the profile.
|
||||
ln -s %{_sbindir}/murmurd %{buildroot}%{_bindir}/murmurd
|
||||
ln -s /etc/init.d/mumble-server %{buildroot}%{_sbindir}/rcmumble-server
|
||||
install -D -m 0644 scripts/murmur.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/mumble-server.conf
|
||||
install -D -m 0644 scripts/murmur.ini %{buildroot}%{_sysconfdir}/mumble-server.ini
|
||||
@ -406,8 +414,11 @@ getent passwd mumble-server >/dev/null || \
|
||||
%config %{_sysconfdir}/dbus-1/system.d/mumble-server.conf
|
||||
%config(noreplace) %{_sysconfdir}/mumble-server.ini
|
||||
/etc/init.d/mumble-server
|
||||
%dir /etc/apparmor.d
|
||||
/etc/apparmor.d/usr.sbin.murmurd
|
||||
%{_sbindir}/rcmumble-server
|
||||
%{_sbindir}/murmurd
|
||||
%{_bindir}/murmurd
|
||||
%{_bindir}/murmur-user-wrapper
|
||||
%{_mandir}/man1/murmurd.*
|
||||
%{_mandir}/man1/murmur-user-wrapper.*
|
||||
|
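Review bot: The `ln -s %{_sbindir}/murmurd %{buildroot}%{_bindir}/murmurd` line probably does not do what its comment says. As far as I know AppArmor attaches a profile by the resolved path of the executed file, so starting the server through the symlink should still land in the `/usr/sbin/murmurd` profile, and a user-mode instance would then be denied its own data and log paths. Please check with `aa-status` after launching via `%{_bindir}/murmurd`, then either correct the comment or handle the user case in the profile. Separately, the profile is installed with `-m 0755` and listed in `%files` without `%config`; `install -D -m 0644 %{SOURCE3} ...` and `%config /etc/apparmor.d/usr.sbin.murmurd` would keep it non-executable and stop package updates from silently discarding local adjustments.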
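--- a/murmur.apparmor
+++ b/murmur.apparmor
@@ -0,0 +1,48 @@
+# Last Modified: Thu Mar 24 13:33:08 2011
+#include <tunables/global>
+
+/usr/sbin/murmurd {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/ssl_certs>
+
+/etc/ssl/certs/** r,
+deny /usr/share/ssl/ r,
+deny /usr/share/ssl/** r,
+
+# FIXME: mumble has weird capability handling. None of the first four should be
+# needed if the code is adjusted
+capability dac_override,
+capability setgid,
+capability setuid,
+capability chown,
+
+# needed for real time scheduling of the mixer threads
+capability sys_resource,
+# not needed anymore
+# capability net_admin,
+
+network inet stream,
+
+/etc/mumble-server.ini rk,
+/usr/bin/lsb_release cx,
+/var/lib/mumble-server/ rwk,
+/var/lib/mumble-server/** rwk,
+/var/log/mumble-server/murmur.log w,
+/var/run/mumble-server/mumble-server.pid w,
+
+profile /usr/bin/lsb_release {
+#include <abstractions/base>
+#include <abstractions/consoles>
+
+/bin/bash r,
+/proc/meminfo r,
+/usr/bin/getopt rix,
+/usr/bin/head rix,
+/bin/grep rix,
+/bin/sed rix,
+/usr/bin/cut rix,
+/usr/bin/lsb_release r,
+/etc/SuSE-release r,
+}
+}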
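Review bot: The only explicit network rule is `network inet stream,`, which covers IPv4 TCP. Murmur's voice traffic is UDP and the server can listen on IPv6, so as written the profile appears to depend on `abstractions/nameservice` happening to grant datagram and inet6 sockets. I would state what the daemon itself needs rather than inherit it from an abstraction meant for name lookups: `network inet dgram,`, `network inet6 stream,`, `network inet6 dgram,`. The FIXME above `capability dac_override,` should also become a tracked item, since that capability bypasses file permission checks on every path the profile allows.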