From e2822388d8c42da621551726b3805278e4d5de8df6e5e1b34b252073f55d4278 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Thu, 24 Mar 2011 13:43:17 +0000
Subject: [PATCH] - add apparmor profile

OBS-URL: https://build.opensuse.org/package/show/games:tools/mumble?expand=0&rev=13
---
 0001-remove-CAP_NET_ADMIN.diff | 26 ++++++++++++++++++
 mumble.changes | 5 ++++
 mumble.spec | 11 ++++++++
 murmur.apparmor | 48 ++++++++++++++++++++++++++++++++++
 4 files changed, 90 insertions(+)
 create mode 100644 0001-remove-CAP_NET_ADMIN.diff
 create mode 100644 murmur.apparmor

diff --git a/0001-remove-CAP_NET_ADMIN.diff b/0001-remove-CAP_NET_ADMIN.diff
new file mode 100644
index 0000000..42fcb4c
--- /dev/null
+++ b/0001-remove-CAP_NET_ADMIN.diff
@@ -0,0 +1,26 @@
+From 6b365d33f10a9c4376bed058330d243c514b94a1 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Thu, 24 Mar 2011 14:29:35 +0100
+Subject: [PATCH mumble] remove CAP_NET_ADMIN
+
+QoS settings do not need CAP_NET_ADMIN anymore
+---
+ src/murmur/UnixMurmur.cpp | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/murmur/UnixMurmur.cpp b/src/murmur/UnixMurmur.cpp
+index 9becf63..9e1c81c 100644
+--- a/src/murmur/UnixMurmur.cpp
++++ b/src/murmur/UnixMurmur.cpp
+@@ -288,7 +288,7 @@ void UnixMurmur::initialcap() {
+ 
+ void UnixMurmur::finalcap() {
+ #ifdef Q_OS_LINUX
+- cap_value_t caps[] = {CAP_NET_ADMIN, CAP_SYS_RESOURCE};
++ cap_value_t caps[] = {CAP_SYS_RESOURCE};
+ struct rlimit r;
+ 
+ if (! bRoot)
+-- 
+1.7.3.4
+
diff --git a/mumble.changes b/mumble.changes
index 28bd633..fbc967e 100644
--- a/mumble.changes
+++ b/mumble.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Mar 24 13:43:05 UTC 2011 - lnussel@suse.de
+
+- add apparmor profile
+
 -------------------------------------------------------------------
 Wed Mar 23 17:26:38 UTC 2011 - lnussel@suse.de
diff --git a/mumble.spec b/mumble.spec
index 275c7c6..69c72ed 100644
--- a/mumble.spec
+++ b/mumble.spec
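Review bot: The hunk only trims the capability list in `finalcap()`, while the hunk header shows it sits directly below `initialcap()`; if `initialcap()` keeps a parallel list that still names CAP_NET_ADMIN (not visible here), the daemon carries that capability from start-up until `finalcap()` runs, so both lists should be reduced in the same patch. The description "QoS settings do not need CAP_NET_ADMIN anymore" gives no way to verify the claim later; name the upstream change it relies on, e.g. `QoS settings do not need CAP_NET_ADMIN anymore (see upstream commit <UPSTREAM-COMMIT-ID>)`. The body of `finalcap()` continues past the end of the hunk.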
@@ -95,10 +95,12 @@ Source: http://downloads.sourceforge.net/project/mumble/Mumble/%{version
 Source1: http://downloads.sourceforge.net/project/mumble/Mumble/%{version}/mumble-%{version}.tar.gz.sig
 %endif
 Source2: mumble-server.init
+Source3: murmur.apparmor
 Patch0: 0001-fix-build-error-with-capability.h.diff
 Patch1: 0001-fix-user-switching.diff
 Patch2: 0001-open-log-file-early-so-log-dir-can-be-root-owned.diff
 Patch3: 0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
+Patch4: 0001-remove-CAP_NET_ADMIN.diff
 Patch50: mumble-1.2.2-buildcompare.diff
 # hack, no clue about glx so no idea to fix this properly
 Patch99: mumble-1.1.4-sle10glx.diff
@@ -166,6 +168,7 @@ won't be audible to other players.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # %patch50 -p1
 %if 0%{?suse_version} && 0%{?suse_version} < 1020
@@ -312,6 +315,11 @@ install -D -m 0755 release/mumble11x %{buildroot}%{_bindir}/mumble11x
 # server
 install -D -m 0755 release/murmurd "%{buildroot}%{_sbindir}/murmurd"
 install -D -m 0755 %{SOURCE2} %{buildroot}/etc/init.d/mumble-server
+install -D -m 0755 %{SOURCE3} %{buildroot}/etc/apparmor.d/usr.sbin.murmurd
+install -d -m 0755 %{buildroot}%{_bindir}
+# can be launched as user too but apparmor profile doesn't make
+# sense in that case. So use link to avoid the profile.
+ln -s %{_sbindir}/murmurd %{buildroot}%{_bindir}/murmurd
 ln -s /etc/init.d/mumble-server %{buildroot}%{_sbindir}/rcmumble-server
 install -D -m 0644 scripts/murmur.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/mumble-server.conf
 install -D -m 0644 scripts/murmur.ini %{buildroot}%{_sysconfdir}/mumble-server.ini
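Review bot: In the third hunk, `install -D -m 0755 %{SOURCE3} %{buildroot}/etc/apparmor.d/usr.sbin.murmurd` installs the AppArmor profile with the execute bit set; it is a configuration file and should be `install -D -m 0644 %{SOURCE3} %{buildroot}/etc/apparmor.d/usr.sbin.murmurd`, matching the mode used for murmur.conf and murmur.ini just below. The symlink added by `ln -s %{_sbindir}/murmurd %{buildroot}%{_bindir}/murmurd` will not, as far as I know, keep a user-launched instance unconfined: AppArmor attaches profiles by the resolved path of the executed file, so running `/usr/bin/murmurd` still lands in the `/usr/sbin/murmurd` profile and the comment above the link promises behaviour it cannot deliver. If an unconfined user launch is really wanted, a separate copy or wrapper is needed; a profile that also covers the user case would be the safer direction.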
@@ -406,8 +414,11 @@ getent passwd mumble-server >/dev/null || \
 %config %{_sysconfdir}/dbus-1/system.d/mumble-server.conf
 %config(noreplace) %{_sysconfdir}/mumble-server.ini
 /etc/init.d/mumble-server
+%dir /etc/apparmor.d
+/etc/apparmor.d/usr.sbin.murmurd
 %{_sbindir}/rcmumble-server
 %{_sbindir}/murmurd
+%{_bindir}/murmurd
 %{_bindir}/murmur-user-wrapper
 %{_mandir}/man1/murmurd.*
 %{_mandir}/man1/murmur-user-wrapper.*
diff --git a/murmur.apparmor b/murmur.apparmor
new file mode 100644
index 0000000..aa9ac1e
--- /dev/null
+++ b/murmur.apparmor
@@ -0,0 +1,48 @@
+# Last Modified: Thu Mar 24 13:33:08 2011
+#include
+
+/usr/sbin/murmurd {
+ #include
+ #include
+ #include
+
+ /etc/ssl/certs/** r,
+ deny /usr/share/ssl/ r,
+ deny /usr/share/ssl/** r,
+
+# FIXME: mumble has weird capability handling. None of the first four should be
+# needed if the code is adjusted
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability chown,
+
+# needed for real time scheduling of the mixer threads
+ capability sys_resource,
+# not needed anymore
+# capability net_admin,
+
+ network inet stream,
+
+ /etc/mumble-server.ini rk,
+ /usr/bin/lsb_release cx,
+ /var/lib/mumble-server/ rwk,
+ /var/lib/mumble-server/** rwk,
+ /var/log/mumble-server/murmur.log w,
+ /var/run/mumble-server/mumble-server.pid w,
+
+ profile /usr/bin/lsb_release {
+ #include
+ #include
+
+ /bin/bash r,
+ /proc/meminfo r,
+ /usr/bin/getopt rix,
+ /usr/bin/head rix,
+ /bin/grep rix,
+ /bin/sed rix,
+ /usr/bin/cut rix,
+ /usr/bin/lsb_release r,
+ /etc/SuSE-release r,
+ }
+}
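Review bot: `/etc/apparmor.d/usr.sbin.murmurd` is listed as a plain file, so any local tightening or loosening of the profile by the administrator is silently overwritten on the next package update; list it as `%config(noreplace) /etc/apparmor.d/usr.sbin.murmurd`, consistent with the ini file two lines above. None of the spec hunks in this commit loads or reloads the profile after installation, so unless the init script does it (not visible here) a freshly installed or upgraded murmurd runs unconfined until the AppArmor service is restarted; a `%post` step that reloads the profile, or a note explaining why it is unnecessary, would close that gap. Owning `%dir /etc/apparmor.d` from this package looks unusual if the apparmor package already provides it, though it may be deliberate for older products.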
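Review bot: `network inet stream,` is the only network rule, yet murmurd also carries voice over UDP and can listen on IPv6, so this profile denies the datagram socket (clients would silently fall back to TCP-tunnelled audio) and IPv6 binding; `network inet dgram,` and the `inet6` counterparts are very likely needed — confirm against the audit log before widening. As rendered here every `#include` directive has no target; that is probably an artifact of this page, but if the committed file really lacks the `<…>` names the parser will reject the profile, which is worth a quick check. The FIXME over `capability dac_override` … `capability chown` is good documentation of known over-privilege; it would be stronger with a pointer to the code it refers to, e.g. `# FIXME: see initialcap()/finalcap() in src/murmur/UnixMurmur.cpp`.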