- fix apparmor profile

- allow reading the webapp dir to make the builtin webserver work - modernize the profile to use a short profile name - remove php abstraction, replaced with rule to read the icu data files - remove all file rules that are covered by the base and nameservice abstraction - allow include (with "if exists) for local/rspamd and local/usr.bin.rspamd (for backrwards compat) OBS-URL: https://build.opensuse.org/package/show/server:mail/rspamd?expand=0&rev=49
2020-10-09 18:01:48 +00:00 · 2020-10-09 18:01:48 +00:00 · e7da101e6a
commit e7da101e6a
parent 881b98bcf4
2 changed files with 31 additions and 16 deletions
--- a/rspamd.changes
+++ b/rspamd.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Oct  9 17:51:10 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- fix apparmor profile
+  - allow reading the webapp dir to make the builtin webserver work
+  - modernize the profile to use a short profile name
+  - remove php abstraction, replaced with rule to read the icu data
+    files
+  - remove all file rules that are covered by the base and
+    nameservice abstraction
+  - allow include (with "if exists) for local/rspamd and
+    local/usr.bin.rspamd (for backrwards compat)
+
 -------------------------------------------------------------------
 Mon Oct  5 10:42:14 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>

--- a/usr.bin.rspamd
+++ b/usr.bin.rspamd
@ -3,31 +3,33 @@

 # based on https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/rspamd/templates/apparmor.d/usr.bin.rspamd

-
-/usr/bin/rspamd {
+profile rspamd /usr/bin/rspamd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
-  #include <abstractions/php>
-  #include <local/usr.bin.rspamd>
+  #include <abstractions/ssl_certs>

-  /dev/shm/rhm.* rw,
-  /etc/gai.conf r,
-  /etc/host.conf r,
-  /etc/hosts r,
-  /etc/magic r,
-  /etc/nsswitch.conf r,
-  /etc/resolv.conf r,
-  /etc/rspamd/** r,
-  /lib/x86_64-linux-gnu/ld-*.so mr,
-  /proc/sys/kernel/random/uuid r,
  /usr/bin/rspamd mr,
+
+  /etc/rspamd/** r,
+
+  /srv/www/webapps/rspamd/ r,
+  /srv/www/webapps/rspamd/** r,
  /usr/share/rspamd/ r,
  /usr/share/rspamd/** r,
-  /var/cache/nscd/hosts r,
+
  /var/lib/rspamd/ r,
  /var/lib/rspamd/** rwk,
+
  /var/log/rspamd/rspamd.log* rwk,
  /{var/,}run/rspamd/* rwk,

-}
+  /dev/shm/rhm.* rw,
+  /etc/magic r,
+  /proc/sys/kernel/random/uuid r,
+
+  /usr/share/icu/*/icu*.dat r,
+
+  #include if exists <local/usr.bin.rspamd>
+  #include if exists <local/rspamd>
+}