From f4bc9636cf0d47eb18198a0ed7082cf864cef234 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Jul 03 2017 17:18:39 +0000
Subject: Allow executing pygmentize in the wiki AppArmor profile

pygmentize is used by the SyntaxHighlight_GeSHi extension. Add a profile for it, and allow to execute it from the wiki profile.
---
diff --git a/pillar/role/wiki.sls b/pillar/role/wiki.sls
index b63ed22..9b6d61f 100644
--- a/pillar/role/wiki.sls
+++ b/pillar/role/wiki.sls
@@ -5,6 +5,8 @@ apparmor:
 template: jinja
 memcached:
 source: salt://profile/wiki/files/memcached.apparmor
+ pygmentize:
+ source: salt://profile/wiki/files/pygmentize.apparmor
 
 # list of wikis running MediaWiki 1.27 (this will allow us to migrate to a new version one by one later)
 mediawiki_1_27:
diff --git a/salt/profile/wiki/files/httpd2-prefork.apparmor b/salt/profile/wiki/files/httpd2-prefork.apparmor
index b9e331f..727b2bb 100644
--- a/salt/profile/wiki/files/httpd2-prefork.apparmor
+++ b/salt/profile/wiki/files/httpd2-prefork.apparmor
@@ -118,6 +118,7 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 /bin/bash rix,
 /dev/tty rw,
 /proc/meminfo r,
+ /usr/share/mediawiki_1_27/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize Px -> pygmentize,
 /usr/sbin/sendmail PUx,
 /var/log/apache2/access_log w,
 /var/log/apache2/error_log w,
diff --git a/salt/profile/wiki/files/pygmentize.apparmor b/salt/profile/wiki/files/pygmentize.apparmor
new file mode 100644
index 0000000..79b2829
--- /dev/null
+++ b/salt/profile/wiki/files/pygmentize.apparmor
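Review bot: The new `Px -> pygmentize` rule in httpd2-prefork.apparmor pins the executable to its `/usr/share/mediawiki_1_27/` path, while the pillar comment in the same commit says wikis will be migrated to a newer MediaWiki version one by one; a second version's copy of pygmentize would not match this rule, so httpd would have no transition for it (and, since the httpd profile carries the `complain` flag, that would show up as a logged denial rather than a failure until the profile is enforced). Either add one rule per installed version as they are introduced, or record the coupling next to the rule: `# one Px rule per installed MediaWiki version; the target name must match the profile name in pygmentize.apparmor`. `Px` with a named target is the right choice here, as it scrubs the environment and keeps pygmentize's accesses out of the httpd profile. The enclosing `profile httpd2-prefork` block starts and ends outside the hunk.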
@@ -0,0 +1,39 @@
+# managed by salt - do not edit!
+
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2017 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile pygmentize /usr/share/mediawiki_1_27/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize flags=(complain) {
+ #include
+ #include
+
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /proc/meminfo r,
+ /usr/ r,
+ /usr/bin/ r,
+ /usr/bin/env rix,
+ /usr/bin/python r,
+ /usr/bin/python2.7 rix,
+ /usr/lib/ r,
+ /usr/local/lib/ r,
+ /usr/local/lib64/ r,
+ /usr/share/ r,
+ /usr/share/mediawiki_1_27/ r,
+ /usr/share/mediawiki_1_27/extensions/ r,
+ /usr/share/mediawiki_1_27/extensions/SyntaxHighlight_GeSHi/ r,
+ /usr/share/mediawiki_1_27/extensions/SyntaxHighlight_GeSHi/pygments/ r,
+ /usr/share/mediawiki_1_27/extensions/SyntaxHighlight_GeSHi/pygments/pygmentize r,
+
+}
+
+# vim: ft=apparmor expandtab
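Review bot: `flags=(complain)` on the `profile pygmentize` line means the `Px -> pygmentize` transition the httpd profile now makes only logs what pygmentize touches and does not restrict it, so this rule set is not yet a confinement boundary. That is a reasonable way to collect the initial access list, but the intent to enforce later is not recorded anywhere; a comment on the profile line such as `# TODO: drop flags=(complain) once aa-logprof shows no further denials` would keep it visible. The rule set grants read and `ix` access only, with no write rule for a temp or cache location, so if pygmentize writes anything at runtime that will surface as denials while in complain mode — whether it does cannot be told from the diff. The `#include` targets (the tunables line and the two abstractions inside the profile) appear stripped in this rendering, so which abstractions are pulled in cannot be checked here.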