Subject: Adjust Akonadi AppArmor profiles for openSUSE and AppArmor 3.0

From: Christian Boltz <suse-beta@cboltz.de>

* add paths to match the openSUSE file location
* use @{postgresqlpath} for the various postgresql paths (and add
  /usr/lib/postgresql*[0-9]/ for openSUSE)
* add 'abi' rules to enable and enforce all AppArmor features


Index: akonadi-21.04.3/apparmor/mariadbd_akonadi
===================================================================
--- akonadi-21.04.3.orig/apparmor/mariadbd_akonadi	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/mariadbd_akonadi	2021-07-11 18:47:18.489487989 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
Index: akonadi-21.04.3/apparmor/mysqld_akonadi
===================================================================
--- akonadi-21.04.3.orig/apparmor/mysqld_akonadi	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/mysqld_akonadi	2021-07-11 18:47:18.489487989 +0200
@@ -1,3 +1,5 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
Index: akonadi-21.04.3/apparmor/postgresql_akonadi
===================================================================
--- akonadi-21.04.3.orig/apparmor/postgresql_akonadi	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/postgresql_akonadi	2021-07-11 18:47:58.253406613 +0200
@@ -1,8 +1,12 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
 
-profile postgresql_akonadi {
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
+
+profile postgresql_akonadi flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/consoles>
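Review bot: `flags=(attach_disconnected)` is added to the profile header without any comment, and the commit description does not mention it. The flag makes AppArmor attach disconnected paths to the namespace root, so objects reached from outside the profile's mount namespace are matched as ordinary absolute paths, which loosens mediation. The only hint at the reason is the `# disconnected path` remark on `deny / rw,` in the next hunk. I would add a comment above the profile line, e.g. `# attach_disconnected: postgres receives fds/paths from outside its namespace (see deny / rw below)`, adjusted to the real cause. The profile body continues outside this hunk.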
@@ -15,27 +19,30 @@ profile postgresql_akonadi {
   signal receive set=kill peer=/usr/bin/akonadiserver,
   signal receive set=term peer=/usr/bin/akonadiserver,
 
+  deny / rw,  # disconnected path
+
   /etc/passwd r,
   /{usr/,}bin/{b,d}ash mrix,
   /{usr/,}bin/locale mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
+  @{postgresqlpath}/bin/initdb mrix,
+  @{postgresqlpath}/bin/pg_ctl mrix,
+  @{postgresqlpath}/bin/postgres mrix,
   /usr/share/postgresql/** r,
+  /usr/share/postgresql*[0-9]/timezonesets/Default r,  # use globbing?
   owner /dev/shm/PostgreSQL.* rw,
   owner @{xdg_data_home}/akonadi/** rwlk,
   owner @{xdg_data_home}/akonadi/db_data/** l,
   owner /{,var/}run/user/@{uid}/akonadi** rwk,
 
   # pg_upgrade
-  /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
+  @{postgresqlpath}/bin/pg_upgrade mrix,
   /opt/pgsql*/** mr,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
+  @{postgresqlpath}/bin/pg_controldata mrix,
+  @{postgresqlpath}/bin/pg_resetwal mrix,
+  @{postgresqlpath}/bin/pg_dumpall mrix,
+  @{postgresqlpath}/bin/pg_dump mrix,
+  @{postgresqlpath}/bin/vacuumdb mrix,
+  @{postgresqlpath}/bin/psql mrix,
+  @{postgresqlpath}/bin/pg_restore mrix,
   /{usr/,}bin/cp mrix,
 }
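Review bot: The `pg_upgrade` rule is widened rather than just refactored. The removed line listed only `/usr/` and `/usr/lib/postgresql/*/`, while `@{postgresqlpath}` also contains `/opt/pgsql*/`, so `/opt/pgsql*/bin/pg_upgrade` now gets `ix` on top of the `mr` it already had from `/opt/pgsql*/** mr,`. The same happens on the `pg_upgrade` rule in usr.bin.akonadiserver. If this is intended, say so in the commit description; if not, keep an explicit alternation for this one rule, e.g. `/{usr/,usr/lib/postgresql/*/,usr/lib/postgresql*[0-9]/}bin/pg_upgrade mrix,`. The profile starts outside this hunk.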
Index: akonadi-21.04.3/apparmor/usr.bin.akonadiserver
===================================================================
--- akonadi-21.04.3.orig/apparmor/usr.bin.akonadiserver	2021-06-08 21:02:40.000000000 +0200
+++ akonadi-21.04.3/apparmor/usr.bin.akonadiserver	2021-07-11 18:49:46.837184405 +0200
@@ -1,9 +1,13 @@
+abi <abi/3.0>,
+
 #include <tunables/global>
 
 @{xdg_data_home}=@{HOME}/.local/share
 
 @{xdg_config_home}=@{HOME}/.config
 
+@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
+
 /usr/bin/akonadiserver {
   #include <abstractions/base>
   #include <abstractions/consoles>
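Review bot: `@{postgresqlpath}` is defined here with the same value as in postgresql_akonadi, and nothing ties the two copies together. If one list is extended and the other is not, the exec rules in this profile and the rules inside postgresql_akonadi will disagree on which binaries are covered. A comment above each definition would make the coupling visible, e.g. `# keep in sync with @{postgresqlpath} in postgresql_akonadi`. The profile body continues outside this hunk.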
@@ -37,6 +41,7 @@
   /etc/xdg/** r,
   /usr/bin/akonadiserver mr,
   /usr/lib/x86_64-linux-gnu/libexec/drkonqi PUx,
+  /usr/lib{,64}/libexec/drkonqi PUx,
   /usr/bin/mariadb-admin PUx -> mariadbd_akonadi,
   /usr/bin/mariadb-check PUx -> mariadbd_akonadi,
   /usr/bin/mariadb-install-db PUx -> mariaddbd_akonadi,
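Review bot: The transition target on the `mariadb-install-db` context line is spelled `mariaddbd_akonadi`, which does not match the `mariadbd_akonadi` name used by the two rules above it. Because the rule is `PUx`, a target profile that is not loaded most likely makes the exec fall back to unconfined instead of failing, so the helper would run without the intended confinement. The commit touches this block but leaves the line as is; it should read `/usr/bin/mariadb-install-db PUx -> mariadbd_akonadi,`. The enclosing profile starts and ends outside this hunk.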
@@ -45,14 +50,18 @@
   /usr/bin/mysqladmin PUx -> mysqld_akonadi,
   /usr/bin/mysqlcheck PUx -> mysqld_akonadi,
   /usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
-  /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
-  /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
+  @{postgresqlpath}/bin/initdb PUx -> postgresql_akonadi,
+  @{postgresqlpath}/bin/pg_ctl PUx -> postgresql_akonadi,
+  @{postgresqlpath}/bin/pg_upgrade PUx -> postgresql_akonadi,
+  /usr/local/share/mime/mime.cache r,
+  /usr/local/share/mime/types r,
   /usr/sbin/mysqld PUx -> mysqld_akonadi,
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/mime/mime.cache r,
   /usr/share/mime/packages/ r,
   /usr/share/mime/types r,
-  /usr/share/qt/translations/* r,
+  /usr/share/qt5/qtlogging.ini r,
+  /usr/share/qt{,5}/translations/* r,
   /usr/share/mysql/** r,
   @{PROC}/sys/kernel/core_pattern r,
   @{PROC}/sys/kernel/random/boot_id r,