Commit 9c33b1b4 authored by nl6720's avatar nl6720 Committed by Sandro Knauß
Browse files

Support more distributions in the AppArmor profiles

Summary:
This fixes Akonadi on Arch Linux (and possibly others).

Changes to the AppArmor profiles:

- Allow writing and locking `/run/user/${uid}/akonadi`, the database engine socket is stored there.
- Add `abstractions/consoles`, needed for console output.

PostgreSql specific:
- Add bash (it is a common default shell).
- Support `/usr/bin/*` paths for PostgreSQL binaries.
- Support `pg_upgrade`.

MySQL specific:
- Add bash (it is a common default shell).
- Add `/usr/bin/mysqld` as a path for the MySQL daemon binary.
- Add `abstractions/openssl`. When using MySQL, both `akonadiserver` and `mysqld` will try to read `/etc/ssl/openssl.cnf`.
- Add `/etc/my.cnf` and `/etc/my.cnf.d/`, on Arch Linux the `my.cnf` configuration is stored there.

Test Plan: `akonadictl start` on a system with active AppArmor and loaded profiles.

Reviewers: #kde_pim, knauss

Reviewed By: #kde_pim, knauss

Subscribers: arojas, dvratil, knauss, jriddell, kde-pim, #kde_pim

Tags: #kde_pim

Differential Revision: https://phabricator.kde.org/D25964
parent 57d597d7
......@@ -4,7 +4,10 @@
profile mysqld_akonadi {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/user-tmp>
capability setgid,
......@@ -15,7 +18,9 @@ profile mysqld_akonadi {
/etc/mysql/ r,
/etc/mysql/** r,
/etc/my.cnf{,.d/**} r,
@{sys}/devices/system/cpu/ r,
/{usr/,}bin/{b,d}ash mrix,
/{usr/,}bin/cat mrix,
/{usr/,}bin/chmod mrix,
/{usr/,}bin/dirname mrix,
......@@ -26,8 +31,9 @@ profile mysqld_akonadi {
/usr/bin/mysql_install_db mrix,
/usr/bin/mysqladmin mrix,
/usr/bin/mysqlcheck mrix,
/usr/sbin/mysqld mrix,
/usr/{,s}bin/mysqld mrix,
/usr/share/mysql/** r,
owner @{xdg_data_home}/akonadi/** rwk,
owner @{PROC}/@{pid}/loginuid r,
owner /{,var/}run/user/@{uid}/akonadi** rwk,
}
......@@ -4,19 +4,35 @@
profile postgresql_akonadi {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability setgid,
capability setuid,
/etc/passwd r,
/{usr/,}bin/dash mrix,
/{usr/,}bin/{b,d}ash mrix,
/{usr/,}bin/locale mrix,
/usr/lib/postgresql/*/bin/initdb mrix,
/usr/lib/postgresql/*/bin/pg_ctl mrix,
/usr/lib/postgresql/*/bin/postgres mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
/usr/share/postgresql/** r,
owner /dev/shm/PostgreSQL.* rw,
owner @{xdg_data_home}/akonadi/** rwlk,
owner @{xdg_data_home}/akonadi/db_data/** l,
owner /{,var/}run/user/@{uid}/akonadi** rwk,
# pg_upgrade
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
/opt/pgsql*/** mr,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
/{usr/,}bin/cp mrix,
}
......@@ -6,8 +6,10 @@
/usr/bin/akonadiserver {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/dbus-session-strict>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/qt5>
#include <abstractions/user-tmp>
......@@ -19,12 +21,15 @@
/usr/bin/mysql_install_db PUx -> mysqld_akonadi,
/usr/bin/mysqladmin PUx -> mysqld_akonadi,
/usr/bin/mysqlcheck PUx -> mysqld_akonadi,
/usr/lib/postgresql/*/bin/initdb PUx -> postgresql_akonadi,
/usr/lib/postgresql/*/bin/pg_ctl PUx -> postgresql_akonadi,
/usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
/usr/sbin/mysqld PUx -> mysqld_akonadi,
/usr/share/mime/mime.cache r,
/usr/share/mime/packages/ r,
/usr/share/mime/types r,
/usr/share/qt/translations/* r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{xdg_config_home}/* r,
......@@ -43,4 +48,6 @@
owner @{xdg_data_home}/akonadi/** rwk,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/mounts r,
owner /{,var/}run/user/@{uid}/akonadi** rwk,
owner /tmp/#[0-9]* m,
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment