On Mon, Nov 07, 2016 at 06:09:46PM +0100, Christian Boltz wrote:
> Hello,
>
> this patch updates the mlmmj profiles in the extras directory to the
> profiles that are used on lists.opensuse.org now. Besides adding lots
> of trailing slashes for directories, several permissions were added.
> Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
> mlmmj-recieve to fix a typo.
>
> These profiles were provided by Per Jessen.
>
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
> In trunk, I'd also like to delete the mlmmj-recieve profile (for the
> misnamed binary), but I tend to keep it in 2.10 and 2.9 to avoid
> regressions.

I can see that these patches took a fair amount of back-and-forth development already so I'm disinclined to suggest further changes before they are merged, but...

1) Per Jessen did a huge amount of work on these and probably ought to have a copyright line, or update suse's copyright lines.

2) All the executables will need 'm' access when run on kernels that have 9f834ec18defc369d73ccf9e87a2790bfa05bf46 integrated.

3) I'd suggest not deleting the mlmmj-recieve for a year or two. Who knows how long it will be before the old name is removed everywhere.

So, Acked-by: Seth Arnold <[email protected]> for all three branches, with or without these suggested changes as you see fit.

Thanks

> > [ mlmmj.diff ] > > === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce 2010-12-20 > 20:29:10 +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce 2016-11-07 > 16:49:35 +0000 > @@ -16,7 +16,24 @@ > > /usr/bin/mlmmj-bounce r, > /usr/bin/mlmmj-send Px, > + /usr/bin/mlmmj-maintd Px, > + /var/spool/mlmmj/*/subscribers.d/ r, > + /var/spool/mlmmj/*/subscribers.d/* r, > + /var/spool/mlmmj/*/subconf rwl, # > /var/spool/mlmmj/*/subconf/* rwl, > + /var/spool/mlmmj/*/queue rwl, # > /var/spool/mlmmj/*/queue/* rwl, > - > + /var/spool/mlmmj/*/bounce/ rwl, > + > + /var/spool/mlmmj/*/nomailsubs.d/ r, > + /var/spool/mlmmj/*/nomailsubs.d/* r, > + /var/spool/mlmmj/*/digesters.d/ r, > + /var/spool/mlmmj/*/digesters.d/* r, > + > + /var/spool/mlmmj/*/bounce/* rw, > + > + /var/spool/mlmmj/*/unsubconf/* w, > + > + /usr/share/mlmmj/text.skel/*/* r, > + /var/spool/mlmmj/*/control/* r, > } > > === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd 2010-12-20 > 20:29:10 +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd 2016-11-07 > 16:49:47 +0000 
> @@ -18,19 +18,34 @@ > > /usr/bin/mlmmj-maintd r, > /usr/bin/mlmmj-send Px, > + /usr/bin/mlmmj-bounce Px, > + /usr/bin/mlmmj-unsub Px, > > - /var/spool/mlmmj r, > - /var/spool/mlmmj/*/bounce r, > + /var/spool/mlmmj/ r, > + /var/spool/mlmmj/* r, # > + /var/spool/mlmmj/*/bounce/ r, > + /var/spool/mlmmj/*/bounce/* rw, > /var/spool/mlmmj/*/index r, > - /var/spool/mlmmj/*/lastdigest rw, > + /var/spool/mlmmj/*/lastdigest rwk, > /var/spool/mlmmj/*/maintdlog-* lrw, > /var/spool/mlmmj/*/mlmmj-maintd.lastrun.log w, > - /var/spool/mlmmj/*/moderation r, > + /var/spool/mlmmj/*/moderation/ r, > + /var/spool/mlmmj/*/moderation/* w, > + /var/spool/mlmmj/*/archive/ r, > /var/spool/mlmmj/*/archive/* r, > + /var/spool/mlmmj/*/control/ r, > /var/spool/mlmmj/*/control/* r, > - /var/spool/mlmmj/*/queue r, > - /var/spool/mlmmj/*/queue/* rwl, > - /var/spool/mlmmj/*/requeue r, > - /var/spool/mlmmj/*/subconf r, > - /var/spool/mlmmj/*/unsubconf r, > + /var/spool/mlmmj/*/queue/ r, > + /var/spool/mlmmj/*/queue/** rwl, > + /var/spool/mlmmj/*/requeue/ r, > + /var/spool/mlmmj/*/requeue/* rw, > + /var/spool/mlmmj/*/requeue/*/ rw, > + /var/spool/mlmmj/*/subconf/ r, > + /var/spool/mlmmj/*/subconf/* rw, > + /var/spool/mlmmj/*/unsubconf/ r, > + /var/spool/mlmmj/*/unsubconf/* rw, > + > + /usr/share/mlmmj/text.skel/*/digest r, > + /var/spool/mlmmj/*/mlmmj.operation.log rwk, > + > } > > === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-process' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-process 2010-12-20 > 20:29:10 +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-process 2016-11-07 > 16:50:03 +0000 
> @@ -19,11 +19,27 @@ > /usr/bin/mlmmj-sub Px, > /usr/bin/mlmmj-unsub Px, > /usr/bin/mlmmj-bounce Px, > + # skeleton data > + /usr/share/mlmmj/text.skel/ r, > + /usr/share/mlmmj/text.skel/*/* r, > + > /var/spool/mlmmj/*/control/* r, > /var/spool/mlmmj/*/text/* r, > /var/spool/mlmmj/*/incoming/* rwl, > - /var/spool/mlmmj/*/queue/* rwl, > + /var/spool/mlmmj/*/queue/** rwl, > /var/spool/mlmmj/*/subconf/* rwl, > /var/spool/mlmmj/*/unsubconf/* rwl, > - /var/spool/mlmmj/*/mlmmj.operation.log rw, > + /var/spool/mlmmj/*/mlmmj.operation.log rwk, > + /var/spool/mlmmj/*/mlmmj.operation.log.rotated w, > + > + /var/spool/mlmmj/*/nomailsubs.d/ r, > + /var/spool/mlmmj/*/nomailsubs.d/* r, > + /var/spool/mlmmj/*/subscribers.d/ r, > + /var/spool/mlmmj/*/subscribers.d/* r, > + /var/spool/mlmmj/*/digesters.d/ r, > + /var/spool/mlmmj/*/digesters.d/* r, > + > + /var/spool/mlmmj/*/moderation/* rw, > + /etc/mlmmj/text/*/* r, > + > } > > === added file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive 1970-01-01 > 00:00:00 +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive 2016-11-07 > 16:50:13 +0000 
> @@ -0,0 +1,21 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2002-2005 Novell/SUSE > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim:syntax=apparmor > + > +#include <tunables/global> > + > +/usr/bin/mlmmj-receive { > + #include <abstractions/base> > + > + /usr/bin/mlmmj-process Px, > + /usr/bin/mlmmj-receive r, > + /var/spool/mlmmj/*/incoming/ rw, > + /var/spool/mlmmj/*/incoming/* rw, > +} > > === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-send' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-send 2010-12-20 > 20:29:10 +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-send 2016-11-07 > 16:53:17 +0000 > @@ -18,8 +18,13 @@ > /usr/bin/mlmmj-send r, > /var/spool/mlmmj/*/archive/* w, > /var/spool/mlmmj/*/control/* r, > - /var/spool/mlmmj/*/index rw, > - /var/spool/mlmmj/*/queue/* lrw, > - /var/spool/mlmmj/*/subscribers.d r, > + /var/spool/mlmmj/*/index rwk, > + /var/spool/mlmmj/*/queue/* klrw, > + /var/spool/mlmmj/*/subscribers.d/ r, > /var/spool/mlmmj/*/subscribers.d/* r, > + > + /var/spool/mlmmj/*/digesters.d/ r, > + > + /var/spool/mlmmj/*/moderation/* rwk, > + > } > > === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2010-12-20 20:29:10 > +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-07 16:56:10 > +0000 
> @@ -18,11 +18,23 @@ > > /usr/bin/mlmmj-send Px, > /usr/bin/mlmmj-sub r, > + /var/spool/mlmmj/*/control/ r, > /var/spool/mlmmj/*/control/* r, > - /var/spool/mlmmj/*/queue/* w, > - /var/spool/mlmmj/*/subconf/* w, > - /var/spool/mlmmj/*/subscribers.d rw, > - /var/spool/mlmmj/*/subscribers.d/* rw, > - /var/spool/mlmmj/*/subscribers.d/.d.lock lw, > + /var/spool/mlmmj/*/queue/ rw, > + /var/spool/mlmmj/*/queue/* rw, > + /var/spool/mlmmj/*/subconf/ rw, > + /var/spool/mlmmj/*/subconf/* rw, > + /var/spool/mlmmj/*/subscribers.d/ rw, > + /var/spool/mlmmj/*/subscribers.d/* rwk, > + /var/spool/mlmmj/*/text/ r, # > /var/spool/mlmmj/*/text/* r, > + > + /usr/share/mlmmj/text.skel/*/* r, > + > + /var/spool/mlmmj/*/nomailsubs.d/ rw, > + /var/spool/mlmmj/*/nomailsubs.d/* rwk, > + > + /var/spool/mlmmj/*/digesters.d/ rw, > + /var/spool/mlmmj/*/digesters.d/* rwk, > + > } > > === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub' > --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub 2010-12-20 > 20:29:10 +0000 > +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub 2016-11-07 > 16:50:52 +0000 > @@ -16,12 +16,25 @@ > > /usr/bin/mlmmj-unsub r, > /usr/bin/mlmmj-send Px, > + /var/spool/mlmmj/*/control/ r, > /var/spool/mlmmj/*/control/* r, > + /var/spool/mlmmj/*/text/ r, > /var/spool/mlmmj/*/text/* r, > - /var/spool/mlmmj/*/subscribers.d r, > - /var/spool/mlmmj/*/subscribers.d/* r, > > + /var/spool/mlmmj/*/queue/ rwl, > /var/spool/mlmmj/*/queue/* rwl, > + /var/spool/mlmmj/*/unsubconf/ rwl, > /var/spool/mlmmj/*/unsubconf/* rwl, > - /var/spool/mlmmj/*/subscribers.d/* rwl, > + /var/spool/mlmmj/*/subscribers.d/ rw, > + /var/spool/mlmmj/*/subscribers.d/* rwk, > + > + /var/spool/mlmmj/*/nomailsubs.d/ rw, > + /var/spool/mlmmj/*/nomailsubs.d/* rwk, > + > + /var/spool/mlmmj/*/digesters.d/ rw, > + /var/spool/mlmmj/*/digesters.d/* rwk, > + > + /usr/share/mlmmj/text.skel/*/* r, > + /etc/mlmmj/text/*/finish r, > + > } >
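
Review bot: In the usr.bin.mlmmj-bounce hunk, the added `/var/spool/mlmmj/*/subconf rwl, #` and `/var/spool/mlmmj/*/queue rwl, #` rules have no trailing slash, so they match a file named subconf or queue rather than the directory, unlike the `bounce/`, `subscribers.d/` and `digesters.d/` rules added beside them. If the directories are meant, add the slash. The trailing `#` is an empty comment; either drop it or use it to say why the rule is needed.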
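
Review bot: In the usr.bin.mlmmj-maintd hunk, `/var/spool/mlmmj/* r, #` only matches non-directory entries directly under /var/spool/mlmmj/, because a directory is matched by a path ending in a slash. If the intent is to let mlmmj-maintd list each list directory, the rule would be `/var/spool/mlmmj/*/ r,`; if it really is for plain files there, a comment after the `#` naming them would help the next reader.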
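
Review bot: In the usr.bin.mlmmj-process hunk, replacing `/var/spool/mlmmj/*/queue/* rwl,` with `/var/spool/mlmmj/*/queue/** rwl,` extends write and link access to every depth below queue/. A comment naming the subdirectory that needs it, or a rule limited to that one extra level, would keep the grant as narrow as the old one. The same widening appears in usr.bin.mlmmj-maintd, while usr.bin.mlmmj-send keeps `queue/*`, so the three profiles now disagree on how deep the queue goes.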
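
Review bot: In the new usr.bin.mlmmj-receive profile, `/var/spool/mlmmj/*/incoming/ rw,` gives write access on the directory path itself, which covers creating or removing the incoming/ directory; creating files inside it is already covered by `/var/spool/mlmmj/*/incoming/* rw,`. Unless mlmmj-receive is expected to create incoming/ itself, `r` on the directory rule should be enough.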
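
Review bot: In the usr.bin.mlmmj-send hunk, `/var/spool/mlmmj/*/digesters.d/ r,` is added without a matching `/var/spool/mlmmj/*/digesters.d/* r,`, so the profile can list the directory but not read the files in it. The subscribers.d pair just above has both rules; if mlmmj-send reads digest subscribers the same way, the file rule is missing, and if it only needs the listing a short comment saying so would avoid the question.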
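
Review bot: In the usr.bin.mlmmj-sub hunk, the removed `/var/spool/mlmmj/*/subscribers.d/.d.lock lw,` granted link access, and the rule that now covers that file, `/var/spool/mlmmj/*/subscribers.d/* rwk,`, grants lock but no `l`. If mlmmj-sub still takes the lock by linking, that would now be denied; either keep an `l` rule for `.d.lock` or say in the commit message that only `k` is needed with the current mlmmj.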
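
Review bot: In the usr.bin.mlmmj-unsub hunk, `/var/spool/mlmmj/*/queue/ rwl,` and `/var/spool/mlmmj/*/unsubconf/ rwl,` carry `l` on directory paths, where it has no effect since hard links to directories cannot be created. Dropping it to `rw` (or `r`, if the directories are never created by mlmmj-unsub) would match the `subscribers.d/ rw,` style used a few lines further down.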
