Bug#951388: [akonadi-backend-postgresql] apparmor profile unsuitable

[Sandro Knauß]

Forwarded: https://invent.kde.org/pim/akonadi/-/merge_requests/32

Hey,

I have pushed the needed changes to upstream. The AppArmor profile is living 
there.

hefee

--
On Samstag, 15. Februar 2020 21:08:15 CEST Bastien Roucariès wrote:
> Package: akonadi-backend-postgresql
> Version: 4:19.08.3-1
> Severity: grave
> Justification: renders package unusable
> Tags: patch
> 
> Dear Maintainer,
> 
> Please find the following update for apparmor
> 
> Please apply
> 
> Bastien



signature.asc
Description: This is a digitally signed message part.

Bug#951388: [akonadi-backend-postgresql] apparmor profile unsuitable

[Bastien Roucariès]

Package: akonadi-backend-postgresql
Version: 4:19.08.3-1
Severity: grave
Justification: renders package unusable
Tags: patch

Dear Maintainer,

Please find the following update for apparmor 

Please apply

Bastiendiff --git a/apparmor.d/postgresql_akonadi b/apparmor.d/postgresql_akonadi
index c25fa08..b650612 100644
--- a/apparmor.d/postgresql_akonadi
+++ b/apparmor.d/postgresql_akonadi
@@ -5,21 +5,27 @@
 
 profile postgresql_akonadi {
   #include 
+  #include 
   #include 
 
   capability setgid,
   capability setuid,
 
+  signal receive set=kill peer=/usr/bin/akonadiserver,
+  signal receive set=term peer=/usr/bin/akonadiserver,
+
   /etc/passwd r,
+
   /{usr/,}bin/dash mrix,
   /{usr/,}bin/locale mrix,
+  /{var/,}run/systemd/resolve/resolv.conf r,
   /usr/lib/postgresql/*/bin/initdb mrix,
   /usr/lib/postgresql/*/bin/pg_ctl mrix,
   /usr/lib/postgresql/*/bin/postgres mrix,
+  /usr/lib/postgresql/*/bin/pg_upgrade mrix,
   /usr/share/postgresql/** r,
   owner /dev/shm/PostgreSQL.* rw,
   owner @{xdg_data_home}/akonadi/** rwlk,
-  owner @{xdg_data_home}/akonadi/db_data/** l,
 
   # Site-specific additions and overrides. See local/README for details.
   #include 
diff --git a/apparmor.d/usr.bin.akonadiserver b/apparmor.d/usr.bin.akonadiserver
index 2055a49..8a8cc23 100644
--- a/apparmor.d/usr.bin.akonadiserver
+++ b/apparmor.d/usr.bin.akonadiserver
@@ -13,7 +13,8 @@
 
   signal send set=kill peer=mysqld_akonadi,
   signal send set=term peer=mysqld_akonadi,
-
+  signal send set=kill peer=postgresql_akonadi,
+  signal send set=term peer=postgresql_akonadi,
 
   /etc/xdg/** r,
   /usr/bin/akonadiserver mr,
@@ -32,7 +33,7 @@
   owner @{xdg_config_home}/akonadi* rw,
   owner @{xdg_config_home}/QtProject/qtlogging.ini r,
   owner @{xdg_config_home}/akonadi/ rw,
-  owner @{xdg_config_home}/akonadi/* rwl,
+  owner @{xdg_config_home}/akonadi/** rwl,
   owner @{xdg_config_home}/akonadi/akonadiconnectionrc wl,
   owner @{xdg_config_home}/akonadi/akonadiconnectionrc.lock rwk,
   owner @{xdg_config_home}/akonadi/akonadiserverrc.lock rwk,
@@ -44,6 +45,8 @@
   owner @{xdg_data_home}/akonadi/** rwk,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/mounts r,
+  owner /{,var/}run/user/[0-9]*/akonadi/ w,
+  owner /{,var/}run/user/[0-9]*/akonadi/** rw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include 


signature.asc
Description: This is a digitally signed message part.