diff --git a/CMakeLists.txt b/CMakeLists.txt
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -137,6 +137,7 @@
 option(AKONADI_BUILD_QSQLITE "Build the Sqlite backend." TRUE)
 option(BUILD_TOOLS "Build and install tools for development and testing purposes." TRUE)
 option(NO_REGENERATE_MIME "Don't regenerate mime file (developer-only option)" FALSE )
+option(INSTALL_APPARMOR "Install AppArmor profiles" TRUE)
 if(BUILD_TESTING)
 set(BUILD_TOOLS TRUE)
@@ -312,6 +313,9 @@
 add_subdirectory(tests)
 endif()
+if(INSTALL_APPARMOR)
+ add_subdirectory(apparmor)
+endif()
 ############### install stuff ###############
diff --git a/apparmor/CMakeLists.txt b/apparmor/CMakeLists.txt
new file mode 100644
--- /dev/null
+++ b/apparmor/CMakeLists.txt
@@ -0,0 +1,2 @@
+
+install(FILES usr.bin.akonadiserver mysqld_akonadi postgresql_akonadi DESTINATION ${KDE_INSTALL_SYSCONFDIR}/apparmor.d)
diff --git a/apparmor/mysqld_akonadi b/apparmor/mysqld_akonadi
new file mode 100644
--- /dev/null
+++ b/apparmor/mysqld_akonadi
@@ -0,0 +1,31 @@
+#include
+
+profile mysqld_akonadi {
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=kill peer=/usr/bin/akonadiserver,
+ signal receive set=term peer=/usr/bin/akonadiserver,
+
+ /etc/mysql/ r,
+ /etc/mysql/** r,
+ @{sys}/devices/system/cpu/ r,
+ /{usr/,}bin/cat mrix,
+ /{usr/,}bin/chmod mrix,
+ /{usr/,}bin/dirname mrix,
+ /{usr/,}bin/hostname mrix,
+ /{usr/,}bin/mkdir mrix,
+ /{usr/,}bin/sed mrix,
+ /usr/bin/my_print_defaults mrix,
+ /usr/bin/mysql_install_db mrix,
+ /usr/bin/mysqladmin mrix,
+ /usr/bin/mysqlcheck mrix,
+ /usr/sbin/mysqld mrix,
+ /usr/share/mysql/** r,
+ owner @{HOME}/.local/share/akonadi/** rwk,
+ owner @{PROC}/@{pid}/loginuid r,
+}
diff --git a/apparmor/postgresql_akonadi b/apparmor/postgresql_akonadi
new file mode 100644
--- /dev/null
+++ b/apparmor/postgresql_akonadi
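Review bot: `option(INSTALL_APPARMOR "Install AppArmor profiles" TRUE)` defaults to installing files into `apparmor.d` on every platform, including non-Linux targets and Linux distributions that ship without AppArmor, where the files only litter the install tree and never confine anything. Gate the default on the target instead — a short `if(CMAKE_SYSTEM_NAME STREQUAL "Linux")` before the `option()` that sets a default variable, then `option(INSTALL_APPARMOR "Install AppArmor profiles" ${INSTALL_APPARMOR_DEFAULT})` — so users on other systems are not opted in silently. The unprefixed name matches the neighbouring `BUILD_TOOLS`/`NO_REGENERATE_MIME`, so consistency is fine, but the description could state what installing does not do: `"Install AppArmor profiles (they are only enforced once loaded by apparmor_parser)"`.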
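Review bot: The `install(FILES ...)` copies the profiles verbatim into `${KDE_INSTALL_SYSCONFDIR}/apparmor.d`, while the profile they carry attaches to the literal path `/usr/bin/akonadiserver`; with any other `CMAKE_INSTALL_PREFIX` the binary lives elsewhere, the profile never attaches, and akonadiserver runs unconfined without any warning. Generate the profile from a template instead, e.g. `configure_file(usr.bin.akonadiserver.in ${CMAKE_CURRENT_BINARY_DIR}/usr.bin.akonadiserver @ONLY)` with `@KDE_INSTALL_FULL_BINDIR@/akonadiserver` in the template (and in the `peer=` rules of the companion profiles), and install the generated file. Also, when the prefix is not `/usr`, `KDE_INSTALL_SYSCONFDIR` presumably resolves beneath the prefix rather than to `/etc`, which `apparmor_parser` does not read — confirm how ECM sets it for this project. Installing the files does not load them; a one-line comment above the `install()` saying `# Profiles take effect only after apparmor_parser -r (or a reboot)` would spare packagers a surprise.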
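Review bot: `capability setgid,` and `capability setuid,` let the confined mysqld change uid/gid, but this instance is spawned from a user session (every data rule is `owner @{HOME}/...`), where the process ordinarily holds no capabilities, so the two rules are inert in the intended case and only matter if `mysqld` or `mysql_install_db` is ever run as root under this profile. If they cover a known code path, say so above them, e.g. `# only relevant when mysqld starts as root and drops to --user`; otherwise drop them to keep the profile minimal. The kill/term receive rules are pinned to `peer=/usr/bin/akonadiserver`, which ties this profile to the fixed attachment path of the companion profile, so both must move together if that path ever changes. The `#include` targets are not visible in this rendering, so the abstractions pulled in could not be reviewed.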
@@ -0,0 +1,20 @@
+#include
+
+profile postgresql_akonadi {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ /etc/passwd r,
+ /{usr/,}bin/dash mrix,
+ /{usr/,}bin/locale mrix,
+ /usr/lib/postgresql/*/bin/initdb mrix,
+ /usr/lib/postgresql/*/bin/pg_ctl mrix,
+ /usr/lib/postgresql/*/bin/postgres mrix,
+ /usr/share/postgresql/** r,
+ owner /dev/shm/PostgreSQL.* rw,
+ owner @{HOME}/.local/share/akonadi/** rwlk,
+ owner @{HOME}/.local/share/akonadi/db_data/** l,
+}
diff --git a/apparmor/usr.bin.akonadiserver b/apparmor/usr.bin.akonadiserver
new file mode 100644
--- /dev/null
+++ b/apparmor/usr.bin.akonadiserver
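Review bot: `owner @{HOME}/.local/share/akonadi/db_data/** l,` is dead: the rule above it, `owner @{HOME}/.local/share/akonadi/** rwlk,`, already matches everything under `db_data/` and already grants `l`, so the narrower rule never adds anything. Either drop it or, if the intent was that only `db_data` may create links, remove `l` from the broad rule so the permission is actually scoped. Unlike the mysqld profile, this one has no `signal` rules for `pg_ctl` stopping `postgres`; whether that is needed depends on the `#include`d abstractions, whose targets are not visible in this rendering, so please verify a clean `pg_ctl stop` under enforce mode. A header comment such as `# Confines the per-user PostgreSQL instance that akonadiserver spawns (initdb, pg_ctl, postgres)` would also help the next reader.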
@@ -0,0 +1,42 @@
+#include
+
+/usr/bin/akonadiserver {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal send set=kill peer=mysqld_akonadi,
+ signal send set=term peer=mysqld_akonadi,
+
+ /etc/xdg/** r,
+ /usr/bin/akonadiserver mr,
+ /usr/bin/mysql_install_db PUx -> mysqld_akonadi,
+ /usr/bin/mysqladmin PUx -> mysqld_akonadi,
+ /usr/bin/mysqlcheck PUx -> mysqld_akonadi,
+ /usr/lib/postgresql/*/bin/initdb PUx -> postgresql_akonadi,
+ /usr/lib/postgresql/*/bin/pg_ctl PUx -> postgresql_akonadi,
+ /usr/sbin/mysqld PUx -> mysqld_akonadi,
+ /usr/share/mime/mime.cache r,
+ /usr/share/mime/packages/ r,
+ /usr/share/mime/types r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{HOME}/.local/share/mime/mime.cache r,
+ owner @{HOME}/.local/share/mime/packages/ r,
+ owner @{HOME}/.local/share/mime/types r,
+ owner @{HOME}/.config/* r,
+ owner @{HOME}/.config/QtProject/qtlogging.ini r,
+ owner @{HOME}/.config/akonadi* rw,
+ owner @{HOME}/.config/akonadi/ rw,
+ owner @{HOME}/.config/akonadi/* rwl,
+ owner @{HOME}/.config/akonadi/akonadiconnectionrc wl,
+ owner @{HOME}/.config/akonadi/akonadiconnectionrc.lock rwk,
+ owner @{HOME}/.config/akonadi/akonadiserverrc.lock rwk,
+ owner @{HOME}/.local/share/akonadi/ rw,
+ owner @{HOME}/.local/share/akonadi/* rwlk,
+ owner @{HOME}/.local/share/akonadi/** rwk,
+ owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/mounts r,
+}
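Review bot: The `PUx -> mysqld_akonadi` and `PUx -> postgresql_akonadi` exec rules fall back to running the database server fully unconfined whenever the named companion profile is not loaded (file absent, disabled, or failing to parse), and nothing in this hunk surfaces that fallback. If the companion profiles are a hard requirement, `Px -> mysqld_akonadi` (and likewise for the postgresql rules) makes the exec fail loudly instead of silently dropping confinement; if the fallback is deliberate, record it with `# PUx: run unconfined if the companion profiles are unavailable`. Separately, `owner @{HOME}/.config/* r` grants read on every top-level file in the user's config directory, wider than the specific `akonadi*` and `QtProject` rules below suggest is needed — if only a few files are read, list them. The attachment path `/usr/bin/akonadiserver` is fixed, so the profile will not apply to a build installed under another prefix.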