diff --git a/CMakeLists.txt b/CMakeLists.txt
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -140,6 +140,7 @@
 option(AKONADI_BUILD_QSQLITE "Build the Sqlite backend." TRUE)
 option(BUILD_TOOLS "Build and install tools for development and testing purposes." TRUE)
 option(NO_REGENERATE_MIME "Don't regenerate mime file (developer-only option)" FALSE )
+option(NO_INSTALL_APPARMOR "Don't install AppArmor profiles" FALSE)
 
 if(BUILD_TESTING)
 set(BUILD_TOOLS TRUE)
@@ -315,6 +316,9 @@
 add_subdirectory(tests)
 endif()
 
+if(NOT NO_INSTALL_APPARMOR)
+ add_subdirectory(apparmor)
+endif()
 
 ############### install stuff ###############
diff --git a/apparmor/CMakeLists.txt b/apparmor/CMakeLists.txt
new file mode 100644
--- /dev/null
+++ b/apparmor/CMakeLists.txt
@@ -0,0 +1,2 @@
+
+install(FILES usr.bin.akonadiserver mysqld_akonadi postgresql_akonadi DESTINATION ${KDE_INSTALL_SYSCONFDIR}/apparmor.d)
diff --git a/apparmor/mysqld_akonadi b/apparmor/mysqld_akonadi
new file mode 100644
--- /dev/null
+++ b/apparmor/mysqld_akonadi
@@ -0,0 +1,32 @@
+# Last Modified: Sun Sep 22 11:22:17 2019
+#include
+
+profile mysqld_akonadi {
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=kill peer=/usr/bin/akonadiserver,
+ signal receive set=term peer=/usr/bin/akonadiserver,
+
+ /etc/mysql/ r,
+ /etc/mysql/** r,
+ @{sys}/devices/system/cpu/ r,
+ /usr/bin/cat mrix,
+ /usr/bin/chmod mrix,
+ /usr/bin/dirname mrix,
+ /usr/bin/hostname mrix,
+ /usr/bin/mkdir mrix,
+ /usr/bin/my_print_defaults mrix,
+ /usr/bin/mysql_install_db mrix,
+ /usr/bin/mysqladmin mrix,
+ /usr/bin/mysqlcheck mrix,
+ /usr/bin/sed mrix,
+ /usr/sbin/mysqld mrix,
+ /usr/share/mysql/** r,
+ owner @{HOME}/.local/share/akonadi/** rwk,
+ owner @{PROC}/@{pid}/loginuid r,
+}
diff --git a/apparmor/postgresql_akonadi b/apparmor/postgresql_akonadi
new file mode 100644
--- /dev/null
+++ b/apparmor/postgresql_akonadi
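Review bot: The new `if(NOT NO_INSTALL_APPARMOR)` block gates only on the option, not on the platform, so a build on any non-Linux host (or a Linux host without AppArmor) still descends into `apparmor/` and installs profiles under `${KDE_INSTALL_SYSCONFDIR}/apparmor.d`. AppArmor is a Linux LSM, so the guard should read `if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND NOT NO_INSTALL_APPARMOR)`. The stray files are harmless for confinement, but every non-Linux packager then has to exclude them by hand.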
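Review bot: The destination `${KDE_INSTALL_SYSCONFDIR}/apparmor.d` follows the install prefix, but the AppArmor service by default only parses profiles in /etc/apparmor.d, so a build with a prefix other than /usr (e.g. /usr/local, giving /usr/local/etc/apparmor.d) installs three profiles that are never loaded and akonadiserver runs unconfined with no warning. Consider an overridable path plus a visible notice, `set(AKONADI_APPARMOR_DIR "${KDE_INSTALL_SYSCONFDIR}/apparmor.d" CACHE PATH "Directory for AppArmor profiles")` and `message(STATUS "AppArmor profiles will be installed to ${AKONADI_APPARMOR_DIR}")`, so the mismatch shows up at configure time. The leading blank line in the new file can also go.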
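Review bot: `mysqld_akonadi` lists `cat`, `chmod`, `dirname`, `sed` and `mysql_install_db` with `ix` but no shell: on distributions where `mysql_install_db` is a shell script (MariaDB ships it as one), the interpreter in its shebang is executed inside this profile and, without a rule such as `/{usr/,}bin/{sh,dash,bash} mrix,`, the `Px` transition from akonadiserver is denied before any of those helpers run; the sibling `postgresql_akonadi` profile does carry `/usr/bin/dash mrix,` for exactly this. The `capability setuid,`/`capability setgid,` grants also deserve a second look, since this mysqld runs as the desktop user against `@{HOME}/.local/share/akonadi` and mysqld normally only switches uid/gid when started as root, so if these came from an aa-logprof run rather than a confirmed denial they can probably be dropped. The `#include` lines show no target in this rendering, so I cannot tell which abstractions are pulled in.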
@@ -0,0 +1,21 @@
+# Last Modified: Sun Sep 22 11:13:12 2019
+#include
+
+profile postgresql_akonadi {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ /etc/passwd r,
+ /usr/bin/dash mrix,
+ /usr/bin/locale mrix,
+ /usr/lib/postgresql/*/bin/initdb mrix,
+ /usr/lib/postgresql/*/bin/pg_ctl mrix,
+ /usr/lib/postgresql/*/bin/postgres mrix,
+ /usr/share/postgresql/** r,
+ owner /dev/shm/PostgreSQL.* rw,
+ owner @{HOME}/.local/share/akonadi/** rwlk,
+ owner @{HOME}/.local/share/akonadi/db_data/** l,
+}
diff --git a/apparmor/usr.bin.akonadiserver b/apparmor/usr.bin.akonadiserver
new file mode 100644
--- /dev/null
+++ b/apparmor/usr.bin.akonadiserver
@@ -0,0 +1,36 @@
+# Last Modified: Sun Sep 22 11:30:16 2019
+#include
+
+/usr/bin/akonadiserver {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ signal send set=kill peer=mysqld_akonadi,
+ signal send set=term peer=mysqld_akonadi,
+
+ /etc/xdg/** r,
+ /usr/bin/akonadiserver mr,
+ /usr/bin/mysql_install_db Px -> mysqld_akonadi,
+ /usr/bin/mysqladmin Px -> mysqld_akonadi,
+ /usr/bin/mysqlcheck Px -> mysqld_akonadi,
+ /usr/lib/postgresql/*/bin/initdb Px -> postgresql_akonadi,
+ /usr/lib/postgresql/*/bin/pg_ctl Px -> postgresql_akonadi,
+ /usr/sbin/mysqld Px -> mysqld_akonadi,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{HOME}/.config/* r,
+ owner @{HOME}/.config/QtProject/qtlogging.ini r,
+ owner @{HOME}/.config/akonadi/ rw,
+ owner @{HOME}/.config/akonadi/* rwl,
+ owner @{HOME}/.config/akonadi/akonadiconnectionrc wl,
+ owner @{HOME}/.config/akonadi/akonadiconnectionrc.lock rwk,
+ owner @{HOME}/.config/akonadi/akonadiserverrc.lock rwk,
+ owner @{HOME}/.local/share/akonadi/ rw,
+ owner @{HOME}/.local/share/akonadi/* rwlk,
+ owner @{HOME}/.local/share/akonadi/** rwk,
+ owner @{PROC}/@{pid}/loginuid r,
+ owner @{PROC}/@{pid}/mounts r,
+}
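Review bot: The rule `owner @{HOME}/.local/share/akonadi/db_data/** l,` is fully covered by the preceding `owner @{HOME}/.local/share/akonadi/** rwlk,` (the `**` glob already matches everything under `db_data/` and grants `l`), so it can be dropped. The executable paths are Debian/Ubuntu-specific (`/usr/lib/postgresql/*/bin/...`, `/usr/bin/dash`); on layouts that ship `/usr/bin/initdb` and `/usr/bin/postgres` nothing in this profile matches, which matters because `usr.bin.akonadiserver` only transitions here for those exact paths. If the profiles are intentionally Debian-only, a one-line comment at the top of the file saying so would spare the next packager a confusing bug report.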
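Review bot: The attachment path `/usr/bin/akonadiserver {` and the `Px -> ...` targets are literal while the CMake side installs relative to `${KDE_INSTALL_SYSCONFDIR}`; with any other bindir the profile loads but attaches to nothing, and on distributions whose mysqld/initdb/pg_ctl live somewhere other than `/usr/sbin/mysqld` and `/usr/lib/postgresql/*/bin/` the exec matches no rule and is denied, so the server loses its database backend rather than merely running unconfined. Generating the file through `configure_file(usr.bin.akonadiserver.in ...)` with `@KDE_INSTALL_FULL_BINDIR@/akonadiserver {` fixes the attachment path; the backend paths need either per-distro alternation such as `/usr/{sbin,bin,libexec}/mysqld Px -> mysqld_akonadi,` or a header comment stating that the profiles target Debian-derived layouts. Separately, `owner @{HOME}/.config/* r,` reads every top-level file under ~/.config (any `*rc` stored there); if only a few known files are needed it could be narrowed to those names.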