Support more distributions in the AppArmor profiles
Closed, Public

Authored by nl6720 on Dec 13 2019, 7:51 PM.

Details

Summary

This fixes Akonadi on Arch Linux (and possibly others).

Changes to the AppArmor profiles:

  • Allow writing and locking /run/user/${uid}/akonadi, the database engine socket is stored there.
  • Add abstractions/consoles, needed for console output.

PostgreSQL specific:

  • Add bash (it is a common default shell).
  • Support /usr/bin/* paths for PostgreSQL binaries.
  • Support pg_upgrade.

MySQL specific:

  • Add bash (it is a common default shell).
  • Add /usr/bin/mysqld as a path for the MySQL daemon binary.
  • Add abstractions/openssl. When using MySQL, both akonadiserver and mysqld will try to read /etc/ssl/openssl.cnf.
  • Add /etc/my.cnf and /etc/my.cnf.d/, on Arch Linux the my.cnf configuration is stored there.

Test Plan

akonadictl start on a system with active AppArmor and loaded profiles.

Diff Detail

Repository: R165 Akonadi
Lint: Automatic diff as part of commit; lint not applicable.
Unit: Automatic diff as part of commit; unit tests not applicable.

nl6720 created this revision. Dec 13 2019, 7:51 PM
Restricted Application added a subscriber: kde-pim. Dec 13 2019, 7:51 PM
nl6720 requested review of this revision. Dec 13 2019, 7:51 PM
nl6720 added a comment (edited). Dec 13 2019, 7:56 PM

This is not exactly finished.

  • pg_upgrade is untested,
  • one issue still remains: apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=23663 comm="postgres" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000.

PID 23663 is /usr/bin/postgres -D /home/username/.local/share/akonadi/db_data -k/run/user/1000/akonadi/default -h.

@knauss, @jriddell Could you guys take a look and maybe help @nl6720? I have no clue about AppArmor :)

nl6720 updated this revision to Diff 71762. Dec 18 2019, 9:19 AM

Support pg_upgrade.

nl6720 updated this revision to Diff 71766. Dec 18 2019, 10:04 AM
nl6720 added a subscriber: arojas.

Fix mysqld_akonadi.

Despite some remaining DENIED messages, Akonadi starts and runs.

  • I tested that KMail works using Akonadi with PostgreSQL.
  • For MySQL, I just confirmed that akonadiserver runs.

nl6720 edited the summary of this revision. Dec 18 2019, 10:07 AM

Some small issues.

apparmor/postgresql_akonadi, line 28:

Missing /opt/pqsql*/ option.

apparmor/postgresql_akonadi, line 29:

Is this really needed? Because we don't have a usr/** equivalent.

apparmor/usr.bin.akonadiserver, line 32:

What translations are accessed?

nl6720 added inline comments. Dec 24 2019, 7:02 PM

apparmor/postgresql_akonadi, line 28:

Not needed. The old version of pg_upgrade should not be used for upgrading (and Akonadi doesn't use it).

apparmor/postgresql_akonadi, line 29:

The equivalent of /usr/* is covered by abstractions/base (/{usr/,}lib{,32,64}/** r, and similar).
Arch Linux packages the old version of PostgreSQL in /opt/. See https://www.archlinux.org/packages/extra/x86_64/postgresql-old-upgrade/files/ .

apparmor/usr.bin.akonadiserver, line 32:

audit: type=1400 audit(1576225757.446:328): apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/usr/share/qt/translations/qt_en.qm" pid=4465 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

And another one just like this, but for my language.
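
An added example, not part of the original review or of the Akonadi code: a small Python triage script for DENIED records like the two quoted in the comments above, separating denials that name a path from "disconnected path" denials that do not. The function names are hypothetical, and the hex-decoding branch covers names the audit subsystem logs unquoted, a case that does not appear on this page.

```python
import re
from collections import defaultdict

# The two DENIED records quoted in the comments above (sentence-final period dropped).
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=23663 comm="postgres" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
audit: type=1400 audit(1576225757.446:328): apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/usr/share/qt/translations/qt_en.qm" pid=4465 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # Unquoted names are hex-encoded by the audit subsystem (e.g. paths with spaces).
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields if fields.get("apparmor") == "DENIED" else None


def triage(log_text):
    """Return ({profile: {(path, denied_mask)}}, [records that carry no path])."""
    by_profile, pathless = defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        if rec.get("name"):
            by_profile[rec.get("profile", "?")].add((rec["name"], rec.get("denied_mask", "")))
        else:
            # name="" (as in the disconnected-path record): no path to write a rule for.
            pathless.append((rec.get("profile"), rec.get("operation"), rec.get("info")))
    return dict(by_profile), pathless


if __name__ == "__main__":
    paths, pathless = triage(SAMPLE_LOG)
    for profile, hits in sorted(paths.items()):
        for path, mask in sorted(hits):
            print(f"{profile}: denied '{mask}' on {path}")
    for profile, op, info in pathless:
        print(f"{profile}: {op} denied without a path ({info})")
```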

knauss accepted this revision. Dec 25 2019, 2:11 AM

Thanks for your patch!
Now I understand everything of your patch and it can be applied.

@nl6720: You still don't have commit access, so I need to land it for you?
With these data from your side?
https://phabricator.kde.org/D22154#488686

This revision is now accepted and ready to land. Dec 25 2019, 2:11 AM

> @nl6720: You still don't have commit access, so I need to land it for you?
> With these data from your side?
> https://phabricator.kde.org/D22154#488686

Yes, that's correct.

This revision was automatically updated to reflect the committed changes.