diff --git a/apparmor/mysqld_akonadi b/apparmor/mysqld_akonadi
index c769d87ac..224b5b083 100644
--- a/apparmor/mysqld_akonadi
+++ b/apparmor/mysqld_akonadi
@@ -1,33 +1,39 @@
 #include
 @{xdg_data_home}=@{HOME}/.local/share
 profile mysqld_akonadi {
 #include
+ #include
+ #include
 #include
+ #include
 #include
 capability setgid,
 capability setuid,
 signal receive set=kill peer=/usr/bin/akonadiserver,
 signal receive set=term peer=/usr/bin/akonadiserver,
 /etc/mysql/ r,
 /etc/mysql/** r,
+ /etc/my.cnf{,.d/**} r,
 @{sys}/devices/system/cpu/ r,
+ /{usr/,}bin/{b,d}ash mrix,
 /{usr/,}bin/cat mrix,
 /{usr/,}bin/chmod mrix,
 /{usr/,}bin/dirname mrix,
 /{usr/,}bin/hostname mrix,
 /{usr/,}bin/mkdir mrix,
 /{usr/,}bin/sed mrix,
 /usr/bin/my_print_defaults mrix,
 /usr/bin/mysql_install_db mrix,
 /usr/bin/mysqladmin mrix,
 /usr/bin/mysqlcheck mrix,
- /usr/sbin/mysqld mrix,
+ /usr/{,s}bin/mysqld mrix,
 /usr/share/mysql/** r,
 owner @{xdg_data_home}/akonadi/** rwk,
 owner @{PROC}/@{pid}/loginuid r,
+ owner /{,var/}run/user/@{uid}/akonadi** rwk,
 }
diff --git a/apparmor/postgresql_akonadi b/apparmor/postgresql_akonadi
index 399220419..e5f771264 100644
--- a/apparmor/postgresql_akonadi
+++ b/apparmor/postgresql_akonadi
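Review bot: The new runtime-directory rule `owner /{,var/}run/user/@{uid}/akonadi** rwk,` has no path separator before `**`, so it matches every entry in the user's runtime directory whose name merely starts with `akonadi`, not only the Akonadi directory and its contents. If the server only uses the `akonadi/` directory there (not visible from this diff), the pair `owner /{,var/}run/user/@{uid}/akonadi/ rw,` and `owner /{,var/}run/user/@{uid}/akonadi/** rwk,` grants the needed access with a tighter match. The identical rule is added in the postgresql_akonadi and usr.bin.akonadiserver hunks, so the same change applies there.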
@@ -1,22 +1,38 @@
 #include
 @{xdg_data_home}=@{HOME}/.local/share
 profile postgresql_akonadi {
 #include
+ #include
+ #include
+ #include
 #include
 capability setgid,
 capability setuid,
 /etc/passwd r,
- /{usr/,}bin/dash mrix,
+ /{usr/,}bin/{b,d}ash mrix,
 /{usr/,}bin/locale mrix,
- /usr/lib/postgresql/*/bin/initdb mrix,
- /usr/lib/postgresql/*/bin/pg_ctl mrix,
- /usr/lib/postgresql/*/bin/postgres mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
 /usr/share/postgresql/** r,
 owner /dev/shm/PostgreSQL.* rw,
 owner @{xdg_data_home}/akonadi/** rwlk,
 owner @{xdg_data_home}/akonadi/db_data/** l,
+ owner /{,var/}run/user/@{uid}/akonadi** rwk,
+
+ # pg_upgrade
+ /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
+ /opt/pgsql*/** mr,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
+ /{usr/,}bin/cp mrix,
 }
diff --git a/apparmor/usr.bin.akonadiserver b/apparmor/usr.bin.akonadiserver
index 7acaa067a..697d31519 100644
--- a/apparmor/usr.bin.akonadiserver
+++ b/apparmor/usr.bin.akonadiserver
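Review bot: `/opt/pgsql*/** mr,` in the pg_upgrade group lets every process confined by this profile read and map as executable any file under any `/opt/pgsql*` tree, which is far wider than the per-binary `opt/pgsql*/bin/...` rules beside it. If the upgrade only needs the old installation's libraries and shared data, scope the rule to those subtrees, for example `/opt/pgsql*/{lib,share}/** mr,` (directory names assumed; confirm against the actual install layout). A one-line comment saying which upgrade step reads from `/opt` would also help, since `pg_upgrade` itself is not allowed to run from `opt/pgsql*/bin` here.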
@@ -1,46 +1,53 @@
 #include
 @{xdg_data_home}=@{HOME}/.local/share
 @{xdg_config_home}=@{HOME}/.config
 /usr/bin/akonadiserver {
 #include
+ #include
 #include
 #include
+ #include
 #include
 #include
 signal send set=kill peer=mysqld_akonadi,
 signal send set=term peer=mysqld_akonadi,
 /etc/xdg/** r,
 /usr/bin/akonadiserver mr,
 /usr/bin/mysql_install_db PUx -> mysqld_akonadi,
 /usr/bin/mysqladmin PUx -> mysqld_akonadi,
 /usr/bin/mysqlcheck PUx -> mysqld_akonadi,
- /usr/lib/postgresql/*/bin/initdb PUx -> postgresql_akonadi,
- /usr/lib/postgresql/*/bin/pg_ctl PUx -> postgresql_akonadi,
+ /usr/{,s}bin/mysqld PUx -> mysqld_akonadi,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb PUx -> postgresql_akonadi,
+ /{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl PUx -> postgresql_akonadi,
+ /{usr/,usr/lib/postgresql/*/}bin/pg_upgrade PUx -> postgresql_akonadi,
 /usr/sbin/mysqld PUx -> mysqld_akonadi,
 /usr/share/mime/mime.cache r,
 /usr/share/mime/packages/ r,
 /usr/share/mime/types r,
+ /usr/share/qt/translations/* r,
 @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/random/boot_id r,
 owner @{xdg_config_home}/* r,
 owner @{xdg_config_home}/akonadi* rw,
 owner @{xdg_config_home}/QtProject/qtlogging.ini r,
 owner @{xdg_config_home}/akonadi/ rw,
 owner @{xdg_config_home}/akonadi/* rwl,
 owner @{xdg_config_home}/akonadi/akonadiconnectionrc wl,
 owner @{xdg_config_home}/akonadi/akonadiconnectionrc.lock rwk,
 owner @{xdg_config_home}/akonadi/akonadiserverrc.lock rwk,
 owner @{xdg_data_home}/mime/mime.cache r,
 owner @{xdg_data_home}/mime/packages/ r,
 owner @{xdg_data_home}/mime/types r,
 owner @{xdg_data_home}/akonadi/ rw,
 owner @{xdg_data_home}/akonadi/* rwlk,
 owner @{xdg_data_home}/akonadi/** rwk,
 owner @{PROC}/@{pid}/loginuid r,
 owner @{PROC}/@{pid}/mounts r,
+ owner /{,var/}run/user/@{uid}/akonadi** rwk,
+ owner /tmp/#[0-9]* m,
 }
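Review bot: `owner /tmp/#[0-9]* m,` permits executable mappings of files in /tmp and carries no explanation. The pattern looks like the name AppArmor reports for unlinked temporary files, but the diff does not say which component needs to map them. Add a comment above the rule such as `# unlinked temp files mapped by <component - confirm>`, so the permission can be dropped once it is no longer needed. Separately, the added `/usr/{,s}bin/mysqld PUx -> mysqld_akonadi,` already covers the unchanged `/usr/sbin/mysqld PUx -> mysqld_akonadi,` a few lines below, which can be removed as was done in the mysqld_akonadi profile.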