Debian and Neon already use Apparmor to secure AkonadiServer, we should
join forces and move the AppArmor profile upstream so other Linux
distributions can take advantages of it.
Closes: #411792
Debian and Neon already use Apparmor to secure AkonadiServer, we should
join forces and move the AppArmor profile upstream so other Linux
distributions can take advantages of it.
Closes: #411792
run akonadi with AppArmor enabled.
No Linters Available |
No Unit Test Coverage |
Buildable 16437 | |
Build 16455: arc lint + arc unit |
CMakeLists.txt | ||
---|---|---|
355 | Should this be installed on on-apparmor distros? Could it be hidden behind a cmake option? |
cleanup and split AppArmor profile.
Intrigeri pointed out some guidelines for Apparmor profiles.
(thanks intrigeri)
apparmor/usr.bin.akonadiserver | ||
---|---|---|
5 | REMOVE flags=(complain), when Postgres and SQLite profiles are added! |
CMakeLists.txt | ||
---|---|---|
355 | Yes I think we need a cmake option. Also this is only to run with root permissions. |
CMakeLists.txt | ||
---|---|---|
355 | Well as a developer you do not run make install as root, but then you don't need to set the cmake option either, so no problem. If you are a packager, you are using make DESTDIR=.... install to install into a prefix that will be packaged, so that will not need root privileges either. |
CMakeLists.txt | ||
---|---|---|
355 | ${KDE_INSTALL_SYSCONFDIR}/apparmor.d |
I've tested now mysql, postgresql and sqlite backend made sure everything starts/shutdown.
Did you test on both Neon and plain Debian?
CMakeLists.txt | ||
---|---|---|
355 | The CMake option is still missing. I think I'd prefer a conditional add_subdirectory() instead of the install() here. |
tested only on plain Debian with a new installation. I added @jriddell to this Differential to test on Neon, but if @jriddell do not answer we will get the info if the AppArmor profiles are fine some days later, as Neon build the master master branch. Also feedback from other distributions will come in later.
CMakeLists.txt | ||
---|---|---|
143 | I would prefer this to be opt-in, rather than opt-out (and generally, options should be named positively (INSTALL_APPARMOR) |
CMakeLists.txt | ||
---|---|---|
143 | The default needs to be toggled to FALSE now to make it opt-in for packagers... :-) |
CMakeLists.txt | ||
---|---|---|
143 | The reason to opt-out instead of opt-in is, that it enhance security, so everyone who is using AppArmor should use it and having these files lying around don't harm anyone. But yes we can call it INSTALL_APPARMOR and make it as TRUE by default, that would do the same | |
143 | As I already said, I think it should be opt-out, because it is a security feature, so every one who supports should enable it! And for those that don't support AppArmor, those file don't hurt, they are just annoying. With the default TRUE, we treat packagers to install Akonadi as secure as possible. |
apparmor/mysqld_akonadi | ||
---|---|---|
31 | AppArmor has currently no support for XDG_DATA_HOME, so we can only use the default location for linux installation. This is properly a feature request on AppArmor. |
Ok, let's roll with it, then.
We have enough time to fixup stuff before 19.12, if needed.
apparmor/mysqld_akonadi | ||
---|---|---|
31 | The discussion about XDG dirs support in apparmor happened first 6 years ago...doesn't shine the best light on apparmor, then... :-( |
well this patch is published with 19.08.0. The bug in 411093 seems more like a downstream bug.