[apparmor] [patch] Update mlmmj profiles

Seth Arnold seth.arnold at canonical.com
Mon Nov 7 19:49:46 UTC 2016


On Mon, Nov 07, 2016 at 06:09:46PM +0100, Christian Boltz wrote:
> Hello,
> 
> this patch updates the mlmmj profiles in the extras directory to the
> profiles that are used on lists.opensuse.org now. Besides adding lots
> of trailing slashes for directories, several permissions were added.
> Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
> mlmmj-recieve to fix a typo.
> 
> These profiles were provided by Per Jessen.
> 
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
> 
> 
> I propose this patch for trunk, 2.10 and 2.9.
> 
> In trunk, I'd also like to delete the mlmmj-recieve profile (for the
> misnamed binary), but I tend to keep it in 2.10 and 2.9 to avoid
> regressions.

I can see that these patches took a fair amount of back-and-forth
development already so I'm disinclined to suggest further changes before
they are merged, but...

1) Per Jessen did a huge amount of work on these and probably ought to
have a copyright line, or update suse's copyright lines.

2) All the executables will need 'm' access when run on kernels that have
9f834ec18defc369d73ccf9e87a2790bfa05bf46 integrated.

3) I'd suggest not deleting the mlmmj-recieve for a year or two. Who knows
how long it will be before the old name is removed everywhere.

So,
Acked-by: Seth Arnold <seth.arnold at canonical.com>
for all three branches, with or without these suggested changes as you see
fit.

Thanks

> 
> [ mlmmj.diff ]
> 
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce      2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce      2016-11-07 16:49:35 +0000
> @@ -16,7 +16,24 @@
>  
>    /usr/bin/mlmmj-bounce r,
>    /usr/bin/mlmmj-send Px,
> +  /usr/bin/mlmmj-maintd Px,
> +  /var/spool/mlmmj/*/subscribers.d/ r,
> +  /var/spool/mlmmj/*/subscribers.d/* r,
> +  /var/spool/mlmmj/*/subconf rwl, #
>    /var/spool/mlmmj/*/subconf/* rwl,
> +  /var/spool/mlmmj/*/queue rwl, #
>    /var/spool/mlmmj/*/queue/* rwl,
> -
> +  /var/spool/mlmmj/*/bounce/ rwl,
> +
> +  /var/spool/mlmmj/*/nomailsubs.d/  r,
> +  /var/spool/mlmmj/*/nomailsubs.d/* r,
> +  /var/spool/mlmmj/*/digesters.d/  r,
> +  /var/spool/mlmmj/*/digesters.d/* r,
> +
> +  /var/spool/mlmmj/*/bounce/* rw,
> +
> +  /var/spool/mlmmj/*/unsubconf/* w,
> +
> +  /usr/share/mlmmj/text.skel/*/* r,
> +  /var/spool/mlmmj/*/control/*  r,
>  }
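Review bot: The added rules `/var/spool/mlmmj/*/subconf rwl, #` and `/var/spool/mlmmj/*/queue rwl, #` have no trailing slash, so they match a file of that name rather than the directory, unlike the `subscribers.d/` and `bounce/` rules added beside them. If the directories are meant, the paths should be `/var/spool/mlmmj/*/subconf/` and `/var/spool/mlmmj/*/queue/`. The trailing `#` looks like a leftover marker and should either be dropped or turned into a real comment. `/var/spool/mlmmj/* r, #` in usr.bin.mlmmj-maintd has the same shape and would need `/var/spool/mlmmj/*/ r,` to cover the per-list directories. The start of the profile is outside this hunk.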
> 
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd      2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd      2016-11-07 16:49:47 +0000
> @@ -18,19 +18,34 @@
>  
>    /usr/bin/mlmmj-maintd r,
>    /usr/bin/mlmmj-send Px,
> +  /usr/bin/mlmmj-bounce Px,
> +  /usr/bin/mlmmj-unsub Px,
>  
> -  /var/spool/mlmmj r,
> -  /var/spool/mlmmj/*/bounce r,
> +  /var/spool/mlmmj/ r,
> +  /var/spool/mlmmj/* r, #
> +  /var/spool/mlmmj/*/bounce/ r,
> +  /var/spool/mlmmj/*/bounce/* rw,
>    /var/spool/mlmmj/*/index r,
> -  /var/spool/mlmmj/*/lastdigest rw,
> +  /var/spool/mlmmj/*/lastdigest rwk,
>    /var/spool/mlmmj/*/maintdlog-* lrw,
>    /var/spool/mlmmj/*/mlmmj-maintd.lastrun.log w,
> -  /var/spool/mlmmj/*/moderation r,
> +  /var/spool/mlmmj/*/moderation/ r,
> +  /var/spool/mlmmj/*/moderation/* w,
> +  /var/spool/mlmmj/*/archive/ r,
>    /var/spool/mlmmj/*/archive/* r,
> +  /var/spool/mlmmj/*/control/ r,
>    /var/spool/mlmmj/*/control/* r,
> -  /var/spool/mlmmj/*/queue r,
> -  /var/spool/mlmmj/*/queue/* rwl,
> -  /var/spool/mlmmj/*/requeue r,
> -  /var/spool/mlmmj/*/subconf r,
> -  /var/spool/mlmmj/*/unsubconf r,
> +  /var/spool/mlmmj/*/queue/ r,
> +  /var/spool/mlmmj/*/queue/** rwl,
> +  /var/spool/mlmmj/*/requeue/ r,
> +  /var/spool/mlmmj/*/requeue/* rw,
> +  /var/spool/mlmmj/*/requeue/*/ rw,
> +  /var/spool/mlmmj/*/subconf/ r,
> +  /var/spool/mlmmj/*/subconf/* rw,
> +  /var/spool/mlmmj/*/unsubconf/ r,
> +  /var/spool/mlmmj/*/unsubconf/* rw,
> +
> +  /usr/share/mlmmj/text.skel/*/digest r,
> +  /var/spool/mlmmj/*/mlmmj.operation.log rwk,
> +
>  }
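Review bot: `/var/spool/mlmmj/*/queue/** rwl,` replaces the one-level `queue/*` rule with a recursive glob, so mlmmj-maintd may now write and hard-link at any depth below each list's queue directory. If only one level of subdirectory is needed (an assumption; the patch does not show which paths were denied), `/var/spool/mlmmj/*/queue/{*,*/*} rwl,` would be narrower. Either way, a comment naming the subdirectory that required the change would help the next reviewer. The same widening is made in usr.bin.mlmmj-process.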
> 
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-process'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-process     2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-process     2016-11-07 16:50:03 +0000
> @@ -19,11 +19,27 @@
>    /usr/bin/mlmmj-sub Px,
>    /usr/bin/mlmmj-unsub Px,
>    /usr/bin/mlmmj-bounce Px,
> +  # skeleton data
> +  /usr/share/mlmmj/text.skel/ r,
> +  /usr/share/mlmmj/text.skel/*/* r,
> +
>    /var/spool/mlmmj/*/control/* r,
>    /var/spool/mlmmj/*/text/* r,
>    /var/spool/mlmmj/*/incoming/* rwl,
> -  /var/spool/mlmmj/*/queue/* rwl,
> +  /var/spool/mlmmj/*/queue/** rwl,
>    /var/spool/mlmmj/*/subconf/* rwl,
>    /var/spool/mlmmj/*/unsubconf/* rwl,
> -  /var/spool/mlmmj/*/mlmmj.operation.log rw,
> +  /var/spool/mlmmj/*/mlmmj.operation.log rwk,
> +  /var/spool/mlmmj/*/mlmmj.operation.log.rotated w,
> +
> +  /var/spool/mlmmj/*/nomailsubs.d/ r,
> +  /var/spool/mlmmj/*/nomailsubs.d/* r,
> +  /var/spool/mlmmj/*/subscribers.d/ r,
> +  /var/spool/mlmmj/*/subscribers.d/* r,
> +  /var/spool/mlmmj/*/digesters.d/ r,
> +  /var/spool/mlmmj/*/digesters.d/* r,
> +
> +  /var/spool/mlmmj/*/moderation/* rw,
> +  /etc/mlmmj/text/*/* r,
> +
>  }
> 
> === added file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive     1970-01-01 00:00:00 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive     2016-11-07 16:50:13 +0000
> @@ -0,0 +1,21 @@
> +# ------------------------------------------------------------------
> +#
> +#    Copyright (C) 2002-2005 Novell/SUSE
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim:syntax=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/bin/mlmmj-receive {
> +  #include <abstractions/base>
> +
> +  /usr/bin/mlmmj-process Px,
> +  /usr/bin/mlmmj-receive r,
> +  /var/spool/mlmmj/*/incoming/ rw,
> +  /var/spool/mlmmj/*/incoming/* rw,
> +}
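Review bot: The new profile has no comment saying why it exists alongside the profile for the misspelled `mlmmj-recieve` binary, so a later rule change could easily be applied to only one of the two. A header line such as `# Same rules as usr.bin.mlmmj-recieve (old upstream spelling); keep both in sync.` would document that. This assumes the two rule sets are meant to be identical, which the patch does not show.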
> 
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-send'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-send        2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-send        2016-11-07 16:53:17 +0000
> @@ -18,8 +18,13 @@
>    /usr/bin/mlmmj-send r,
>    /var/spool/mlmmj/*/archive/* w,
>    /var/spool/mlmmj/*/control/* r,
> -  /var/spool/mlmmj/*/index rw,
> -  /var/spool/mlmmj/*/queue/* lrw,
> -  /var/spool/mlmmj/*/subscribers.d r,
> +  /var/spool/mlmmj/*/index rwk,
> +  /var/spool/mlmmj/*/queue/* klrw,
> +  /var/spool/mlmmj/*/subscribers.d/ r,
>    /var/spool/mlmmj/*/subscribers.d/* r,
> +
> +  /var/spool/mlmmj/*/digesters.d/ r,
> +
> +  /var/spool/mlmmj/*/moderation/* rwk,
> +
>  }
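Review bot: `/var/spool/mlmmj/*/digesters.d/ r,` lets mlmmj-send list the directory, but no rule covers the files inside it, whereas `subscribers.d` has both the directory rule and `subscribers.d/* r,`. If mlmmj-send reads the digest subscriber files (likely, but not shown here), add `/var/spool/mlmmj/*/digesters.d/* r,`. The bounce and process profiles in this patch already pair the two rules. The profile header is outside this hunk.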
> 
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-07 16:56:10 +0000
> @@ -18,11 +18,23 @@
>  
>    /usr/bin/mlmmj-send Px,
>    /usr/bin/mlmmj-sub r,
> +  /var/spool/mlmmj/*/control/ r,
>    /var/spool/mlmmj/*/control/* r,
> -  /var/spool/mlmmj/*/queue/* w,
> -  /var/spool/mlmmj/*/subconf/* w,
> -  /var/spool/mlmmj/*/subscribers.d rw,
> -  /var/spool/mlmmj/*/subscribers.d/* rw,
> -  /var/spool/mlmmj/*/subscribers.d/.d.lock lw,
> +  /var/spool/mlmmj/*/queue/ rw,
> +  /var/spool/mlmmj/*/queue/* rw,
> +  /var/spool/mlmmj/*/subconf/ rw,
> +  /var/spool/mlmmj/*/subconf/* rw,
> +  /var/spool/mlmmj/*/subscribers.d/ rw,
> +  /var/spool/mlmmj/*/subscribers.d/* rwk,
> +  /var/spool/mlmmj/*/text/ r, #
>    /var/spool/mlmmj/*/text/* r,
> +
> +  /usr/share/mlmmj/text.skel/*/* r,
> +
> +  /var/spool/mlmmj/*/nomailsubs.d/ rw,
> +  /var/spool/mlmmj/*/nomailsubs.d/* rwk,
> +
> +  /var/spool/mlmmj/*/digesters.d/ rw,
> +  /var/spool/mlmmj/*/digesters.d/* rwk,
> +
>  }
> 
> === modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub'
> --- profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub       2010-12-20 20:29:10 +0000
> +++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub       2016-11-07 16:50:52 +0000
> @@ -16,12 +16,25 @@
>  
>    /usr/bin/mlmmj-unsub r,
>    /usr/bin/mlmmj-send Px,
> +  /var/spool/mlmmj/*/control/ r,
>    /var/spool/mlmmj/*/control/* r,
> +  /var/spool/mlmmj/*/text/ r,
>    /var/spool/mlmmj/*/text/* r,
> -  /var/spool/mlmmj/*/subscribers.d r,
> -  /var/spool/mlmmj/*/subscribers.d/* r,
>  
> +  /var/spool/mlmmj/*/queue/ rwl,
>    /var/spool/mlmmj/*/queue/* rwl,
> +  /var/spool/mlmmj/*/unsubconf/ rwl,
>    /var/spool/mlmmj/*/unsubconf/* rwl,
> -  /var/spool/mlmmj/*/subscribers.d/* rwl,
> +  /var/spool/mlmmj/*/subscribers.d/ rw,
> +  /var/spool/mlmmj/*/subscribers.d/* rwk,
> +
> +  /var/spool/mlmmj/*/nomailsubs.d/ rw,
> +  /var/spool/mlmmj/*/nomailsubs.d/* rwk,
> +
> +  /var/spool/mlmmj/*/digesters.d/ rw,
> +  /var/spool/mlmmj/*/digesters.d/* rwk,
> +
> +  /usr/share/mlmmj/text.skel/*/* r,
> +  /etc/mlmmj/text/*/finish r,
> +
>  }
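Review bot: The directory rules `/var/spool/mlmmj/*/queue/ rwl,` and `/var/spool/mlmmj/*/unsubconf/ rwl,` grant link permission on a directory path, which cannot be the target of a hard link. As far as I can tell the `l` therefore adds nothing and only makes the rule read broader than it is. Writing them as `/var/spool/mlmmj/*/queue/ rw,` and `/var/spool/mlmmj/*/unsubconf/ rw,` would match the `subscribers.d/ rw,` rule a few lines below. `/var/spool/mlmmj/*/bounce/ rwl,` in usr.bin.mlmmj-bounce follows the same pattern.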
> 