apparmor-config commit: Make apparmor suck less with dconf and OpenAFS
daemon@ATHENA.MIT.EDU (Jonathan D Reed)
Wed Jul 9 09:39:22 2014
Date: Wed, 9 Jul 2014 09:39:14 -0400
From: Jonathan D Reed <jdreed@MIT.EDU>
Message-Id: <201407091339.s69DdEQu009444@drugstore.mit.edu>
To: source-commits@MIT.EDU
https://github.com/mit-athena/apparmor-config/commit/a90ce9a10df028818a152d9d10ffd1a356265c10
commit a90ce9a10df028818a152d9d10ffd1a356265c10
Author: Jonathan Reed <jdreed@mit.edu>
Date: Mon Jul 7 14:37:48 2014 -0400
Make apparmor suck less with dconf and OpenAFS
- Allow unconditional read access to the OpenAFS cache, otherwise
hilarity ensues with OpenAFS thinking the server went away.
- Allow read/write access to ANY dconf profile, not just the upstream one
named "user"
debian/changelog | 11 +++++++++++
debian/rules | 6 ++++++
debian/transform_base.debathena | 7 +++++++
debian/transform_xdg-desktop.debathena | 14 +++++++++++++-
4 files changed, 37 insertions(+), 1 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2e43c92..3577e14 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+debathena-apparmor-config (1.2.9) unstable; urgency=low
+
+ * Further transform the xdg-desktop profile to allow access to dconf
+ profiles in /run/user or ~/.cache. Upstream only allows access to the
+ "user" profile. (Trac: #1505)
+ * Transform the 'base' abstraction to allow read access to the OpenAFS
+ cache, otherwise Evince will attempt to frob things in ~/.local/share,
+ fail, and then OpenAFS will think the volume vanished. (Trac: #1505)
+
+ -- Jonathan Reed <jdreed@mit.edu> Mon, 07 Jul 2014 14:36:48 -0400
+
debathena-apparmor-config (1.2.8) unstable; urgency=low
* Transform the xdg-desktop profile to take into account the fact that
diff --git a/debian/rules b/debian/rules
index 7fca2ab..20e0528 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,12 @@ else
DEB_UNDIVERT_FILES_debathena-apparmor-config += /etc/apparmor.d/abstractions/kerberosclient.debathena
endif
+ifneq ($(wildcard /etc/apparmor.d/abstractions/base),)
+ DEB_TRANSFORM_FILES_debathena-apparmor-config += /etc/apparmor.d/abstractions/base.debathena
+else
+ DEB_UNDIVERT_FILES_debathena-apparmor-config += /etc/apparmor.d/abstractions/base.debathena
+endif
+
ifneq ($(wildcard /etc/apparmor.d/abstractions/cups-client),)
DEB_TRANSFORM_FILES_debathena-apparmor-config += /etc/apparmor.d/abstractions/cups-client.debathena
else
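Review bot: The new `ifneq ($(wildcard /etc/apparmor.d/abstractions/base),)` block carries no comment saying why the `base` abstraction now needs a transform, and unlike the kerberosclient and cups-client blocks around it the reason is not guessable from the file name — a reader has to open debian/transform_base.debathena to learn it grants every confined profile read access to the OpenAFS cache. A one-line comment above the conditional would fix that: `# base: add read access to /var/cache/openafs for all profiles (Trac #1505); see debian/transform_base.debathena`. Note also that, like its siblings, the `$(wildcard …)` test is evaluated at parse time on the build host, so whether the package ends up shipping a transform or an undivert for base.debathena depends on which abstractions are installed where the package is built, not on the target system; that appears to be the established convention here rather than something this commit introduces. The conditional chain continues beyond the end of the hunk.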
diff --git a/debian/transform_base.debathena b/debian/transform_base.debathena
new file mode 100755
index 0000000..efd912c
--- /dev/null
+++ b/debian/transform_base.debathena
@@ -0,0 +1,7 @@
+#!/bin/sh
+cat
+echo
+cat <<EOF
+ # Allow anything to read from the openafs cache
+ /var/cache/openafs/** r,
+EOF
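Review bot: The heredoc on the `cat <<EOF` line is unquoted, so any `$` or backtick added to the emitted rules later would be expanded by the shell; the sibling transform in debian/transform_xdg-desktop.debathena already uses the quoted form (`<<'EOF'`) and this script should match it: `cat <<'EOF'`. The emitted comment `# Allow anything to read from the openafs cache` states what the rule does but not why it exists — the changelog explains that a failed read makes OpenAFS believe the volume vanished — so consider carrying that into the profile text, e.g. `# Allow read access to the OpenAFS cache: a denied read here makes OpenAFS think the volume went away (Trac #1505)`. Because this lands in the `base` abstraction, the `/var/cache/openafs/** r,` rule applies to every profile that includes it; AppArmor only narrows what DAC already permits, so the cache directory's own ownership and mode remain the effective boundary, but that breadth is worth stating in the comment too.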
diff --git a/debian/transform_xdg-desktop.debathena b/debian/transform_xdg-desktop.debathena
index 19eb9ef..e88bb7e 100755
--- a/debian/transform_xdg-desktop.debathena
+++ b/debian/transform_xdg-desktop.debathena
@@ -1,3 +1,15 @@
#!/usr/bin/perl -p0
s|^(\s*)owner \@\{HOME\}/.cache/\s+rw,$|$&\n$1owner /{,var/}run/athena-sessions/xdgcache-*/** rw,|m or die;
-s|$|\n\n # Allow access to dconf profiles and databases\n /etc/dconf/** r,\n| or die;
+END {
+ print <<'EOF'
+
+ # Allow access to dconf profiles and databases
+ /etc/dconf/** r,
+
+ # And runtime dconf profiles (in HOME or /run/user)
+ owner @{HOME}/.{cache,config}/dconf/ w,
+ owner @{HOME}/.{cache,config}/dconf/** rw,
+ owner /{,var/}run/user/*/dconf/ w,
+ owner /{,var/}run/user/*/dconf/** rw,
+EOF
+}
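Review bot: Moving the appended rules into an `END` block changes the failure behaviour of this transform: Perl runs `END` blocks even when the program is terminated by `die`, so if the substitution on the first line fails its `or die`, the dconf rules are still printed to stdout after the error, whereas the removed `s|$|…| or die` line printed nothing in that case. If the caller captures stdout before checking the exit status, it can receive a fragment consisting only of the heredoc. Guard the print on the pending exit status, which inside `END` holds the value that will be passed to exit: `print <<'EOF' unless $?;`. The emitted comment `# And runtime dconf profiles (in HOME or /run/user)` could also say why both `.cache` and `.config` are covered, presumably because dconf's database and its runtime directory can live under either depending on the XDG variables — worth confirming before writing it down.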