New profile: mariadbd_akonadi

A similar approach is available on https://invent.kde.org/pim/akonadi/-/tree/master/apparmor?ref_type=heads where also @cboltz contributed. This profile has some additional rules and is formatted according to the guidelines of this project.
2023-09-03 17:22:11 +02:00 · 2023-09-03 17:22:11 +02:00 · 6cb0f6cc73
commit 6cb0f6cc73
parent b2fa7bacb8
1 changed files with 54 additions and 0 deletions
--- a/apparmor.d/groups/kde/mariadbd_akonadi
+++ b/apparmor.d/groups/kde/mariadbd_akonadi
@ -0,0 +1,54 @@
+abi <abi/3.0>,
+
+#include <tunables/global>
+
+@{exec_path} = @{bin}/mariadb{,-*} @{bin}/mariadbd @{bin}/mysql @{bin}/mysqld{,*}
+profile mariadbd_akonadi @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bash>
+  include <abstractions/consoles>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  
+  capability setgid,
+  capability setuid,
+
+  signal (receive) set=(kill, term) peer=akonadiserver,
+    
+  @{exec_path} mrix,
+  
+  @{bin}/{b,d}ash rix,
+  @{bin}/cat rix,
+  @{bin}/chmod rix,
+  @{bin}/dirname rix,
+  @{bin}/hostname rix,
+  @{bin}/mkdir rix,
+  @{bin}/sed rix,
+  @{bin}/my_print_defaults rix,
+    
+  /usr/share/mysql/** r,
+  
+  /etc/mysql/{,**} r,
+  /etc/my.cnf{,.d/**} r,
+  
+  owner @{user_share_dirs}/akonadi/** rwk,
+  
+        /tmp/ r,
+  owner /tmp/#@{int} rw,
+  owner /tmp/mysql_upgrade-@{rand6} rw,
+  owner /tmp/sql* rw,
+  owner /tmp/#sql-temptable-*.{MAD,MAI} rw,
+  
+  owner @{run}/user/@{uid}/akonadi** rwk,
+  
+  @{sys}/block/ r,
+  @{sys}/devices/system/cpu/ r,
+  @{sys}/devices/pci[0-9]*/**/{dev,rotational} r,
+  @{sys}/devices/virtual/block/zram@{int}/queue/rotational r,
+  @{sys}/devices/virtual/block/zram@{int}/dev r,
+
+  owner @{PROC}/@{pid}/loginuid r,
+  
+  include if exists <local/mariadbd_akonadi>  
+  
+}