Discussion:
[apparmor] [patch] Update mlmmj profiles
Seth Arnold
2016-11-07 19:49:46 UTC
Hello,
this patch updates the mlmmj profiles in the extras directory to the
profiles that are used on lists.opensuse.org now. Besides adding lots
of trailing slashes for directories, several permissions were added.
Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
mlmmj-recieve to fix a typo.
These profiles were provided by Per Jessen.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
I propose this patch for trunk, 2.10 and 2.9.
In trunk, I'd also like to delete the mlmmj-recieve profile (for the
misnamed binary), but I tend to keep it in 2.10 and 2.9 to avoid
regressions.
I can see that these patches took a fair amount of back-and-forth
development already so I'm disinclined to suggest further changes before
they are merged, but...

1) Per Jessen did a huge amount of work on these and probably ought to
have a copyright line, or update suse's copyright lines.

2) All the executables will need 'm' access when run on kernels that have
9f834ec18defc369d73ccf9e87a2790bfa05bf46 integrated.

3) I'd suggest not deleting the mlmmj-recieve for a year or two. Who knows
how long it will be before the old name is removed everywhere.

So,
Acked-by: Seth Arnold <***@canonical.com>
for all three branches, with or without these suggested changes as you see
fit.

Thanks
[ mlmmj.diff ]
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce 2016-11-07 16:49:35 +0000
@@ -16,7 +16,24 @@
/usr/bin/mlmmj-bounce r,
/usr/bin/mlmmj-send Px,
+ /usr/bin/mlmmj-maintd Px,
+ /var/spool/mlmmj/*/subscribers.d/ r,
+ /var/spool/mlmmj/*/subscribers.d/* r,
+ /var/spool/mlmmj/*/subconf rwl, #
/var/spool/mlmmj/*/subconf/* rwl,
+ /var/spool/mlmmj/*/queue rwl, #
/var/spool/mlmmj/*/queue/* rwl,
-
+ /var/spool/mlmmj/*/bounce/ rwl,
+
+ /var/spool/mlmmj/*/nomailsubs.d/ r,
+ /var/spool/mlmmj/*/nomailsubs.d/* r,
+ /var/spool/mlmmj/*/digesters.d/ r,
+ /var/spool/mlmmj/*/digesters.d/* r,
+
+ /var/spool/mlmmj/*/bounce/* rw,
+
+ /var/spool/mlmmj/*/unsubconf/* w,
+
+ /usr/share/mlmmj/text.skel/*/* r,
+ /var/spool/mlmmj/*/control/* r,
}
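Review bot: the two added directory rules `/var/spool/mlmmj/*/subconf rwl, #` and `/var/spool/mlmmj/*/queue rwl, #` end in a bare `#` with no comment text and, unlike the rest of this patch, lack the trailing slash that marks a directory rule, so they will not match the directory itself (AppArmor reports directory accesses with a trailing `/`); either drop the stray `#` and write them as `/var/spool/mlmmj/*/subconf/ rwl,` and `/var/spool/mlmmj/*/queue/ rwl,`, or say what the marker means. The `/var/spool/mlmmj/*/bounce/ rwl,` and `/var/spool/mlmmj/*/bounce/* rw,` rules would also read better next to each other instead of being split by the `nomailsubs.d` and `digesters.d` block.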
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd 2016-11-07 16:49:47 +0000
@@ -18,19 +18,34 @@
/usr/bin/mlmmj-maintd r,
/usr/bin/mlmmj-send Px,
+ /usr/bin/mlmmj-bounce Px,
+ /usr/bin/mlmmj-unsub Px,
- /var/spool/mlmmj r,
- /var/spool/mlmmj/*/bounce r,
+ /var/spool/mlmmj/ r,
+ /var/spool/mlmmj/* r, #
+ /var/spool/mlmmj/*/bounce/ r,
+ /var/spool/mlmmj/*/bounce/* rw,
/var/spool/mlmmj/*/index r,
- /var/spool/mlmmj/*/lastdigest rw,
+ /var/spool/mlmmj/*/lastdigest rwk,
/var/spool/mlmmj/*/maintdlog-* lrw,
/var/spool/mlmmj/*/mlmmj-maintd.lastrun.log w,
- /var/spool/mlmmj/*/moderation r,
+ /var/spool/mlmmj/*/moderation/ r,
+ /var/spool/mlmmj/*/moderation/* w,
+ /var/spool/mlmmj/*/archive/ r,
/var/spool/mlmmj/*/archive/* r,
+ /var/spool/mlmmj/*/control/ r,
/var/spool/mlmmj/*/control/* r,
- /var/spool/mlmmj/*/queue r,
- /var/spool/mlmmj/*/queue/* rwl,
- /var/spool/mlmmj/*/requeue r,
- /var/spool/mlmmj/*/subconf r,
- /var/spool/mlmmj/*/unsubconf r,
+ /var/spool/mlmmj/*/queue/ r,
+ /var/spool/mlmmj/*/queue/** rwl,
+ /var/spool/mlmmj/*/requeue/ r,
+ /var/spool/mlmmj/*/requeue/* rw,
+ /var/spool/mlmmj/*/requeue/*/ rw,
+ /var/spool/mlmmj/*/subconf/ r,
+ /var/spool/mlmmj/*/subconf/* rw,
+ /var/spool/mlmmj/*/unsubconf/ r,
+ /var/spool/mlmmj/*/unsubconf/* rw,
+
+ /usr/share/mlmmj/text.skel/*/digest r,
+ /var/spool/mlmmj/*/mlmmj.operation.log rwk,
+
}
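Review bot: `/var/spool/mlmmj/*/* r, #` carries the same stray `#` as the bounce profile and, written without a trailing slash, grants read on entries directly under the spool rather than on the per-list directories; if the intent is to let mlmmj-maintd list each list directory it should be `/var/spool/mlmmj/*/ r,`. Widening `/var/spool/mlmmj/*/queue/* rwl,` to `/var/spool/mlmmj/*/queue/** rwl,` makes the rule recursive; a one-line comment naming the subdirectories under queue that need it would stop a later cleanup from narrowing it back.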
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-process'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-process 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-process 2016-11-07 16:50:03 +0000
@@ -19,11 +19,27 @@
/usr/bin/mlmmj-sub Px,
/usr/bin/mlmmj-unsub Px,
/usr/bin/mlmmj-bounce Px,
+ # skeleton data
+ /usr/share/mlmmj/text.skel/ r,
+ /usr/share/mlmmj/text.skel/*/* r,
+
/var/spool/mlmmj/*/control/* r,
/var/spool/mlmmj/*/text/* r,
/var/spool/mlmmj/*/incoming/* rwl,
- /var/spool/mlmmj/*/queue/* rwl,
+ /var/spool/mlmmj/*/queue/** rwl,
/var/spool/mlmmj/*/subconf/* rwl,
/var/spool/mlmmj/*/unsubconf/* rwl,
- /var/spool/mlmmj/*/mlmmj.operation.log rw,
+ /var/spool/mlmmj/*/mlmmj.operation.log rwk,
+ /var/spool/mlmmj/*/mlmmj.operation.log.rotated w,
+
+ /var/spool/mlmmj/*/nomailsubs.d/ r,
+ /var/spool/mlmmj/*/nomailsubs.d/* r,
+ /var/spool/mlmmj/*/subscribers.d/ r,
+ /var/spool/mlmmj/*/subscribers.d/* r,
+ /var/spool/mlmmj/*/digesters.d/ r,
+ /var/spool/mlmmj/*/digesters.d/* r,
+
+ /var/spool/mlmmj/*/moderation/* rw,
+ /etc/mlmmj/text/*/* r,
+
}
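Review bot: the `# skeleton data` comment is a good pattern, but the new `/etc/mlmmj/text/*/* r,` rule (site-local list texts) is appended at the bottom next to the spool rule `/var/spool/mlmmj/*/moderation/* rw,`; moving it up beside the `/usr/share/mlmmj/text.skel/` block, or giving it its own comment, keeps configuration and spool rules grouped. As in the maintd hunk, the change from `queue/*` to `queue/**` deserves a comment saying why recursive matching is required.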
=== added file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive 1970-01-01 00:00:00 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive 2016-11-07 16:50:13 +0000
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/bin/mlmmj-receive {
+ #include <abstractions/base>
+
+ /usr/bin/mlmmj-process Px,
+ /usr/bin/mlmmj-receive r,
+ /var/spool/mlmmj/*/incoming/ rw,
+ /var/spool/mlmmj/*/incoming/* rw,
+}
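Review bot: `/usr/bin/mlmmj-receive r,` gives the profiled binary only read access; as the reply above notes, newer kernels also need `m` for the executable the profile covers, so `/usr/bin/mlmmj-receive mr,` would be the right rule for a newly added file. The header also copies the `Copyright (C) 2002-2005 Novell/SUSE` line onto a profile created in 2016 from Per Jessen's work, which ties in with suggestion 1 in the reply.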
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-send'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-send 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-send 2016-11-07 16:53:17 +0000
@@ -18,8 +18,13 @@
/usr/bin/mlmmj-send r,
/var/spool/mlmmj/*/archive/* w,
/var/spool/mlmmj/*/control/* r,
- /var/spool/mlmmj/*/index rw,
- /var/spool/mlmmj/*/queue/* lrw,
- /var/spool/mlmmj/*/subscribers.d r,
+ /var/spool/mlmmj/*/index rwk,
+ /var/spool/mlmmj/*/queue/* klrw,
+ /var/spool/mlmmj/*/subscribers.d/ r,
/var/spool/mlmmj/*/subscribers.d/* r,
+
+ /var/spool/mlmmj/*/digesters.d/ r,
+
+ /var/spool/mlmmj/*/moderation/* rwk,
+
}
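Review bot: `/var/spool/mlmmj/*/digesters.d/ r,` grants only the directory listing, whereas the bounce and process hunks pair it with `/var/spool/mlmmj/*/digesters.d/* r,`; confirm whether mlmmj-send only lists the directory or also reads the digester files. Minor style point: `klrw` on the queue rule orders the permission letters differently from the `rwk` and `rwl` used elsewhere in the patch.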
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-07 16:56:10 +0000
@@ -18,11 +18,23 @@
/usr/bin/mlmmj-send Px,
/usr/bin/mlmmj-sub r,
+ /var/spool/mlmmj/*/control/ r,
/var/spool/mlmmj/*/control/* r,
- /var/spool/mlmmj/*/queue/* w,
- /var/spool/mlmmj/*/subconf/* w,
- /var/spool/mlmmj/*/subscribers.d rw,
- /var/spool/mlmmj/*/subscribers.d/* rw,
- /var/spool/mlmmj/*/subscribers.d/.d.lock lw,
+ /var/spool/mlmmj/*/queue/ rw,
+ /var/spool/mlmmj/*/queue/* rw,
+ /var/spool/mlmmj/*/subconf/ rw,
+ /var/spool/mlmmj/*/subconf/* rw,
+ /var/spool/mlmmj/*/subscribers.d/ rw,
+ /var/spool/mlmmj/*/subscribers.d/* rwk,
+ /var/spool/mlmmj/*/text/ r, #
/var/spool/mlmmj/*/text/* r,
+
+ /usr/share/mlmmj/text.skel/*/* r,
+
+ /var/spool/mlmmj/*/nomailsubs.d/ rw,
+ /var/spool/mlmmj/*/nomailsubs.d/* rwk,
+
+ /var/spool/mlmmj/*/digesters.d/ rw,
+ /var/spool/mlmmj/*/digesters.d/* rwk,
+
}
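Review bot: the removed `/var/spool/mlmmj/*/subscribers.d/.d.lock lw,` rule granted link access on the lock file, while its replacement `/var/spool/mlmmj/*/subscribers.d/* rwk,` drops `l` and adds `k`; that is correct only if the lock is now taken with fcntl/flock rather than by creating a hard link, which is worth confirming against the mlmmj version running on lists.opensuse.org. `/var/spool/mlmmj/*/text/ r, #` has the same stray trailing `#` seen in the other profiles.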
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub 2016-11-07 16:50:52 +0000
@@ -16,12 +16,25 @@
/usr/bin/mlmmj-unsub r,
/usr/bin/mlmmj-send Px,
+ /var/spool/mlmmj/*/control/ r,
/var/spool/mlmmj/*/control/* r,
+ /var/spool/mlmmj/*/text/ r,
/var/spool/mlmmj/*/text/* r,
- /var/spool/mlmmj/*/subscribers.d r,
- /var/spool/mlmmj/*/subscribers.d/* r,
+ /var/spool/mlmmj/*/queue/ rwl,
/var/spool/mlmmj/*/queue/* rwl,
+ /var/spool/mlmmj/*/unsubconf/ rwl,
/var/spool/mlmmj/*/unsubconf/* rwl,
- /var/spool/mlmmj/*/subscribers.d/* rwl,
+ /var/spool/mlmmj/*/subscribers.d/ rw,
+ /var/spool/mlmmj/*/subscribers.d/* rwk,
+
+ /var/spool/mlmmj/*/nomailsubs.d/ rw,
+ /var/spool/mlmmj/*/nomailsubs.d/* rwk,
+
+ /var/spool/mlmmj/*/digesters.d/ rw,
+ /var/spool/mlmmj/*/digesters.d/* rwk,
+
+ /usr/share/mlmmj/text.skel/*/* r,
+ /etc/mlmmj/text/*/finish r,
+
}
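Review bot: `/etc/mlmmj/text/*/finish r,` is narrower than the `/etc/mlmmj/text/*/* r,` rule used in the mlmmj-process hunk; that is fine if mlmmj-unsub only ever reads the finish text, but a short comment saying so would make a later widening a deliberate choice rather than a copy-paste. Good that the two overlapping `subscribers.d/*` rules (`r` and `rwl`) from the old profile collapse into a single `rwk` rule here.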
Seth Arnold
2016-11-08 22:47:52 UTC
[patch] Add m permissions to mlmmj profiles
Newer kernels need m permissions for the binary the profile covers,
so add it before someone hits this problem in the wild ;-)
Also add a note that the mlmmj-recieve profile is probably superfluous
after upstream renamed the misspelled binary.
I propose this patch for trunk, 2.10 and 2.9.
Acked-by: Seth Arnold <***@canonical.com>

Acked for all three.

Thanks
[ mlmmj-m.diff ]
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce 2016-11-08 20:40:38 +0000
@@ -15,7 +15,7 @@
/usr/bin/mlmmj-bounce {
#include <abstractions/base>
- /usr/bin/mlmmj-bounce r,
+ /usr/bin/mlmmj-bounce mr,
/usr/bin/mlmmj-send Px,
/usr/bin/mlmmj-maintd Px,
/var/spool/mlmmj/*/subscribers.d/ r,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd 2016-11-08 20:40:55 +0000
@@ -17,7 +17,7 @@
capability setuid,
- /usr/bin/mlmmj-maintd r,
+ /usr/bin/mlmmj-maintd mr,
/usr/bin/mlmmj-send Px,
/usr/bin/mlmmj-bounce Px,
/usr/bin/mlmmj-unsub Px,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-process'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-process 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-process 2016-11-08 20:41:35 +0000
@@ -15,7 +15,7 @@
/usr/bin/mlmmj-process {
#include <abstractions/base>
- /usr/bin/mlmmj-process r,
+ /usr/bin/mlmmj-process mr,
/usr/bin/mlmmj-send Px,
/usr/bin/mlmmj-sub Px,
/usr/bin/mlmmj-unsub Px,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive 2016-11-08 20:41:45 +0000
@@ -16,7 +16,7 @@
#include <abstractions/base>
/usr/bin/mlmmj-process Px,
- /usr/bin/mlmmj-receive r,
+ /usr/bin/mlmmj-receive mr,
/var/spool/mlmmj/*/incoming/ rw,
/var/spool/mlmmj/*/incoming/* rw,
}
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve 2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve 2016-11-08 20:43:15 +0000
@@ -9,12 +9,17 @@
# ------------------------------------------------------------------
# vim:syntax=apparmor
+
+# mlmmj upstream renamed the (misspelled) mlmmj-recieve to mlmmj-receive,
+# so this profile is probably superfluous
+
+
#include <tunables/global>
/usr/bin/mlmmj-recieve {
#include <abstractions/base>
/usr/bin/mlmmj-process Px,
- /usr/bin/mlmmj-recieve r,
+ /usr/bin/mlmmj-recieve mr,
/var/spool/mlmmj/*/incoming/* w,
}
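Review bot: style: the hunk inserts two consecutive blank lines between the new comment and `#include <tunables/global>`; one is enough. Since the reply suggests keeping this profile around for a year or two, recording in the comment which mlmmj release renamed the binary would tell a future maintainer when it is safe to drop.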
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-send'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-send 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-send 2016-11-08 20:43:28 +0000
@@ -16,7 +16,7 @@
#include <abstractions/base>
#include <abstractions/nameservice>
- /usr/bin/mlmmj-send r,
+ /usr/bin/mlmmj-send mr,
/var/spool/mlmmj/*/archive/* w,
/var/spool/mlmmj/*/control/* r,
/var/spool/mlmmj/*/index rwk,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub 2016-11-08 20:43:39 +0000
@@ -18,7 +18,7 @@
capability setuid,
/usr/bin/mlmmj-send Px,
- /usr/bin/mlmmj-sub r,
+ /usr/bin/mlmmj-sub mr,
/var/spool/mlmmj/*/control/ r,
/var/spool/mlmmj/*/control/* r,
/var/spool/mlmmj/*/queue/ rw,
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub'
--- profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub 2016-11-08 20:34:15 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub 2016-11-08 20:43:51 +0000
@@ -15,7 +15,7 @@
/usr/bin/mlmmj-unsub {
#include <abstractions/base>
- /usr/bin/mlmmj-unsub r,
+ /usr/bin/mlmmj-unsub mr,
/usr/bin/mlmmj-send Px,
/var/spool/mlmmj/*/control/ r,
/var/spool/mlmmj/*/control/* r,
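As an added example that is not part of this thread or of the AppArmor project's code: a small Python checker for the point raised in both messages, that on newer kernels the profiled binary needs `m` alongside `r`. It parses a profile, reports whether the self rule lacks `m`, and rewrites it the way the second patch does; the sample profile is constructed from the mlmmj-receive hunk above, and the regexes are simplified assumptions that handle only plain path rules.

```python
import re

# Constructed sample profile, modelled on the mlmmj-receive profile in the
# patch above (not the shipped file; header comments trimmed).
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/bin/mlmmj-receive {
  #include <abstractions/base>

  /usr/bin/mlmmj-process Px,
  /usr/bin/mlmmj-receive r,
  /var/spool/mlmmj/*/incoming/ rw,
  /var/spool/mlmmj/*/incoming/* rw,
}
"""

# Assumption: only profiles attached by absolute path and plain path rules.
HEADER_RE = re.compile(r"^\s*(/\S+)\s*\{")
RULE_RE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+)\s*,")


def parse_profile(text):
    """Return (attached_binary, [(path, perms), ...]) for one profile."""
    binary, rules = None, []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):      # comments and #include lines
            continue
        m = HEADER_RE.match(line)
        if m and binary is None:
            binary = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return binary, rules


def missing_m(text):
    """True when no rule grants 'm' (mmap exec) on the profile's own binary."""
    binary, rules = parse_profile(text)
    return not any(p == binary and "m" in perms for p, perms in rules)


def add_m(text):
    """Rewrite the self rule so its permissions include 'm', as the patch did."""
    binary, _ = parse_profile(text)
    pattern = re.compile(r"^(\s*" + re.escape(binary) + r"\s+)([A-Za-z]+)(\s*,)", re.M)
    def fix(m):
        perms = m.group(2)
        return m.group(1) + (perms if "m" in perms else "m" + perms) + m.group(3)
    return pattern.sub(fix, text)
```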