[iortcw] 01/02: Add experimental AppArmor profiles to protect the client and server, both in "complain" mode for now
Simon McVittie
smcv at debian.org
Tue Mar 8 09:00:07 UTC 2016
This is an automated email from the git hooks/post-receive script.
smcv pushed a commit to branch master
in repository iortcw.
commit 2d780d445e3e8960cd776b9bbf058bc79e2e06d2
Author: Simon McVittie <smcv at debian.org>
Date: Tue Mar 8 08:00:28 2016 +0000
Add experimental AppArmor profiles to protect the client and server, both in "complain" mode for now
---
debian/apparmor.d/usr.lib.rtcw | 50 ++++++++++++++++++++++++++++++++
debian/apparmor.d/usr.lib.rtcw.iowolfded | 25 ++++++++++++++++
debian/changelog | 2 ++
debian/control | 1 +
debian/copyright | 3 +-
debian/rtcw-server.install | 1 +
debian/rtcw.install | 1 +
debian/rules | 5 ++++
8 files changed, 87 insertions(+), 1 deletion(-)
diff --git a/debian/apparmor.d/usr.lib.rtcw b/debian/apparmor.d/usr.lib.rtcw
new file mode 100644
index 0000000..5d90eae
--- /dev/null
+++ b/debian/apparmor.d/usr.lib.rtcw
@@ -0,0 +1,50 @@
+# Return to Castle Wolfenstein client AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided this notice is preserved.
+# This file is offered as-is, without any warranty.
+
+#include <tunables/global>
+
+/usr/lib/rtcw/iowolf{mp,sp}* flags=(complain) {
+ #include <abstractions/X>
+ #include <abstractions/audio>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/nvidia>
+ #include <abstractions/private-files-strict>
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ /etc/rtcw-server/** r,
+ /usr/lib/rtcw/** mr,
+ /usr/lib/rtcw/iowolf{mp,sp}* mrix,
+ /usr/share/games/rtcw/** r,
+ /usr/share/icons/** r,
+
+ owner @{HOME}/.wolf/{,**} rwk,
+
+ # "safe mode" prompt
+ /usr/bin/kdialog mrix,
+ /usr/bin/xmessage mrix,
+ /usr/bin/zenity mrix,
+
+ # used by PulseAudio
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ # udev device enumeration, input devices, video
+ /etc/udev/udev.conf r,
+ /run/udev/data/** r,
+ /sys/bus/ r,
+ /sys/class/ r,
+ /sys/class/input/ r,
+ /sys/class/sound/ r,
+ /sys/devices/**/input/** r,
+ /sys/devices/**/sound/**/input*/** r,
+ /sys/devices/**/sound/timer/uevent r,
+ /sys/devices/pci*/**/uevent r,
+}
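Review bot: The only write grant in the client profile, `owner @{HOME}/.wolf/{,**} rwk` on line 55, deliberately omits `m`, so nothing the engine stores under the per-user game directory can be mapped executable — presumably this is where engine-fetched content lands, which makes it the rule that matters most once the profile leaves complain mode; confirm against the engine's fs_homepath handling. That intent is not written down and a later edit could add `m` without noticing, so a comment such as `# no 'm' here on purpose: content written under ~/.wolf must never be mapped executable` above the rule would preserve it. The server profile in this commit has the same unstated property on its `@{HOME}/.wolf` and `/var/games/rtcw-server/**` rules and should carry the same comment. While `flags=(complain)` is set, an `m` request against this path only shows up as a logged ALLOWED event, so that log line is the thing to look for during testing rather than a failure.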
diff --git a/debian/apparmor.d/usr.lib.rtcw.iowolfded b/debian/apparmor.d/usr.lib.rtcw.iowolfded
new file mode 100644
index 0000000..3017d3a
--- /dev/null
+++ b/debian/apparmor.d/usr.lib.rtcw.iowolfded
@@ -0,0 +1,25 @@
+# Return to Castle Wolfenstein server AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided this notice is preserved.
+# This file is offered as-is, without any warranty.
+
+#include <tunables/global>
+
+/usr/lib/rtcw/iowolfded* flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/private-files-strict>
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ /etc/rtcw-server/** r,
+ /usr/lib/rtcw/** mr,
+ /usr/share/games/rtcw/** r,
+
+ owner @{HOME}/.wolf/{,**} rwk,
+ owner /var/games/rtcw-server/** rwk,
+}
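Review bot: The two writable rules on lines 106–107 serve different ways of running the server and the profile does not say which is which: `owner @{HOME}/.wolf/{,**} rwk` covers an interactive user starting the dedicated server by hand, while `owner /var/games/rtcw-server/** rwk` covers the packaged service, whose working directory @{HOME} (by default expanded only from the configured home directories and /root) would presumably not match — confirm against the service's user and home. A one-line comment over each rule, e.g. `# state of the packaged service, not covered by @{HOME}` and `# interactive runs by an ordinary user`, would make the grants auditable when the profile is switched to enforce. The copy of `/etc/rtcw-server/** r` in the client profile (line 49 of the first hunk) is the corresponding place to note why a client reads server configuration, if that is intended.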
diff --git a/debian/changelog b/debian/changelog
index d7b36f6..c6414d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,8 @@ iortcw (1.42d+dfsg1-1) UNRELEASED; urgency=medium
execute arbitrary code from Activision servers without authentication.
* Switch Vcs-Git to https (see #810378)
* Standards-Version: 3.9.7 (no changes needed)
+ * Add experimental AppArmor profiles to protect the client and server,
+ both in "complain" mode for now
-- Simon McVittie <smcv at debian.org> Fri, 22 Jan 2016 11:06:29 +0000
diff --git a/debian/control b/debian/control
index d7b9787..471ef5c 100644
--- a/debian/control
+++ b/debian/control
@@ -4,6 +4,7 @@ Priority: optional
Maintainer: Debian Games Team <pkg-games-devel at lists.alioth.debian.org>
Uploaders: Simon McVittie <smcv at debian.org>
Build-Depends: debhelper (>= 9),
+ dh-apparmor [linux-any],
dh-systemd,
dpkg-dev (>= 1.16.1),
libcurl4-gnutls-dev,
diff --git a/debian/copyright b/debian/copyright
index 606f87c..94d0f51 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -125,9 +125,10 @@ Copyright:
License: GPL-2+
Files:
+ debian/apparmor.d/*
debian/q3arch
Copyright:
- © 2009-2015 Simon McVittie <smcv at debian.org>
+ © 2009-2016 Simon McVittie <smcv at debian.org>
License: permissive
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided this notice is preserved.
diff --git a/debian/rtcw-server.install b/debian/rtcw-server.install
index 42c5062..d998056 100644
--- a/debian/rtcw-server.install
+++ b/debian/rtcw-server.install
@@ -1,3 +1,4 @@
+debian/apparmor.d/usr.lib.rtcw.iowolfded etc/apparmor.d
debian/build/mp/iowolfded usr/lib/rtcw
debian/build/mp/iowolfded.* usr/lib/rtcw
debian/scripts/wolfded usr/games
diff --git a/debian/rtcw.install b/debian/rtcw.install
index 3b4812e..431030e 100644
--- a/debian/rtcw.install
+++ b/debian/rtcw.install
@@ -14,6 +14,7 @@ debian/wolfmp.desktop usr/share/applications
debian/scripts/wolfmp usr/games
# Shared between clients
+debian/apparmor.d/usr.lib.rtcw etc/apparmor.d
debian/need-data.sh usr/lib/rtcw
debian/32/*.png usr/share/icons/hicolor/32x32/apps
debian/48/*.png usr/share/icons/hicolor/48x48/apps
diff --git a/debian/rules b/debian/rules
index 507c22c..b227075 100755
--- a/debian/rules
+++ b/debian/rules
@@ -72,6 +72,11 @@ override_dh_auto_build:
chmod +x debian/scripts/wolfmp
chmod +x debian/scripts/wolfded
+override_dh_install-arch:
+ dh_install -a
+ dh_apparmor -prtcw --profile-name=usr.lib.rtcw
+ dh_apparmor -prtcw-server --profile-name=usr.lib.rtcw.iowolfded
+
override_dh_strip:
dh_strip --dbg-package=rtcw-dbg
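Review bot: `dh_apparmor` is invoked unconditionally on lines 176–177, but debian/control in this same commit declares the build dependency as `dh-apparmor [linux-any]`, so on a non-Linux Debian port the override would call a tool that is not installed and the build would fail. Wrap the two calls in `ifeq ($(DEB_HOST_ARCH_OS),linux)` … `endif`; `DEB_HOST_ARCH_OS` is provided by `include /usr/share/dpkg/architecture.mk`, which the top of rules (outside this hunk) may or may not already pull in. The two `.install` hunks copy the profiles into etc/apparmor.d on every architecture, which is harmless on its own but is worth a one-line comment so the asymmetry with the guarded `dh_apparmor` calls is deliberate rather than puzzling.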
--