[openjk] 16/19: Add experimental AppArmor profiles, initially in non-enforcing mode
Simon McVittie
smcv at debian.org
Sun Mar 20 21:48:44 UTC 2016
This is an automated email from the git hooks/post-receive script.
smcv pushed a commit to branch master
in repository openjk.
commit 952c0718fcc653eda0566de18ac8e61f433499bb
Author: Simon McVittie <smcv at debian.org>
Date: Sun Mar 20 14:18:47 2016 +0000
Add experimental AppArmor profiles, initially in non-enforcing mode
---
debian/apparmor.d/usr.games.openjk | 49 +++++++++++++++++++++++++++++++++++
debian/apparmor.d/usr.games.openjkded | 31 ++++++++++++++++++++++
debian/changelog | 1 +
debian/control | 1 +
debian/openjk-academy-server.install | 3 ++-
debian/openjk-common.install | 1 +
debian/rules | 7 +++++
7 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/debian/apparmor.d/usr.games.openjk b/debian/apparmor.d/usr.games.openjk
new file mode 100644
index 0000000..ce74a6f
--- /dev/null
+++ b/debian/apparmor.d/usr.games.openjk
@@ -0,0 +1,49 @@
+# OpenJK Jedi Outcast/Jedi Academy client AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided this notice is preserved.
+# This file is offered as-is, without any warranty.
+
+#include <tunables/global>
+
+# The profile attaches to the real binary, not the shell script in /usr/games
+/usr/lib/openjk/Jedi{Outcast,Academy}/open{jo_sp,jk,jk_sp}.* flags=(complain) {
+ #include <abstractions/X>
+ #include <abstractions/audio>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/nvidia>
+ #include <abstractions/private-files-strict>
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ /etc/openjk-academy-server/** r,
+ /usr/lib/openjk/** mr,
+ /usr/lib/openjk/Jedi{Outcast,Academy}/open{jo_sp,jk,jk_sp}.* mrix,
+ /usr/share/games/jedi-{outcast,academy}/** r,
+ /usr/share/icons/** r,
+
+ owner @{HOME}/.local/share/open{jo,jk}/{,**} rwk,
+
+ # used by PulseAudio
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ # udev device enumeration, input devices, video
+ /etc/udev/udev.conf r,
+ /run/udev/data/** r,
+ /sys/bus/ r,
+ /sys/class/ r,
+ /sys/class/input/ r,
+ /sys/class/sound/ r,
+ /sys/devices/**/input/** r,
+ /sys/devices/**/sound/**/input*/** r,
+ /sys/devices/**/sound/timer/uevent r,
+ /sys/devices/pci*/**/uevent r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.games.openjk>
+}
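Review bot: The `flags=(complain)` on the profile header is what makes this "initially non-enforcing", but nothing in the file says so or how the profile is meant to graduate; a comment above the header such as `# complain mode: denials are logged (see aa-logprof / the audit log) but not blocked; drop flags=(complain) once the rule set has been validated` would spare the next maintainer a trip to the changelog, and the same applies to the header of usr.games.openjkded. Separately, `/etc/openjk-academy-server/** r` gives the client read access to the dedicated server's config directory with no explanation — presumably so a listen server can share server.cfg, but that is an inference from the path alone. A one-line why-comment on that rule would make it reviewable before the profile is switched to enforce.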
diff --git a/debian/apparmor.d/usr.games.openjkded b/debian/apparmor.d/usr.games.openjkded
new file mode 100644
index 0000000..5319d7c
--- /dev/null
+++ b/debian/apparmor.d/usr.games.openjkded
@@ -0,0 +1,31 @@
+# OpenJK Jedi Academy server AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided this notice is preserved.
+# This file is offered as-is, without any warranty.
+
+#include <tunables/global>
+
+# The profile attaches to the real binary, not the shell script in /usr/games
+/usr/lib/openjk/JediAcademy/openjkded.* flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/private-files-strict>
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ /etc/openjk-academy-server/** r,
+ /usr/lib/openjk/** mr,
+ /usr/lib/openjk/JediAcademy/openjkded.* mrix,
+ /usr/share/games/jedi-academy/** r,
+ /usr/share/icons/** r,
+
+ owner @{HOME}/.local/share/openjk/{,**} rwk,
+ owner /var/games/openjk-academy-server/** rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.games.openjkded>
+}
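Review bot: `/usr/share/icons/** r` and `owner @{HOME}/.local/share/openjk/{,**} rwk` look carried over from the client profile; a headless dedicated server started from the systemd unit seems unlikely to need icon data, and what `@{HOME}` resolves to depends on the unit's environment, which is not visible here. Both are harmless while the profile is in complain mode, but they are worth checking against the audit log before enforcing and dropping if they never fire, so the enforced profile matches the server's actual footprint rather than the client's. If either rule is intentional, a short comment saying why would settle it.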
diff --git a/debian/changelog b/debian/changelog
index a4e1718..5098efd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,6 +18,7 @@ openjk (0~20160320+dfsg1-1) UNRELEASED; urgency=medium
* Remove traditional Debian menu entries (prohibited by CTTE decision
#741573) and the XPM icon that they used
* Add documentation to the systemd units
+ * Add experimental AppArmor profiles, initially in non-enforcing mode
-- Simon McVittie <smcv at debian.org> Fri, 22 Jan 2016 11:09:04 +0000
diff --git a/debian/control b/debian/control
index 8b33b9b..b5da40e 100644
--- a/debian/control
+++ b/debian/control
@@ -6,6 +6,7 @@ Uploaders: Simon McVittie <smcv at debian.org>
Build-Depends:
cmake,
debhelper (>= 9.20160114~),
+ dh-apparmor [linux-any],
dh-systemd,
dpkg-dev (>= 1.16.1),
icnsutils,
diff --git a/debian/openjk-academy-server.install b/debian/openjk-academy-server.install
index 15c3f49..faf2fd3 100644
--- a/debian/openjk-academy-server.install
+++ b/debian/openjk-academy-server.install
@@ -1,7 +1,8 @@
# Game plugin is in openjk-common because it's shared by the
# multiplayer client, for listen servers
-debian/scripts/openjkded usr/games
+debian/apparmor.d/usr.games.openjkded etc/apparmor.d
debian/openjk-academy-server at .service lib/systemd/system
+debian/scripts/openjkded usr/games
debian/server.cfg etc/openjk-academy-server
usr/lib/openjk/JediAcademy/openjkded
usr/lib/openjk/JediAcademy/openjkded.*
diff --git a/debian/openjk-common.install b/debian/openjk-common.install
index 7c72a3f..b2c288c 100644
--- a/debian/openjk-common.install
+++ b/debian/openjk-common.install
@@ -1,4 +1,5 @@
# Shared by Jedi Academy and Jedi Outcast
+debian/apparmor.d/usr.games.openjk etc/apparmor.d
debian/icons/16/openjk.png usr/share/icons/hicolor/16x16/apps
debian/icons/32/openjk.png usr/share/icons/hicolor/32x32/apps
debian/icons/128/openjk.png usr/share/icons/hicolor/128x128/apps
diff --git a/debian/rules b/debian/rules
index a0fec13..bca013a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -123,6 +123,13 @@ ifeq ($(with_jk2),ON)
endif
chmod 0755 debian/scripts/openj*
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+override_dh_install:
+ dh_install
+ dh_apparmor -popenjk-common --profile-name=usr.games.openjk
+ dh_apparmor -popenjk-academy-server --profile-name=usr.games.openjkded
+endif
+
override_dh_installchangelogs:
dh_installchangelogs CHANGELOG.md
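Review bot: The `ifeq ($(DEB_HOST_ARCH_OS),linux)` guard only does its job if `DEB_HOST_ARCH_OS` is actually defined, which debian/rules must get from `include /usr/share/dpkg/architecture.mk` or an exported dpkg-architecture variable; that part of the file is outside this hunk, so it cannot be confirmed here. If the variable is empty the comparison is silently false, `override_dh_install` is never defined, `dh_apparmor` never runs, and the .install files still ship the profiles into etc/apparmor.d without the maintainer-script snippet that loads them — and the build succeeds anyway. A parse-time check above this block, `ifeq ($(DEB_HOST_ARCH_OS),)` / `$(error DEB_HOST_ARCH_OS is unset; include /usr/share/dpkg/architecture.mk)` / `endif`, would turn that silent skip into a visible failure. Note also that the .install changes are unconditional, so on non-Linux ports the profile files land in /etc/apparmor.d with no dh_apparmor processing at all; harmless, but inconsistent with this guard. The `chmod` recipe line before the new block belongs to a target whose header is outside the hunk.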