[ioquake3] 01/05: Add an experimental AppArmor profile supporting OpenArena (openarena) and Quake III Arena (quake3 from contrib), in complain mode for now
Simon McVittie
smcv at debian.org
Mon Mar 21 09:25:04 UTC 2016
This is an automated email from the git hooks/post-receive script.
smcv pushed a commit to branch master
in repository ioquake3.
commit 4922b03534184214210cf0a3a3daad5c4bfbb741
Author: Simon McVittie <smcv at debian.org>
Date: Sun Mar 20 14:19:48 2016 +0000
Add an experimental AppArmor profile supporting OpenArena (openarena) and Quake III Arena (quake3 from contrib), in complain mode for now
---
debian/apparmor.d/usr.lib.ioquake3.ioq3ded | 28 ++++++++++++
debian/apparmor.d/usr.lib.ioquake3.ioquake3 | 67 +++++++++++++++++++++++++++++
debian/changelog | 3 ++
debian/control | 1 +
debian/ioquake3-server.install | 1 +
debian/ioquake3.install | 1 +
debian/rules | 7 +++
7 files changed, 108 insertions(+)
diff --git a/debian/apparmor.d/usr.lib.ioquake3.ioq3ded b/debian/apparmor.d/usr.lib.ioquake3.ioq3ded
new file mode 100644
index 0000000..f8cc388
--- /dev/null
+++ b/debian/apparmor.d/usr.lib.ioquake3.ioq3ded
@@ -0,0 +1,28 @@
+# idTech3 server AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided this notice is preserved.
+# This file is offered as-is, without any warranty.
+
+#include <tunables/global>
+
+/usr/lib/ioquake3/ioq3ded flags=(complain) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/private-files-strict>
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ /etc/{openarena,quake3}-server/** r,
+ /usr/lib/{ioquake3,quake3,openarena}/** mr,
+ /usr/share/games/{quake3*,openarena}/** r,
+
+ owner @{HOME}/.{openarena,q3a}/{,**} rwk,
+ owner /var/games/{openarena,quake3}-server/** rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ioquake3.ioq3ded>
+}
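Review bot: Nothing in the server profile explains why the writable locations lack `m`, although that looks like the main protection the profile will offer once enforced. `owner @{HOME}/.{openarena,q3a}/{,**} rwk` and `owner /var/games/{openarena,quake3}-server/** rwk` are write-only in that sense, while `mr` is granted only under `/usr/lib/{ioquake3,quake3,openarena}/**`. A short comment above the `owner` rules would stop a later edit from adding `m` there, for example `# Writable game directories must never get 'm': only /usr/lib may supply mappable code.` It would also help to state next to `flags=(complain)` that violations are only logged in this mode, so the profile provides no confinement until the flag is removed.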
diff --git a/debian/apparmor.d/usr.lib.ioquake3.ioquake3 b/debian/apparmor.d/usr.lib.ioquake3.ioquake3
new file mode 100644
index 0000000..2342ae6
--- /dev/null
+++ b/debian/apparmor.d/usr.lib.ioquake3.ioquake3
@@ -0,0 +1,67 @@
+# idTech3 client AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided this notice is preserved.
+# This file is offered as-is, without any warranty.
+
+#include <tunables/global>
+
+/usr/lib/ioquake3/ioquake3 flags=(complain) {
+ #include <abstractions/X>
+ #include <abstractions/audio>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/nvidia>
+ #include <abstractions/private-files-strict>
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ /etc/{openarena,quake3}-server/** r,
+ /usr/lib/{ioquake3,quake3,openarena}/** mr,
+ /usr/share/games/{quake3*,openarena}/** r,
+ /usr/share/icons/** r,
+
+ owner @{HOME}/.{openarena,q3a}/{,**} rwk,
+
+ # "safe mode" prompt
+ /usr/bin/kdialog Cx -> popup,
+ /usr/bin/xmessage Cx -> popup,
+ /usr/bin/zenity Cx -> popup,
+
+ # used by PulseAudio
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ # udev device enumeration, input devices, video
+ /etc/udev/udev.conf r,
+ /run/udev/data/** r,
+ /sys/bus/ r,
+ /sys/class/ r,
+ /sys/class/input/ r,
+ /sys/class/sound/ r,
+ /sys/devices/**/input/** r,
+ /sys/devices/**/sound/**/input*/** r,
+ /sys/devices/**/sound/timer/uevent r,
+ /sys/devices/pci*/**/uevent r,
+
+ profile popup (complain) {
+ #include <abstractions/X>
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/freedesktop.org>
+
+ /etc/X11/app-defaults/Xmessage-color r,
+ /usr/bin/kdialog mr,
+ /usr/bin/xmessage mr,
+ /usr/bin/zenity mr,
+ /usr/share/themes/** r,
+ /usr/share/zenity/** r,
+ owner @{HOME}/.config/gtk-3.0/settings.ini r,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ioquake3.ioquake3>
+}
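Review bot: The client profile grants `/etc/{openarena,quake3}-server/** r`, which looks carried over from the server profile. The client binary presumably does not need the dedicated server's configuration, and that directory may hold administrative settings. If the client does not read it, drop the rule; otherwise add a comment saying why it is needed. Separately, the nested profile is written `profile popup (complain) {` while the outer one uses `flags=(complain)`. Writing `profile popup flags=(complain) {` would keep the two consistent and make it easier to find both flags when the profile moves to enforce mode, since the child keeps its own mode.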
diff --git a/debian/changelog b/debian/changelog
index 5fc757c..476c895 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
ioquake3 (1.36+u20160122+dfsg1-2) UNRELEASED; urgency=medium
* Standards-Version: 3.9.7 (no changes needed)
+ * Add an experimental AppArmor profile supporting OpenArena
+ (openarena) and Quake III Arena (quake3 from contrib), in complain
+ mode for now
-- Simon McVittie <smcv at debian.org> Wed, 02 Mar 2016 09:28:06 +0000
diff --git a/debian/control b/debian/control
index b46879c..eb5e674 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Uploaders:
Simon McVittie <smcv at debian.org>,
Build-Depends:
debhelper (>= 9),
+ dh-apparmor [linux-any],
dpkg-dev (>= 1.16.1),
libcurl4-gnutls-dev,
libjpeg-dev,
diff --git a/debian/ioquake3-server.install b/debian/ioquake3-server.install
index d57c31b..0c913df 100644
--- a/debian/ioquake3-server.install
+++ b/debian/ioquake3-server.install
@@ -1,3 +1,4 @@
+debian/apparmor.d/usr.lib.ioquake3.ioq3ded etc/apparmor.d
debian/q3arch usr/share/ioquake3
usr/lib/ioquake3/*/qagame*.so
usr/lib/ioquake3/ioq3ded
diff --git a/debian/ioquake3.install b/debian/ioquake3.install
index fb28dbc..f8e30dc 100644
--- a/debian/ioquake3.install
+++ b/debian/ioquake3.install
@@ -1,3 +1,4 @@
+debian/apparmor.d/usr.lib.ioquake3.ioquake3 etc/apparmor.d
usr/lib/ioquake3/*/cgame*.so
usr/lib/ioquake3/*/ui*.so
usr/lib/ioquake3/ioquake3
diff --git a/debian/rules b/debian/rules
index a64eaeb..3927cf2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -67,6 +67,13 @@ override_dh_auto_install:
cd $(DESTDIR)/usr/lib/quake3/ta/baseq3 && ln -s ../../../ioquake3/baseq3/*.so .
cd $(DESTDIR)/usr/lib/quake3/ta/missionpack && ln -s ../../../ioquake3/missionpack/*.so .
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+override_dh_install-arch:
+ dh_install -a
+ dh_apparmor -pioquake3 --profile-name=usr.lib.ioquake3.ioquake3
+ dh_apparmor -pioquake3-server --profile-name=usr.lib.ioquake3.ioq3ded
+endif
+
override_dh_strip:
dh_strip --dbg-package=ioquake3-dbg
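Review bot: The new `ifeq ($(DEB_HOST_ARCH_OS),linux)` guard depends on `DEB_HOST_ARCH_OS` being set when the makefile is parsed, and the hunk does not show where that happens. If the value only comes from the environment of dpkg-buildpackage, running `debian/rules` directly would silently skip both `dh_apparmor` calls. The two `.install` files in this commit still ship the profiles into `etc/apparmor.d` unconditionally, so the profile would be present without the maintainer-script handling that loads it. Unless the variable is already defined earlier in the file, add `include /usr/share/dpkg/architecture.mk` or `DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)` near the top. `override_dh_auto_install` begins outside this hunk.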
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/ioquake3.git