[Pkg-privacy-commits] [ricochet-im] 01/03: Update apparmor profile and install it

Ximin Luo infinity0 at debian.org
Thu Oct 19 22:05:37 UTC 2017



infinity0 pushed a commit to branch master
in repository ricochet-im.

commit c5cbb05ba777a06b1d1945ee1af41e01e47c9fcd
Author: Ximin Luo <infinity0 at debian.org>
Date:   Fri Oct 20 00:02:49 2017 +0200

    Update apparmor profile and install it
---
 debian/changelog                                   |  8 ++
 debian/control                                     |  1 +
 .../a22c729b3e912794a8af65879ed1b38573385657.diff  | 92 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 debian/rules                                       |  8 +-
 5 files changed, 109 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 31d442c..eb3a223 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ricochet-im (1.1.4-2) UNRELEASED; urgency=medium
+
+  * Backport an upstream patch improving apparmor support. It is also now
+    installed into the right place on Debian systems, and should "just work"
+    if you have apparmor enabled.
+
+ -- Ximin Luo <infinity0 at debian.org>  Thu, 19 Oct 2017 19:36:25 +0200
+
 ricochet-im (1.1.4-1) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/control b/debian/control
index 9079d3c..b5ad688 100644
--- a/debian/control
+++ b/debian/control
@@ -4,6 +4,7 @@ Priority: optional
 Maintainer: Debian Privacy Tools Maintainers <pkg-privacy-maintainers at lists.alioth.debian.org>
 Uploaders: Ximin Luo <infinity0 at debian.org>
 Build-Depends: debhelper (>= 9),
+ dh-apparmor,
  libssl-dev,
  pkg-config,
  libprotobuf-dev,
diff --git a/debian/patches/a22c729b3e912794a8af65879ed1b38573385657.diff b/debian/patches/a22c729b3e912794a8af65879ed1b38573385657.diff
new file mode 100644
index 0000000..1f3b205
--- /dev/null
+++ b/debian/patches/a22c729b3e912794a8af65879ed1b38573385657.diff
@@ -0,0 +1,92 @@
+--- a/contrib/usr.bin.ricochet-apparmor
++++ b/contrib/usr.bin.ricochet-apparmor
+@@ -1,43 +1,51 @@
++# Last Modified: Mon Jul 17 00:25:38 2017
++#include <tunables/global>
++
+ # AppArmor Ricochet profile for Debian GNU/Linux
+ # This profile is Free Software and released under the same license as Ricochet
+ # itself.
+ #
+ # Copyleft 2015 Jacob Appelbaum <jacob at appelbaum.net>
+ #
+-#include <tunables/global>
++
+ 
+ /usr/bin/ricochet {
++  #include <abstractions/audio>
+   #include <abstractions/kde>
+   #include <abstractions/nameservice>
+-  #include <abstractions/audio>
++
++  /usr/lib/** mr,
+ 
+   # Allow TCP connections
+   network inet stream,
+   network inet6 stream,
+ 
+-  /usr/lib/** mr,
+-
+   # Allow Ricochet to exec pulseaudio
+   # This makes me very sad...
+   # as it seems that you can't isolate playing and recording :(
+-  /usr/bin/pulseaudio ixr,
++  /usr/bin/pulseaudio rix,
+ 
+   # Allow Ricochet to exec tor
+-  /usr/bin/tor ixr,
++  /usr/bin/tor rix,
++  # Tor in turn needs various things
+   /usr/share/tor/geoip  r,
+   /usr/share/tor/geoip6 r,
+-  # Tor in turn needs various things
+   /proc/sys/kernel/random/uuid r,
+   /sys/devices/system/cpu/ r,
++  # Allow Ricochet to read tor daemons auth cookie
++  /run/tor/control.authcookie r,
+ 
+   # Allow Ricochet to read itself
+   /usr/bin/ricochet r,
+   /proc/[0-9]*/cmdline r,
++  /proc/[0-9]*/environ r,
+ 
+   # Allow Ricochet to generate audio
+   owner /{dev,run}/shm/pulse-shm* m,
+ 
+   # Allow Ricochet to draw the UX
++  /dev/dri/ r,
++  /sys/devices/pci[0-9]*/**/config r,
+   /sys/devices/pci[0-9]*/**/uevent r,
+   /run/udev/data/* r,
+ 
+@@ -50,8 +58,7 @@
+   # Why does it need this stuff? BAD NEWS BEARS
+   /etc/machine-id r,
+   /var/lib/dbus/machine-id r,
+-  /etc/udev/udev.conf r,
+ 
+   owner @{HOME}/.local/share/Ricochet/ rw,
+-  owner @{HOME}/.local/share/Ricochet/** rwmk,
++  owner @{HOME}/.local/share/Ricochet/** mrwk,
+ }
+--- a/ricochet.pro
++++ b/ricochet.pro
+@@ -62,6 +62,18 @@
+         scalable_icon.path = /usr/share/icons/hicolor/scalable/apps/
+         scalable_icon.files = icons/ricochet.svg
+         INSTALLS += target shortcut icon scalable_icon
++        QMAKE_CLEAN += contrib/usr.bin.ricochet
++        contains(DEFINES, APPARMOR) {
++            apparmor_profile.extra = cp -f $${_PRO_FILE_PWD_}/contrib/usr.bin.ricochet-apparmor $${_PRO_FILE_PWD_}/contrib/usr.bin.ricochet
++            apparmor_profile.files = contrib/usr.bin.ricochet
++            QMAKE_CLEAN += contrib/usr.bin.ricochet
++            !isEmpty(APPARMORDIR) {
++                    apparmor_profile.path = $${APPARMORDIR}/
++            } else {
++                    apparmor_profile.path = /etc/apparmor.d/
++            }
++            INSTALLS += apparmor_profile
++        }
+ 
+         exists(tor) {
+             message(Adding bundled Tor to installations)
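Review bot: The added profile rule `/proc/[0-9]*/environ r,` grants read access to the environment of every process on the system, not only Ricochet's own, while the rest of the profile scopes home and shm access with `owner`; the same qualifier fits here, `owner /proc/[0-9]*/environ r,`, and the pre-existing `/proc/[0-9]*/cmdline r,` has the same broad form. Reading another process's environ is additionally gated by the kernel's own access checks, but the profile should still not grant more than the application needs, since environment blocks commonly carry credentials. Because this file is a backported upstream commit, the narrowing is best carried as a separate Debian patch or raised upstream rather than edited inside the backport. In the `ricochet.pro` hunk, `QMAKE_CLEAN += contrib/usr.bin.ricochet` is appended twice, once before and once inside the `contains(DEFINES, APPARMOR)` block, so one of the two is redundant.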
diff --git a/debian/patches/series b/debian/patches/series
index 08b29a1..0bd19df 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 rename-desktop-file.patch
+a22c729b3e912794a8af65879ed1b38573385657.diff
diff --git a/debian/rules b/debian/rules
index ab9cd62..824b501 100755
--- a/debian/rules
+++ b/debian/rules
@@ -25,7 +25,13 @@ export QT_SELECT = qt5
 	dh $@
 
 override_dh_auto_configure:
-	dh_auto_configure -- CONFIG+=release DEFINES+=RICOCHET_NO_PORTABLE
+	dh_auto_configure -- CONFIG+=release DEFINES+=RICOCHET_NO_PORTABLE DEFINES+=APPARMOR
+
+override_dh_install:
+	dh_install
+	# work around upstream bug, see https://github.com/ricochet-im/ricochet/pull/549#issuecomment-337991027
+	install -t debian/ricochet-im/etc/apparmor.d/ contrib/usr.bin.ricochet
+	dh_apparmor --profile-name=usr.bin.ricochet -pricochet-im
 
 override_dh_auto_clean:
 	dh_auto_clean
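Review bot: `install -t debian/ricochet-im/etc/apparmor.d/ contrib/usr.bin.ricochet` installs the profile with install's default mode 0755 and fails if the target directory does not already exist; an AppArmor profile is a plain configuration file, so `install -D -m 0644 contrib/usr.bin.ricochet debian/ricochet-im/etc/apparmor.d/usr.bin.ricochet` both creates the directory and gives the conventional 0644 permissions. The recipe also assumes `contrib/usr.bin.ricochet` was produced by the `apparmor_profile.extra` copy step during the qmake install before `dh_install` runs, which cannot be confirmed from this hunk; if that ordering is not guaranteed, copying from `contrib/usr.bin.ricochet-apparmor` directly would make the workaround self-contained. The `# work around upstream bug ...` line sits inside the recipe, so make echoes it to the shell on every build; moving it above `override_dh_install:` keeps the same explanation without the noise.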
