Am Sonntag, 27. Juni 2021, 15:48:26 CEST schrieb Christian Boltz:
Hello,
since some days, we have a new subpackage akonadi-server-apparmor in Tumbleweed which contains AppArmor profiles for Akonadi.
If you use KMail or another program from the Kontact suite that uses Akonadi as a backend, please install that package and report back if the profiles work for you or if they need adjustments.
Short version: zypper in akonadi-server-apparmor then re-login (or reboot or "akonadictl restart") to enable enforcement of the profiles on Akonadi.
In case of problems, please switch the profiles to complain mode so that they allow everything and log what would be denied: aa-complain /etc/apparmor.d/*akonadi* Later grep akonadi /var/log/audit/audit.log and attach the result to a bugreport. (Also, don't forget to aa-enforce the profiles again once they are complete.)
Please also let me know if the profiles "just work" for you, for example with a short mail. In this case, please include a notice which database backend you use, and if you let Akonadi start the database server or if you use the system-wide database server.
I use Akonadi with the system-wide MariaDB, so that usecase should already be covered by the profiles. I also know that the profiles are shipped in Debian since a while, therefore I don't expect too many problems with them.
Longer-term, I hope that we can install these profiles for everybody (via Recommends:), but of course that depends on the testing results.
Note: These profiles are for the Akonadi backend. They will not restrict KMail itsself - which would be quite difficult because for example "save attachment as..." would require write permissions everywhere.
Regards,
Christian Boltz
Doesn't work: akonadictl restart org.kde.pim.akonadictl: Starting Akonadi Server... org.kde.pim.akonadictl: done. Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString) AW@linux-izun:~> org.kde.pim.akonadiserver: Starting up the Akonadi Server... (QFileInfo(/usr/lib/postgresql/bin), QFileInfo(/usr/lib/postgresql/lib64)) org.kde.pim.akonadiserver: Could not start database server! org.kde.pim.akonadiserver: executable: "/usr/bin/pg_ctl" org.kde.pim.akonadiserver: arguments: ("start", "-w", "--timeout=10", "-- pgdata=/home/AW/.local/share/akonadi/db_data", "-o \"-k/tmp/akonadi-AW.hash\" -h ''") org.kde.pim.akonadiserver: process error: "execvp: Permission denied" org.kde.pim.akonadiserver: Failed to remove runtime connection config file org.kde.pim.akonadiserver: Shutting down AkonadiServer... org.kde.pim.akonadicontrol: Application '/usr/bin/akonadiserver' exited normally... ^C I'm using thre postgresql server. Regards, Alexander