Call for testing: Akonadi AppArmor profiles
Hello,

since some days, we have a new subpackage akonadi-server-apparmor in Tumbleweed which contains AppArmor profiles for Akonadi.

If you use KMail or another program from the Kontact suite that uses Akonadi as a backend, please install that package and report back if the profiles work for you or if they need adjustments.

Short version:

    zypper in akonadi-server-apparmor

then re-login (or reboot or "akonadictl restart") to enable enforcement of the profiles on Akonadi.

In case of problems, please switch the profiles to complain mode so that they allow everything and log what would be denied:

    aa-complain /etc/apparmor.d/*akonadi*

Later

    grep akonadi /var/log/audit/audit.log

and attach the result to a bugreport. (Also, don't forget to aa-enforce the profiles again once they are complete.)

Please also let me know if the profiles "just work" for you, for example with a short mail. In this case, please include a notice which database backend you use, and if you let Akonadi start the database server or if you use the system-wide database server.

I use Akonadi with the system-wide MariaDB, so that use case should already be covered by the profiles. I also know that the profiles are shipped in Debian since a while, therefore I don't expect too many problems with them.

Longer-term, I hope that we can install these profiles for everybody (via Recommends:), but of course that depends on the testing results.

Note: These profiles are for the Akonadi backend. They will not restrict KMail itself - which would be quite difficult because for example "save attachment as..." would require write permissions everywhere.

Regards,
Christian Boltz
--
The clean solution would be to kick out the whole freedesktop crap. At least would be nice if freedesktop would only break desktop related stuff instead of whole systems. [Ruediger Meier in opensuse-factory]
On Sunday, 27 June 2021 15:48:26 CEST, Christian Boltz wrote:
Please also let me know if the profiles "just work" for you, for example with a short mail. In this case, please include a notice which database backend you use, and if you let Akonadi start the database server or if you use the system-wide database server.
I use default settings, i.e. MariaDB with special instance started by Akonadi. I use a bunch of Akonadi resources (IMAP, ownCloud, OWA, Google, ...) and everything seems to work fine.
--
Vojtěch Zeisek
https://trapa.cz/
Komunita openSUSE GNU/Linuxu
Community of the openSUSE GNU/Linux
https://www.opensuse.org/
On Sunday, 27 June 2021, 15:48:26 CEST, Christian Boltz wrote:
Hello,
since some days, we have a new subpackage akonadi-server-apparmor in Tumbleweed which contains AppArmor profiles for Akonadi.
If you use KMail or another program from the Kontact suite that uses Akonadi as a backend, please install that package and report back if the profiles work for you or if they need adjustments.
Short version: zypper in akonadi-server-apparmor then re-login (or reboot or "akonadictl restart") to enable enforcement of the profiles on Akonadi.
In case of problems, please switch the profiles to complain mode so that they allow everything and log what would be denied: aa-complain /etc/apparmor.d/*akonadi* Later grep akonadi /var/log/audit/audit.log and attach the result to a bugreport. (Also, don't forget to aa-enforce the profiles again once they are complete.)
Please also let me know if the profiles "just work" for you, for example with a short mail. In this case, please include a notice which database backend you use, and if you let Akonadi start the database server or if you use the system-wide database server.
I use Akonadi with the system-wide MariaDB, so that usecase should already be covered by the profiles. I also know that the profiles are shipped in Debian since a while, therefore I don't expect too many problems with them.
Longer-term, I hope that we can install these profiles for everybody (via Recommends:), but of course that depends on the testing results.
Note: These profiles are for the Akonadi backend. They will not restrict KMail itself - which would be quite difficult because for example "save attachment as..." would require write permissions everywhere.
Regards,
Christian Boltz
Doesn't work:

akonadictl restart
org.kde.pim.akonadictl: Starting Akonadi Server...
org.kde.pim.akonadictl: done.
Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
AW@linux-izun:~> org.kde.pim.akonadiserver: Starting up the Akonadi Server...
(QFileInfo(/usr/lib/postgresql/bin), QFileInfo(/usr/lib/postgresql/lib64))
org.kde.pim.akonadiserver: Could not start database server!
org.kde.pim.akonadiserver: executable: "/usr/bin/pg_ctl"
org.kde.pim.akonadiserver: arguments: ("start", "-w", "--timeout=10", "--pgdata=/home/AW/.local/share/akonadi/db_data", "-o \"-k/tmp/akonadi-AW.hash\" -h ''")
org.kde.pim.akonadiserver: process error: "execvp: Permission denied"
org.kde.pim.akonadiserver: Failed to remove runtime connection config file
org.kde.pim.akonadiserver: Shutting down AkonadiServer...
org.kde.pim.akonadicontrol: Application '/usr/bin/akonadiserver' exited normally...
^C

I'm using the postgresql server.

Regards,
Alexander
Hello,

On Tuesday, 29 June 2021, 13:43:22 CEST, AW wrote:
On Sunday, 27 June 2021, 15:48:26 CEST, Christian Boltz wrote:
since some days, we have a new subpackage akonadi-server-apparmor in Tumbleweed which contains AppArmor profiles for Akonadi.
[...]
Doesn't work:
[...]
AW@linux-izun:~> org.kde.pim.akonadiserver: Starting up the Akonadi Server...
(QFileInfo(/usr/lib/postgresql/bin), QFileInfo(/usr/lib/postgresql/lib64))
org.kde.pim.akonadiserver: Could not start database server!
[...]
I'm using the postgresql server.
OK, this means the profiles will need some changes to work with Postgresql.

Please switch the profiles to complain mode with (as root)

    aa-complain /etc/apparmor.d/*akonadi*

This will allow everything (so Akonadi will work again) and log what would be denied. The logging will go into /var/log/audit/audit.log - after using Akonadi for a while, either open a bugreport and attach audit.log, or send it to me by mail (off-list) so that I can fix the profiles.

Regards,
Christian Boltz

PS: Thanks to Vojtěch and Marius for the positive feedback with MariaDB.
@Marius: Restarting AppArmor is not really needed - the package loads the profiles in %post.
--
Just if you wonder: Most of the time, people there are asking questions about RPMs on download.opensuse.org that are not there any more, because OBS did a rebuild... [Lars Vogdt in heroes about mails to webmaster@o.o]
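One way to condense the complain-mode log requested above before attaching it to a bug report, as an added example that is not part of the original thread or of the akonadi-server-apparmor package. The sample records are constructed, and the profile name "akonadiserver" is an assumption; filtering on the profile field instead of a plain grep skips unrelated lines that merely mention akonadi and decodes hex-encoded path names.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from the thread); the profile
# name "akonadiserver", pids and timestamps are assumptions for illustration.
SAMPLE_LOG = '''\
type=AVC msg=audit(1624966402.101:512): apparmor="ALLOWED" operation="exec" profile="akonadiserver" name="/usr/bin/pg_ctl" pid=4242 comm="akonadiserver" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1624966402.105:513): apparmor="ALLOWED" operation="exec" profile="akonadiserver" name="/usr/bin/pg_ctl" pid=4250 comm="akonadiserver" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1624966403.220:514): apparmor="DENIED" operation="open" profile="akonadiserver" name=2F686F6D652F41572F6D79206D61696C pid=4242 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1624966404.000:515): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="akonadiserver" pid=4300 comm="apparmor_parser"
type=USER_START msg=audit(1624966405.000:516): pid=4301 uid=0 msg='op=PAM:session_open acct="AW" exe="/usr/bin/akonadictl"'
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_record(line):
    """Return the fields of one AppArmor ALLOWED/DENIED record, else None."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in ("name", "profile", "comm") and HEX_RE.fullmatch(bare):
            # The audit subsystem hex-encodes values containing spaces or quotes.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None  # STATUS messages and non-AppArmor audit records
    return fields


def summarize(log_text, profile_substr="akonadi"):
    """Count unique (verdict, profile, operation, name, denied_mask) tuples."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or profile_substr not in rec.get("profile", ""):
            continue
        counts[(rec["apparmor"], rec["profile"], rec.get("operation", "?"),
                rec.get("name", "?"), rec.get("denied_mask", "?"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key, sep="\t")
```

ALLOWED rows are accesses that complain mode let through and logged; DENIED rows come from a profile that was still in enforce mode.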
Hello,

On Tuesday, 29 June 2021, 16:39:08 CEST, Christian Boltz wrote:
OK, this means the profiles will need some changes to work with Postgresql.
Alexander helped me (off-list) to update that profile and confirmed that everything works now. Thanks for the help!

The updated profile for Akonadi using Postgresql is included in one of the latest Tumbleweed snapshots (and was also accepted upstream).

So - whoever didn't install the akonadi-server-apparmor package yet, please do so now ;-)

Regards,
Christian Boltz
--
Yeah, Suuuse... soon they'll be creating a "system32" directory too. :-) [Ratti in fontlinge-devel]
On Sunday, 27 June 2021, 15:48:26 CEST, Christian Boltz wrote:
Short version: zypper in akonadi-server-apparmor then re-login (or reboot or "akonadictl restart") to enable enforcement of the profiles on Akonadi.
I assume before restarting Akonadi one should also start `apparmor.service`.
Please also let me know if the profiles "just work" for you, for example with a short mail.
It seems to work here. I'm also using MariaDB (but not the system-wide database).
participants (4)
- AW
- Christian Boltz
- Marius Kittler
- Vojtěch Zeisek