[game-data-packager] 279/293: quake4*: add experimental AppArmor profiles

Simon McVittie smcv at debian.org
Fri Oct 14 00:12:33 UTC 2016


This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch quake
in repository game-data-packager.

commit 43a5e794ad5d322f5cd9141844eb63980d5313ef
Author: Simon McVittie <smcv at debian.org>
Date:   Wed Jan 20 07:53:01 2016 +0000

    quake4*: add experimental AppArmor profiles
---
 debian/apparmor.d/usr.lib.quake4.q4ded.x86  | 23 ++++++++
 debian/apparmor.d/usr.lib.quake4.quake4.x86 | 83 +++++++++++++++++++++++++++++
 debian/changelog                            |  1 +
 debian/control                              |  1 +
 debian/copyright                            |  7 ++-
 debian/quake4-server.install                |  1 +
 debian/quake4.install                       |  1 +
 debian/rules                                |  5 ++
 8 files changed, 120 insertions(+), 2 deletions(-)

diff --git a/debian/apparmor.d/usr.lib.quake4.q4ded.x86 b/debian/apparmor.d/usr.lib.quake4.q4ded.x86
new file mode 100644
index 0000000..0cb15cb
--- /dev/null
+++ b/debian/apparmor.d/usr.lib.quake4.q4ded.x86
@@ -0,0 +1,23 @@
+# Quake 4 dedicated server AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Redistribution and use in source and compiled forms, with or without
+# modification, are permitted under any circumstances. No warranty.
+
+#include <tunables/global>
+
+/usr/lib/quake4/q4ded.x86 flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+
+  /etc/quake4-server/** r,
+  /usr/lib/quake4/q4ded.x86 mr,
+  /usr/lib/quake4/* r,
+  /usr/share/games/quake4/** r,
+  owner @{HOME}/.quake4/** rwk,
+  owner /var/games/quake4-server/** rwk,
+}
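Review bot: The `**` rules here cover what lies under each directory but, as far as I know, not the directory itself, so once `flags=(complain)` is dropped the server would probably be denied listing or creating `/var/games/quake4-server/` and `@{HOME}/.quake4/`. Until then the same accesses only appear as complain-mode log entries. Consider `owner /var/games/quake4-server/{,**} rwk,` and `owner @{HOME}/.quake4/{,**} rwk,`, plus `/etc/quake4-server/{,**} r,` if the server lists its config directory. The same pattern appears in both client profiles in usr.lib.quake4.quake4.x86. A header comment such as `# complain mode: violations are logged, not blocked` would also tell administrators that this profile does not yet confine the server.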
diff --git a/debian/apparmor.d/usr.lib.quake4.quake4.x86 b/debian/apparmor.d/usr.lib.quake4.quake4.x86
new file mode 100644
index 0000000..efdb170
--- /dev/null
+++ b/debian/apparmor.d/usr.lib.quake4.quake4.x86
@@ -0,0 +1,83 @@
+# Quake 4 client AppArmor profile
+# Copyright © 2016 Simon McVittie
+# Redistribution and use in source and compiled forms, with or without
+# modification, are permitted under any circumstances. No warranty.
+
+#include <tunables/global>
+
+/usr/lib/quake4/quake4.x86 flags=(complain) {
+  #include <abstractions/X>
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/nvidia>
+  #include <abstractions/private-files-strict>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+
+  /usr/lib/quake4/quake4.x86 mr,
+  /usr/lib/quake4/* r,
+  /usr/share/games/quake4/** r,
+  owner @{HOME}/.quake4/** rwk,
+
+  # the audio and X abstractions don't allow mmapping these
+  /dev/dri/* m,
+  owner /{run,dev}/shm/pulse-shm* m,
+
+  # udev device enumeration
+  /etc/udev/udev.conf r,
+  /run/udev/data/+pci:* r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+
+  /usr/bin/xdg-open Cxr -> xdgopen,
+
+  profile xdgopen flags=(complain) {
+    #include <abstractions/base>
+    #include <abstractions/ubuntu-browsers>
+    #include <abstractions/ubuntu-helpers>
+    /usr/bin/xdg-open rm,
+    /{usr/,}bin/dash rmix,
+  }
+}
+
+/usr/lib/quake4/quake4smp.x86 flags=(complain) {
+  #include <abstractions/X>
+  #include <abstractions/audio>
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/nvidia>
+  #include <abstractions/private-files-strict>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+
+  /usr/lib/quake4/quake4smp.x86 mr,
+  /usr/lib/quake4/libSDL-1.2.id.so.0 mr,
+  /usr/lib/quake4/* r,
+  /usr/share/games/quake4/** r,
+  owner @{HOME}/.quake4/** rwk,
+
+  # the audio and X abstractions don't allow mmapping these
+  /dev/dri/* m,
+  owner /{run,dev}/shm/pulse-shm* m,
+
+  # udev device enumeration
+  /etc/udev/udev.conf r,
+  /run/udev/data/+pci:* r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+
+  /usr/bin/xdg-open Cxr -> xdgopen,
+
+  profile xdgopen flags=(complain) {
+    #include <abstractions/base>
+    #include <abstractions/ubuntu-browsers>
+    #include <abstractions/ubuntu-helpers>
+    /usr/bin/xdg-open rm,
+    /{usr/,}bin/dash rmix,
+  }
+}
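Review bot: The `xdgopen` child profile pulls in `abstractions/ubuntu-browsers` and `abstractions/ubuntu-helpers`, which as far as I know let whatever browser or helper xdg-open launches run under a deliberately lenient helper profile, so this transition is the widest grant in the file and deserves a comment saying so. Something like `# xdg-open hands URLs to the desktop browser; the launched program is only loosely confined` above the `/usr/bin/xdg-open Cxr -> xdgopen,` rule would document the trade-off for whoever later moves the profile to enforce mode. The quake4.x86 and quake4smp.x86 profiles are also near-identical copies (the SMP one only adds the `libSDL-1.2.id.so.0 mr` rule), so a shared include or a single profile attached to `/usr/lib/quake4/quake4{,smp}.x86` would keep them from drifting apart.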
diff --git a/debian/changelog b/debian/changelog
index 654ca5b..4ff796d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,7 @@ quake (17) UNRELEASED; urgency=medium
     (<https://github.com/ValveSoftware/steam-for-linux/issues/3855>)
   * quake*.desktop: stop using Roman numerals, so they sort in
     the correct order
+  * quake4*: add experimental AppArmor profiles
 
  -- Simon McVittie <smcv at debian.org>  Thu, 10 Dec 2015 00:44:21 +0100
 
diff --git a/debian/control b/debian/control
index 6665889..57c669b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Section: contrib/games
 Priority: optional
 Build-Depends:
  debhelper (>= 9),
+ dh-apparmor [i386],
  dh-systemd,
  imagemagick,
  inkscape,
diff --git a/debian/copyright b/debian/copyright
index 8c20cc4..9c891a9 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -26,8 +26,11 @@ Copyright:
   © 2015 Alexandre Detiste
 License: GPL-2+
 
-Files: quake1+2.svg
-Copyright: © 2011 Simon McVittie
+Files:
+ quake1+2.svg
+ debian/apparmor.d/*
+Copyright:
+ © 2011-2016 Simon McVittie
 License: ikiwiki-basewiki
   Redistribution and use in source and compiled forms, with or without
   modification, are permitted under any circumstances. No warranty.
diff --git a/debian/quake4-server.install b/debian/quake4-server.install
index 308425c..b185375 100644
--- a/debian/quake4-server.install
+++ b/debian/quake4-server.install
@@ -1,3 +1,4 @@
 README.quake4-data usr/share/doc/quake4-server
 build/quake4-dedicated usr/games
 debian/q4/server.cfg etc/quake4-server
+debian/apparmor.d/usr.lib.quake4.q4ded.x86 etc/apparmor.d
diff --git a/debian/quake4.install b/debian/quake4.install
index 621bd4f..7d86e05 100644
--- a/debian/quake4.install
+++ b/debian/quake4.install
@@ -11,3 +11,4 @@ README.quake4-data                      usr/lib/quake4
 need-data.sh                            usr/lib/quake4
 confirm-binary-only.sh                  usr/lib/quake4
 quake4.desktop                          usr/share/applications
+debian/apparmor.d/usr.lib.quake4.quake4.x86 etc/apparmor.d
diff --git a/debian/rules b/debian/rules
index ade9d70..6066f55 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,6 +6,11 @@
 override_dh_auto_build:
 	dh_auto_build -- distro=$(shell dpkg-vendor --query Vendor)
 
+override_dh_install-arch:
+	dh_install -a
+	dh_apparmor -pquake4 --profile-name=usr.lib.quake4.quake4.x86
+	dh_apparmor -pquake4-server --profile-name=usr.lib.quake4.q4ded.x86
+
 override_dh_installinit:
 	dh_installinit -pquake4-server --noscripts
 	dh_installinit -petqw-server --noscripts
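Review bot: `override_dh_install-arch` calls `dh_apparmor` unconditionally, while the Build-Depends entry added in debian/control is `dh-apparmor [i386]`. If this source ever builds an architecture-dependent package on another architecture, the tool will be missing and the build will stop at this target. Either drop the `[i386]` qualifier or guard the two `dh_apparmor` calls on the host architecture. The package stanzas are not visible in this diff, so if the restriction is intentional, a comment such as `# quake4 packages are i386-only; profiles are installed only there` above the target would record why.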

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/game-data-packager.git


