From 7359b017129be9048cfddeb214e7cfad0b159656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
Date: Fri, 3 Dec 2021 14:05:01 +0100
Subject: [PATCH] Add AppArmor rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
---
debian/apparmor.d/usr.libexec.geoclue | 31 +++++++++++++++++++++++++++
debian/geoclue-2.0.install | 1 +
2 files changed, 32 insertions(+)
create mode 100644 debian/apparmor.d/usr.libexec.geoclue
diff --git a/debian/apparmor.d/usr.libexec.geoclue b/debian/apparmor.d/usr.libexec.geoclue
new file mode 100644
index 0000000..871ab42
--- /dev/null
+++ b/debian/apparmor.d/usr.libexec.geoclue
@@ -0,0 +1,31 @@
+#include <tunables/global>
+
+/usr/libexec/geoclue {
+ #include <abstractions/chaiwala-base>
+ #include <abstractions/dbus-strict>
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus),
+ dbus bind bus=system name=org.freedesktop.GeoClue2,
+ dbus (send, receive) bus=system peer=(label=unconfined),
+ dbus (send, receive) bus=system peer=(label=avahi-daemon),
+
+ network netlink,
+ network inet,
+ network inet6,
+
+ /etc/gai.conf r,
+ /etc/geoclue/ r,
+ /etc/geoclue/** r,
+ /etc/hosts r,
+ /etc/host.conf r,
+ /etc/nsswitch.conf r,
+ /etc/ssl/openssl.cnf r,
+ /run/connman/resolv.conf r,
+
+ @{PROC}/@{pid}/cgroup r,
+}
diff --git a/debian/geoclue-2.0.install b/debian/geoclue-2.0.install
index a0b40fe..cb8bd44 100644
--- a/debian/geoclue-2.0.install
+++ b/debian/geoclue-2.0.install
@@ -1,3 +1,4 @@
+debian/apparmor.d/* /etc/apparmor.d/
debian/local/geoclue-2.0.pkla var/lib/polkit-1/localauthority/10-vendor.d/
debian/local/geoclue-2.0.rules usr/share/polkit-1/rules.d/
etc/dbus-1/system.d/
--
GitLab