author | Cameron Norman <camerontnorman@gmail.com> | 2017-10-10 23:18:22 -0700 |
---|---|---|
committer | Cameron Norman <camerontnorman@gmail.com> | 2017-10-10 23:24:21 -0700 |
commit | 122a26ac790c56a124397966293ddf110f768db8 (patch) | |
tree | 832e8e2c7dda78c66e1a2d2afaa7991494666cca | |
parent | Merge pull request #527 from jonls/fix-osx-build (diff) | |
Add AppArmor profile
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.am | 20 | ||||
-rw-r--r-- | configure.ac | 16 | ||||
-rw-r--r-- | data/apparmor/usr.bin.redshift.in | 42 |
4 files changed, 77 insertions, 2 deletions
@@ -56,6 +56,7 @@ src/redshift-gtk/__pycache__/
 /data/appdata/redshift-gtk.appdata.xml
 /data/applications/redshift.desktop
 /data/applications/redshift-gtk.desktop
+/data/apparmor/usr.bin.redshift
 *.su
 *.gch
diff --git a/Makefile.am b/Makefile.am
index 3f941d6..7e58f08 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -39,6 +39,9 @@ SYSTEMD_USER_UNIT_IN_FILES = \
 APPDATA_IN_FILES = \
 data/appdata/redshift-gtk.appdata.xml.in
+APPARMOR_IN_FILES = \
+ data/apparmor/usr.bin.redshift.in
+
 # Icons
 if ENABLE_GUI
@@ -103,6 +106,17 @@ appdata_DATA = $(APPDATA_IN_FILES:.xml.in=.xml)
 endif
+# AppArmor profile
+if ENABLE_APPARMOR
+apparmordir = @sysconfdir@/apparmor.d
+apparmor_DATA = $(APPARMOR_IN_FILES:.in=)
+
+$(apparmor_DATA): $(APPARMOR_IN_FILES) Makefile
+ $(AM_V_GEN)$(MKDIR_P) $(@D) && \
+ sed -e "s|\@bindir\@|$(bindir)|g" "$(srcdir)/$(@:=.in)" > $@
+endif
+
+
 EXTRA_DIST = \
 $(EXTRA_ROOTDOC_FILES) \
@@ -111,12 +125,14 @@ EXTRA_DIST = \
 $(_UBUNTU_MONO_LIGHT_FILES) \
 $(DESKTOP_IN_FILES) \
 $(SYSTEMD_USER_UNIT_IN_FILES) \
- $(APPDATA_IN_FILES)
+ $(APPDATA_IN_FILES) \
+ $(APPARMOR_IN_FILES)
 CLEANFILES = \
 $(desktop_DATA) \
 $(systemduserunit_DATA) \
- $(appdata_DATA)
+ $(appdata_DATA) \
+ $(apparmor_DATA)
 # Update PO translations
diff --git a/configure.ac b/configure.ac
index 14663e2..be0b51a 100644
--- a/configure.ac
+++ b/configure.ac
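Review bot: In the Makefile.am hunk at `@@ -103,6 +106,17 @@`, `apparmordir = @sysconfdir@/apparmor.d` follows the configure prefix, so with Autoconf's default prefix the profile lands in `/usr/local/etc/apparmor.d`, whereas AppArmor's standard profile directory is `/etc/apparmor.d`; a build configured with `--enable-apparmor` can then report the profile as enabled while redshift runs unconfined. Nothing in the visible rule loads the profile either, so installing it does not by itself put it into effect. Consider a dedicated directory option modelled on the `with_systemduserunitdir` handling visible in configure.ac, or at least a comment such as `# Installed only: the profile must sit in AppArmor's profile directory and be loaded by the packager`. Separately, the recipe redirects sed straight into `$@`, so a failed sed leaves a truncated profile that looks up to date; writing to `$@.tmp` and renaming it onto `$@` would avoid that.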
@@ -331,6 +331,21 @@ AS_IF([test -n "$with_systemduserunitdir" -a "x$with_systemduserunitdir" != xno]
 AM_CONDITIONAL([ENABLE_SYSTEMD], [test "x$enable_systemd" != xno])
+# Check for AppArmor
+AC_MSG_CHECKING([whether to enable AppArmor profile])
+AC_ARG_ENABLE([apparmor], [AC_HELP_STRING([--enable-apparmor],
+ [enable AppArmor profile])],
+ [enable_apparmor=$enableval],[enable_apparmor=no])
+AS_IF([test "x$enable_apparmor" != xno], [
+ AC_MSG_RESULT([yes])
+ enable_apparmor=yes
+], [
+ AC_MSG_RESULT([no])
+ enable_apparmor=no
+])
+AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" != xno])
+
+
 # Checks for header files.
 AC_CHECK_HEADERS([locale.h stdint.h stdlib.h string.h unistd.h signal.h])
@@ -373,4 +388,5 @@ echo "
 GUI: ${enable_gui}
 Ubuntu icons: ${enable_ubuntu}
 systemd units: ${enable_systemd} ${systemduserunitdir}
+ AppArmor profile: ${enable_apparmor}
 "
diff --git a/data/apparmor/usr.bin.redshift.in b/data/apparmor/usr.bin.redshift.in
new file mode 100644
index 0000000..d6696db
--- /dev/null
+++ b/data/apparmor/usr.bin.redshift.in
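Review bot: `AC_HELP_STRING` in the new `AC_ARG_ENABLE([apparmor], …)` call of the `@@ -331,6 +331,21 @@` hunk is the obsolete spelling; Autoconf documents `AS_HELP_STRING` as its replacement, so the argument would read `[AS_HELP_STRING([--enable-apparmor], [install AppArmor profile])]`. If the rest of configure.ac still uses the old macro, keeping it for consistency is defensible, but that is outside this hunk. The help text "enable AppArmor profile" also overstates what the option does: as far as the diff shows it only installs the profile file, and no check for AppArmor itself is made here, so "install" is the more accurate verb.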
@@ -0,0 +1,42 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+@bindir@/redshift {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/dbus-strict>
+ #include <abstractions/X>
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/GeoClue2/Client/[0-9]*,
+
+ dbus receive
+ bus=system
+ path=/org/freedesktop/GeoClue2/Manager,
+
+ # Allow but log any other dbus activity
+ audit dbus bus=system,
+
+ owner @{HOME}/.config/redshift.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.redshift>
+} |
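Review bot: The rule `audit dbus bus=system,` grants every D-Bus permission on the system bus towards any peer, which makes the two GeoClue2-specific rules above it redundant and undoes the narrowing that `abstractions/dbus-strict` is meant to provide; the `audit` qualifier only logs the access, it does not restrict it. AppArmor already logs denied operations, so the catch-all can be dropped once the required calls are enumerated, or at least scoped to the one service, e.g. `audit dbus (send, receive) bus=system peer=(name=org.freedesktop.GeoClue2),`. The `dbus send` and `dbus receive` rules would likewise be tighter with `interface=` and `peer=` conditions. Separately, `#include <local/usr.bin.redshift>` names a file this commit does not create, and a parser that treats a missing include as an error will refuse to load the profile unless packaging provides that file.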