From: Philip Hands <phil@hands.com>
Date: Tue, 14 Sep 2021 12:32:44 +0200
Subject: Debian specific apparmor changes
Forwarded: not-needed
* apparmor access for local assets (debian only)
* reverse upstream inclusion of openqa-trigger-from-obs access
---
profiles/apparmor.d/usr.share.openqa.script.openqa | 66 +++-------------------
1 file changed, 8 insertions(+), 58 deletions(-)
diff --git a/profiles/apparmor.d/usr.share.openqa.script.openqa b/profiles/apparmor.d/usr.share.openqa.script.openqa
index 4a72e0a..3c150a3 100644
--- a/profiles/apparmor.d/usr.share.openqa.script.openqa
+++ b/profiles/apparmor.d/usr.share.openqa.script.openqa
@@ -101,6 +101,14 @@
owner /var/lib/openqa/share/tests/** rwl,
owner /var/lib/openqa/archive/** rwl,
+ # Debian specific access to local assets
+ /usr/share/fonts/*/fork-awesome/* r,
+ /usr/share/fonts-fork-awesome/css/* r,
+ /usr/share/javascript/** r,
+ /usr/share/sass/bootstrap/** r,
+ /usr/share/bootstrap-html/** r,
+ /usr/share/nodejs/** r,
+
profile /usr/bin/ssh {
#include <abstractions/base>
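Review bot: the two recursive rules `/usr/share/javascript/** r,` and `/usr/share/nodejs/** r,` are much broader than the fork-awesome and bootstrap rules beside them, giving the profile read access to every file under those trees instead of only the assets the web UI serves. Consider narrowing them to the specific library directories openQA loads, or extend the `# Debian specific access to local assets` comment to say why the whole tree is needed. The new rules are read-only and carry no `owner` qualifier, which is appropriate for package-installed files, so the remaining question is scope.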
@@ -117,64 +125,6 @@
}
- # Cover hook script "openqa-trigger-from-obs"
-
- #include <abstractions/bash>
- #include <abstractions/openssl>
-
- /opt/openqa-trigger-from-obs/ r,
- /opt/openqa-trigger-from-obs/** r,
- /opt/openqa-trigger-from-obs/*:*/.* rw,
- /opt/openqa-trigger-from-obs/*:*/*/.* rw,
- /opt/openqa-trigger-from-obs/*:*/*.lst rw,
- /opt/openqa-trigger-from-obs/*:*/*/*.lst rw,
- /opt/openqa-trigger-from-obs/*:*/*products* rw,
- /opt/openqa-trigger-from-obs/*:*/*/*products* rw,
-
- /opt/os-autoinst-scripts/** rix,
- /usr/share/openqa/script/client rix,
- /usr/share/openqa/script/openqa-cli px,
- /usr/share/openqa/script/openqa-clone-job mrix,
- /usr/share/openqa/script/openqa-clone-job r,
- /{usr/,}bin/{b,d}ash rix,
- /usr/bin/cat rix,
- /usr/bin/curl rix,
- /usr/bin/date mrix,
- /usr/bin/cp ix,
- /usr/bin/dirname ix,
- /usr/bin/env mrix,
- /usr/bin/gawk mrix,
- /usr/bin/grep mrix,
- /usr/bin/head mrix,
- /usr/bin/hxselect mrix,
- /usr/bin/hxnormalize mrix,
- /usr/bin/jq rix,
- /usr/bin/markdown rix,
- /usr/bin/Markdown.pl rix,
- /usr/bin/mv ix,
- /usr/bin/mktemp rix,
- /usr/sbin/sendmail ix,
- /etc/postfix/main.cf r,
- /usr/sbin/postdrop ix,
- /var/spool/postfix/maildrop rw,
- /var/spool/postfix/maildrop/* rwl,
- /usr/bin/mailx ix,
- /usr/bin/openqa-cli rix,
- /usr/bin/perl ix,
- /usr/bin/python3 ix,
- /usr/bin/python3.6 ix,
- /usr/bin/rm rix,
- /usr/bin/rsync mrix,
- /usr/bin/sed mrix,
- /usr/bin/tac mrix,
- /usr/bin/tail mrix,
- /usr/bin/wget ix,
- /usr/bin/seq rix,
-
- owner /var/log/openqa_gru wk,
-
- /opt/openqa-trigger-from-obs/script/rsync.sh px -> /opt/openqa-trigger-from-obs/script/rsync.sh,
-
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.share.openqa.script.openqa>
}
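Review bot: the removed block takes out more than the `/opt/openqa-trigger-from-obs/` paths: `#include <abstractions/bash>`, `#include <abstractions/openssl>` and `owner /var/log/openqa_gru wk,` go with it, and nothing in the hunk shows that these were needed only by the hook script. Confirm that no other code path confined by this profile depends on them (the gru log rule in particular), and keep those lines if one does. Dropping the `ix`/`mrix` grants for `curl`, `wget`, `perl`, `python3` and `sendmail` tightens the profile, but the patch description only says "reverse upstream inclusion" without a reason; a sentence saying why the hook rules do not apply on Debian would help whoever rebases this against the next upstream change to the profile.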