Package: fish
Severity: wishlist
Tags: patch

Hello,
I have attached a patch that will ship an apparmor profile to confine fishd (but not fish). I would be very appreciative if you tested and included it. See the following links for more information:

https://wiki.debian.org/AppArmor
https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
https://wiki.debian.org/AppArmor/Debug#Testing

Thank you,
-- 
Cameron Norman
diff --git a/debian/control b/debian/control index c1f9134..15b1679 100644 --- a/debian/control +++ b/debian/control @@ -14,6 +14,7 @@ Build-Depends: autoconf, doxygen, quilt, dh-autoreconf, + dh-apparmor, Standards-Version: 3.9.6 Homepage: http://fishshell.com/ Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/fish.git diff --git a/debian/copyright b/debian/copyright index 257b54b..fc5864b 100644 --- a/debian/copyright +++ b/debian/copyright @@ -22,6 +22,10 @@ Copyright: 2005-2009 James Vega <james...@jamessan.com> 2015 Tristan Seligmann <mithra...@debian.org> License: GPL-2 +Files: debian/usr.bin.fishd +Copyright: 2015 Cameron Norman <camerontnor...@gmail.com> +License: GPL-2 + Files: xdgmime.cpp xdgmime.h xdgmimealias.cpp xdgmimealias.h xdgmimeint.cpp xdgmimeint.h xdgmimemagic.cpp xdgmimemagic.h xdgmimeparent.cpp xdgmimeparent.h diff --git a/debian/fish-common.install b/debian/fish-common.install index 4ebd1b3..6852ccd 100644 --- a/debian/fish-common.install +++ b/debian/fish-common.install @@ -1,3 +1,4 @@ debian/tmp/etc debian/tmp/usr/share debian/completions/dupload.fish usr/share/fish/completions +debian/usr.bin.fishd etc/apparmor.d/ diff --git a/debian/rules b/debian/rules index 28c6cea..e863831 100755 --- a/debian/rules +++ b/debian/rules @@ -4,6 +4,10 @@ %: dh $@ --with autotools-dev,autoreconf --parallel +override_dh_install: + dh_apparmor --profile-name=usr.bin.fishd -pfish-common + dh_install + override_dh_strip: dh_strip --dbg-package=fish-dbg diff --git a/debian/usr.bin.fishd b/debian/usr.bin.fishd new file mode 100644 index 0000000..ca3c0ee --- /dev/null +++ b/debian/usr.bin.fishd 
@@ -0,0 +1,24 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2015 Cameron Norman <camerontnor...@gmail.com> +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +#include <tunables/global> +/usr/bin/fishd { + #include <abstractions/base> + + owner @{HOME}/.config/fish/fishd.* rw, + owner /{,var/}run/user/*/fishd.{socket,log.*} rw, + owner /{,var/}run/user/*/fishd.socket.lock* rwl, + owner /tmp/fishd.socket.* rwl, + owner /tmp/fish.*/ rw, + owner /tmp/fish.*/** rwl, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.bin.fishd> +}
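Review bot: in the debian/rules hunk, `dh_apparmor --profile-name=usr.bin.fishd -pfish-common` targets the same package that the fish-common.install hunk puts the profile into, so the postinst/postrm snippets land where the profile does; note that the profile's `#include <local/usr.bin.fishd>` line depends on dh_apparmor's postinst snippet creating that local file on first install, so the profile should not be loaded by any other path (e.g. a manual `apparmor_parser -r` before postinst runs) until that file exists.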
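Review bot: the usr.bin.fishd profile has no rule for the confined executable itself; profiles normally carry a `/usr/bin/fishd mr,` line so the binary can be mapped after the exec transition, and its absence is the first thing to look for in `audit` denials while following the Debug#Testing link in the report. For a first import it is also worth considering `/usr/bin/fishd flags=(complain) {` so that any remaining gap in the `owner`-scoped socket, lock and `~/.config/fish/fishd.*` rules shows up as a log entry rather than as a silently failing universal-variable sync; the rule set itself is a good minimal one, since every path is `owner`-restricted and only the socket/lock paths get `l`.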