--- debian/apparmor-profile.orig 2009-12-17 09:01:27.000205796 -0600
+++ debian/apparmor-profile 2009-12-17 08:40:26.522736225 -0600
@@ -0,0 +1,29 @@
+# vim:syntax=apparmor
+
+#include
+
+/usr/sbin/squid {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ network inet raw,
+
+ /dev/tty rw,
+ /etc/mtab r,
+ /etc/squid/* r,
+ /usr/lib/squid/* rmix,
+
+ /var/run/squid.pid lrw,
+ @{PROC}/[0-9]*/mounts r,
+ @{PROC}/mounts r,
+
+ /var/spool/squid/** lrw,
+ /var/spool/squid/ rw,
+
+ /var/log/squid/* rw,
+}
--- debian/control.orig 2009-12-17 08:33:12.590204996 -0600
+++ debian/control 2009-12-17 08:39:47.790206207 -0600
@@ -15,7 +15,7 @@
 Depends: ${shlibs:Depends}, netbase, adduser, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base (>= 3.2-14), ssl-cert (>= 1.0-11ubuntu1)
 Conflicts: squid-novm, sarg (<< 1.1.1-2)
 Replaces: squid-novm
-Suggests: squidclient, squid-cgi, logcheck-database, resolvconf (>= 0.40), smbclient, winbind
+Suggests: squidclient, squid-cgi, logcheck-database, resolvconf (>= 0.40), smbclient, winbind, apparmor (>= 2.1+1075-0ubuntu6
 Description: Internet object cache (WWW proxy cache)
 This package provides the Squid Internet Object Cache developed by the National Laboratory for Applied Networking Research (NLANR) and
--- debian/postinst.orig 2009-12-17 08:43:35.710186869 -0600
+++ debian/postinst 2009-12-17 08:52:36.332687703 -0600
@@ -168,6 +168,11 @@
 getent group winbindd_priv >/dev/null 2>&1 && adduser --quiet proxy winbindd_priv
+ APP_PROFILE="/etc/apparmor.d/usr.sbin.squid"
+ if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
+ apparmor_parser -r "$APP_PROFILE" || true
+ fi
+
 ;;
 abort-upgrade|abort-remove|abort-deconfigure) ;;
--- debian/postrm.orig 2009-12-17 08:52:56.650200986 -0600
+++ debian/postrm 2009-12-17 08:53:45.060206018 -0600
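Review bot: `network inet raw,` in debian/apparmor-profile grants the confined daemon raw IPv4 sockets, and nothing in the profile says which squid feature needs them. A comment above the rule such as `# raw sockets: presumably for ICMP probing by the pinger helper; confirm, and drop if unused` would let a later reviewer decide whether it can go. The same applies to `/usr/lib/squid/* rmix,`, where the `ix` makes every helper in that directory run under this profile, including its `setuid`/`setgid` capabilities. The `#include` targets are not visible on this page, so what the abstractions add cannot be checked here.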
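Review bot: The new `Suggests:` line in debian/control leaves its version restriction unclosed: `apparmor (>= 2.1+1075-0ubuntu6` has no closing `)`. As shown, this is not a well-formed relationship field and the package tools would likely reject it. The entry should end `apparmor (>= 2.1+1075-0ubuntu6)`. If the parenthesis was only lost when the page was rendered, nothing needs changing.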
@@ -25,6 +25,11 @@
 rm -f /etc/default/squid
 fi
+
+ APP_PROFILE="usr.sbin.squid"
+ rm -f /etc/apparmor.d/force-complain/$APP_PROFILE >/dev/null 2>&1 || true
+ rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true
+
 #
 # We do not remove /var/spool/squid because that might
 # take a lot of time. Most of the time it is on a seperate
--- debian/preinst.orig 2009-12-17 08:58:26.110205940 -0600
+++ debian/preinst 2009-12-17 08:57:59.960204737 -0600
@@ -32,6 +32,19 @@
 mv /etc/squid.conf /etc/squid/squid.conf
 touch /etc/squid/conffile-moved
 fi
+
+ if [ -e "$APP_CONFFILE" ]; then
+ md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+ pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+ if [ "$md5sum" = "$pkg_md5sum" ]; then
+ # force-complain on upgrade from pre-shipped profile and
+ # existing profile is same as in conffiles
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ else
+ # force-complain on upgrade from pre-shipped profile and # there is no existing profile
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ fi
 fi
 #
--- debian/README.Debian.orig 2009-12-17 08:58:57.370203448 -0600
+++ debian/README.Debian 2009-12-17 08:59:21.040204987 -0600
@@ -112,4 +112,12 @@
 http://www.ircache.net/cgi-bin/cacheability.py . It will check an URL for you and tell you if it is or isn't cachable and why.
+Apparmor Profile
+----------------
+If your system uses AppArmor, please note that the shipped enforcing profile
+works with the default installation, and changes in your configuration may
+require changes to the installed apparmor profile. Please see
+https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+software.
+
 -- Luigi Gangitano , Mon, 04 Aug 2004 18:08:00 +0200
--- debian/rules.orig 2009-12-17 08:59:37.260205154 -0600
+++ debian/rules 2009-12-17 09:00:14.970204646 -0600
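Review bot: In the debian/preinst hunk both arms of `if [ "$md5sum" = "$pkg_md5sum" ]` run the same `ln -sf $APP_CONFFILE $APP_COMPLAIN`, so an existing profile is forced into complain mode whether or not the administrator has modified it. Force-complain switches enforcement off for squid, so a locally tightened profile would silently stop being enforced on upgrade. The `else` comment ("there is no existing profile") also cannot hold inside `[ -e "$APP_CONFFILE" ]`. If the comments state the intent, that case belongs on the outer existence test, as sketched below with the variables quoted. `APP_CONFFILE` and `APP_COMPLAIN` are not assigned in this hunk and the enclosing `if` opens outside it, so it is worth confirming they are set earlier and that the force-complain directory exists when apparmor is only suggested.

```shell
if [ -e "$APP_CONFFILE" ]; then
    # … unchanged: md5sum and pkg_md5sum computation …
    if [ "$md5sum" = "$pkg_md5sum" ]; then
        # existing profile is identical to the shipped conffile
        ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"
    fi
    # a locally modified profile keeps the mode its administrator chose
else
    # there is no existing profile
    ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"
fi
```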
@@ -242,6 +242,7 @@
 $(INSTALL_DIR) $(tmp)/var/{log,spool}
 install -m 750 -o proxy -g proxy -d $(tmp)/var/log/squid
 install -m 750 -o proxy -g proxy -d $(tmp)/var/spool/squid
+ install -D -m 0644 debian/apparmor-profile debian/squid/etc/apparmor.d/usr.sbin.squid
 $(INSTALL_DIR) $(tmp)/usr/share/man/man8
 # $(INSTALL_PROGRAM) src/squid $(tmp)/usr/sbin