Merge ~ahasenack/ubuntu/+source/squid:cosmic-squid-4.2-merge into ubuntu/+source/squid:debian/sid

Proposed by Andreas Hasenack
Status: Work in progress
Proposed branch: ~ahasenack/ubuntu/+source/squid:cosmic-squid-4.2-merge
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 417 lines (+298/-4)
11 files modified
debian/NEWS (+0/-0)
debian/changelog (+113/-0)
debian/control (+5/-3)
debian/patches/90-cf.data.ubuntu.patch (+16/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/fix-uninitialized-var.patch (+25/-0)
debian/patches/series (+3/-0)
debian/rules (+11/-1)
debian/squid.install (+3/-0)
debian/squid.preinst (+15/-0)
debian/usr.sbin.squid (+85/-0)
Reviewer Review Type Date Requested Status
Robie Basak Approve
Canonical Server Pending
Review via email: mp+356100@code.launchpad.net

Description of the change

Bileto ticket: https://bileto.ubuntu.com/#/ticket/3450
PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3450
DEP8 results: https://bileto.ubuntu.com/excuses/3450/cosmic.html

Merge from debian's 4.2-2 in an attempt to fix #1794553, where upstream commented that the crash might be due to incomplete gcc8 fixes that are in 4.1 and that were improved in 4.2.

There is no evidence yet that 4.2-2 fixes the reported crash, though. Also, upstream's 4.3 has further gcc8 fixes. I'm also using squid from cosmic in my home proxy and haven't seen it crash yet.

This MP is to have a review in place, and address any issues it raises, so that if the reporter of the crash bug can eventually confirm that the crash is gone, we can land this branch without further delays.

I had to introduce one small delta to correct the last debian change which was to add -latomic to certain architectures. The way it was done, it was being added to all arches, not just the listed ones. I pushed a PR to salsa to fix that.

I spent some time investigating this debian change: "Add upstream pr264 patch for systemd (Closes: #903165)". It claims to also resolve launchpad bug #1103362, but I'm not sure. I can confirm that squid fails to start if it cannot resolve a hostname in an acl, but I failed to reproduce that case in a normal boot of the system, even when bind9 was installed and configured (via netplan) to be the sole dns resolver of this system.

Also of note about that fix is the fact that what was eventually merged upstream did not include the "Wants=network-online.target" line that the debian patch has, just the "After=" change. Compare:

debian's patch: https://salsa.debian.org/squid-team/squid/blob/447e7b7587841230ab0829d47fb951c6f5d5ba0b/debian/patches/0004-upstream-pr264.patch

Upstream commit: https://github.com/squid-cache/squid/commit/c321737de30e69b0d31944b8962eccd4e88b7267

The debian patch is now removed in salsa for the upcoming 4.3 release, exactly because upstream adopted it, but sans the "Wants=" line.

I can adopt the exact same change that upstream did, or keep debian's from 4.2-2. Right now this MP has debian's patch. As I said, I couldn't reproduce the mentioned bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903165 or https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1103362).

About the remaining gcc8 fixes, upstream hasn't committed all of them yet, so I kept my two changes in that regard: d/p/fix-uninitialized-var.patch, and -Wno-format-truncation.

Revision history for this message
Robie Basak (racb) wrote :

lgtm

The use of empty commits in the final branch to mark the Dropped changes for use by reconstruct-changelog are interfering with range-diff. Something to talk about with Christian perhaps from a workflow perspective. But we can discuss that later.

review: Approve
1190dd5... by Andreas Hasenack

    - Rename d/NEWS.debian to d/NEWS, so that it can be handled by
      dh_installchangelogs.

9b5b0c6... by Andreas Hasenack

merge-changelogs

8538d8f... by Andreas Hasenack

reconstruct-changelog

bb82787... by Andreas Hasenack

update-maintainer

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks for the review. I find it convenient to use empty commits for the dropped changes (just not when I forget to use --keep-empty when rebasing ;).

I added one more "added change" on top of 1b9f272ef961a00a82024b0d144a166e3a5e63e8 after a discussion with infinity yesterday, where he noted that the NEWS file wasn't being included in the packages because its name was incorrect:

commit 1190dd579521af635443445f2d2b09b0a35fd957 (tag: before-merge-finish)
Author: Andreas Hasenack <email address hidden>
Date: Thu Oct 4 09:43:47 2018 -0300

        - Rename d/NEWS.debian to d/NEWS, so that it can be handled by
          dh_installchangelogs.

commit 1b9f272ef961a00a82024b0d144a166e3a5e63e8
Author: Andreas Hasenack <email address hidden>
Date: Tue Oct 2 20:02:13 2018 -0300

      * Added:
        - d/rules: only use -latomic with the intended architectures, instead
          of all of them
          (https://salsa.debian.org/squid-team/squid/merge_requests/6 and see also
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5)

I then regenerated the changelog after that, so all the way up to 1b9f272ef961a00a82024b0d144a166e3a5e63e8 it's like you reviewed, and after that it's the NEWS change plus metadata/changelog.

I submitted this to debian at https://salsa.debian.org/squid-team/squid/merge_requests/7

Revision history for this message
Robie Basak (racb) wrote :

+1 for bb82787 (diffed against previous +1'd commit 40a925 for verification)

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The bug was reproduced and turns out the new version doesn't fix it. It's still an open bug upstream at https://bugs.squid-cache.org/show_bug.cgi?id=4796

I'll remove this MP from review for now.

Unmerged commits

bb82787... by Andreas Hasenack

update-maintainer

8538d8f... by Andreas Hasenack

reconstruct-changelog

9b5b0c6... by Andreas Hasenack

merge-changelogs

1190dd5... by Andreas Hasenack

    - Rename d/NEWS.debian to d/NEWS, so that it can be handled by
      dh_installchangelogs.

1b9f272... by Andreas Hasenack

  * Added:
    - d/rules: only use -latomic with the intended architectures, instead
      of all of them
      (https://salsa.debian.org/squid-team/squid/merge_requests/6 and see also
      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5)

9e2270c... by Andreas Hasenack

    - d/t/upstream-test-suite: drop the sed line, since patch
      0003-installed-binary-for-debian-ci.patch is doing this work now.
      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
      [Fixed in 4.2-1]

75cd25d... by Andreas Hasenack

    - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
      binary from the system, instead of the one from the source tree.
      [Included in 4.2-1]

5573dde... by Andreas Hasenack

    - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
      [Fixed in 4.2-1]

de21835... by Andreas Hasenack

    - d/t/test-squid.py: fix the process name. The PID points at the parent.
      [Fixed in 4.2-1]

ec27139... by Andreas Hasenack

    - d/t/test-squid.py: fix apparmor profile filename
      [Fixed in 4.2-1]

Preview Diff

1diff --git a/debian/NEWS.debian b/debian/NEWS
2index 9936193..9936193 100644
3--- a/debian/NEWS.debian
4+++ b/debian/NEWS
5diff --git a/debian/changelog b/debian/changelog
6index 57cb2bd..5906596 100644
7--- a/debian/changelog
8+++ b/debian/changelog
9@@ -1,3 +1,44 @@
10+squid (4.2-2ubuntu1) cosmic; urgency=medium
11+
12+ * Merge with Debian unstable (LP: #1794553). Remaining changes:
13+ - Use snakeoil certificates.
14+ - Add an example refresh pattern for debs.
15+ - Add disabled by default AppArmor profile.
16+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
17+ error in parse_time_t, triggered on ppc64el due to the build using -O3
18+ in that architecture.
19+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
20+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
21+ -O2 and that triggers a format-truncation error on pcon.cc. See
22+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
23+ - Update apparmor profile to grant read access to squid binary
24+ (LP #1792728)
25+ * Dropped changes:
26+ - d/rules: enable cdbs parallel build
27+ [Adopted in 4.2-1]
28+ - d/t/test-squid.py: fix apparmor profile filename
29+ [Fixed in 4.2-1]
30+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
31+ [Fixed in 4.2-1]
32+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
33+ [Fixed in 4.2-1]
34+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
35+ binary from the system, instead of the one from the source tree.
36+ [Included in 4.2-1]
37+ - d/t/upstream-test-suite: drop the sed line, since patch
38+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
39+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
40+ [Fixed in 4.2-1]
41+ * Added:
42+ - d/rules: only use -latomic with the intended architectures, instead
43+ of all of them
44+ (https://salsa.debian.org/squid-team/squid/merge_requests/6 and see also
45+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5)
46+ - Rename d/NEWS.debian to d/NEWS, so that it can be handled by
47+ dh_installchangelogs.
48+
49+ -- Andreas Hasenack <andreas@canonical.com> Thu, 04 Oct 2018 09:44:44 -0300
50+
51 squid (4.2-2) unstable; urgency=high
52
53 [ Adrian Bunk <bunk@debian.org> ]
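Review bot: the new 4.2-2ubuntu1 entry has three text defects worth fixing before upload: the -Wno-format-truncation item ends one line with "See" and starts the next with "See https://bugs.squid-cache.org/show_bug.cgi?id=4875" (duplicated word), the d/p/fix-uninitialized-var.patch item spells "maybe-unitialized" (should be "maybe-uninitialized"), and "(LP #1792728)" lacks the colon of the "LP: #" syntax, so that bug would not be auto-closed by this upload. The same item names the file "pcon.cc" while the comment in debian/rules says "pconn.cc"; pick one spelling.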
54@@ -34,6 +75,78 @@ squid (4.2-1) unstable; urgency=high
55
56 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
57
58+squid (4.1-1ubuntu2) cosmic; urgency=medium
59+
60+ * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
61+ binary (LP: #1792728)
62+
63+ -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
64+
65+squid (4.1-1ubuntu1) cosmic; urgency=medium
66+
67+ * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
68+ Remaining changes:
69+ - Use snakeoil certificates.
70+ [Updated to use the correct config setting names]
71+ - Add an example refresh pattern for debs.
72+ [Improved the refresh patterns based on the configuration from
73+ squid-deb-proxy package]
74+ - Add disabled by default AppArmor profile.
75+ [Updated to include the ssl_certs abstraction and suggestions on how to
76+ deal with the snakeoil private key and other keys in /etc/ssl.]
77+ * Dropped changes:
78+ - Add additional dep8 tests.
79+ [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
80+ - Correct attribution and add explanatory note in d/NEWS.debian.
81+ [That particular upgrade path has happened long ago.]
82+ - Drop wrong short-circuiting of various invocations; we always want to
83+ call the debhelper block.
84+ [This was for the transitional squid3 package, and that transition has
85+ already happened.]
86+ - Revert "Set pidfile for systemd's sysv-generator" from Debian.
87+ [Not needed anymore since we have a native systemd service file
88+ and no longer rely on the generator.]
89+ - Enable autoreconf. This is no longer required for the security updates,
90+ but is needed for the seddery of test-suite/Makefile.am in
91+ d/t/upstream-test-suite.
92+ [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
93+ - Adjust seddery for upstream test squid binary location.
94+ [sed no longer necessary since patch,
95+ 0003-installed-binary-for-debian-ci.patch, will be dropped
96+ entirely.]
97+ - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
98+ happened in Xenial, so no upgrade path still requires this code. This
99+ reduces upgrade ordering difficulty.
100+ [Again we have a migration, but this time from squid3 to squid, so we
101+ need this].
102+ - GCC7 FTBFS fixes (LP: #1712668):
103+ + d/rules: don't error when hitting the "deprecated" and
104+ "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
105+ but one in Format.cc that affects 32bit builds was deemed too intrusive
106+ for the 3.5 stable series and is only in squid 4.x
107+ [No longer needed with squid 4.x]
108+ - Do not force gcc-6
109+ [It was a temporary workaround in Debian that got dropped]
110+ * Added changes:
111+ - d/rules: enable cdbs parallel build
112+ - d/t/test-squid.py: fix apparmor profile filename
113+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
114+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
115+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
116+ binary from the system, instead of the one from the source tree.
117+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
118+ error in parse_time_t, triggered on ppc64el due to the build using -O3
119+ in that architecture.
120+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
121+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
122+ -O2 and that triggers a format-truncation error on pcon.cc. See
123+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
124+ - d/t/upstream-test-suite: drop the sed line, since patch
125+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
126+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
127+
128+ -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
129+
130 squid (4.1-1) unstable; urgency=high
131
132 * New Upstream Release (Closes: #896120)
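Review bot: the 4.1-1ubuntu2 and 4.1-1ubuntu1 entries repeat the "maybe-unitialized" and duplicated "See" text found in the new entry, but they are historical entries reproduced verbatim from the earlier uploads and should stay as they are; only the new 4.2-2ubuntu1 entry needs correcting. One thing to double check in the 4.1-1ubuntu1 header line: "LP: #16669" is far shorter than the other bug numbers beside it (#1780944, #1097032) and may be a truncated reference.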
133diff --git a/debian/control b/debian/control
134index a7cd938..d6f27cc 100644
135--- a/debian/control
136+++ b/debian/control
137@@ -1,7 +1,8 @@
138 Source: squid
139 Section: web
140 Priority: optional
141-Maintainer: Luigi Gangitano <luigi@debian.org>
142+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
143+XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
144 Uploaders: Santiago Garcia Mantinan <manty@debian.org>
145 Homepage: http://www.squid-cache.org
146 Standards-Version: 4.2.0.0
147@@ -24,6 +25,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
148 , libsasl2-dev
149 , libxml2-dev
150 , nettle-dev
151+ , dh-apparmor
152
153 Package: squid3
154 Architecture: all
155@@ -40,8 +42,8 @@ Description: Transitional package
156 Package: squid
157 Architecture: any
158 Pre-Depends: adduser
159-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
160-Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd
161+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
162+Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd, apparmor
163 Recommends: libcap2-bin [linux-any], ca-certificates
164 Conflicts: squid3 (<< ${binary:Version})
165 Replaces: squid3
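Review bot: ssl-cert is added as a hard Depends of squid, but the only thing in this branch that uses it is the documentation patch 99-ubuntu-ssl-cert-snakeoil.patch, which presents the snakeoil certificate as an option "for testing"; squid runs without it unless TLS peers or an https_port are configured. Recommends would keep the convenience for the default install without forcing the snakeoil key to be generated on every system, and it would be consistent with apparmor being listed only under Suggests.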
166diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
167new file mode 100644
168index 0000000..9dfa5b4
169--- /dev/null
170+++ b/debian/patches/90-cf.data.ubuntu.patch
171@@ -0,0 +1,16 @@
172+--- a/src/cf.data.pre
173++++ b/src/cf.data.pre
174+@@ -5859,6 +5862,12 @@ NOCOMMENT_START
175+ refresh_pattern ^ftp: 1440 20% 10080
176+ refresh_pattern ^gopher: 1440 0% 1440
177+ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
178++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
179++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
180++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
181++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
182++# example pattern for deb packages
183++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
184+ refresh_pattern . 0 20% 4320
185+ NOCOMMENT_END
186+ DOC_END
187+
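Review bot: the patch carries no DEP-3 header (Description, Author, Origin, Forwarded), unlike fix-uninitialized-var.patch later in this diff which has one. A short header stating that this is an Ubuntu-specific default (refresh-ims for Packages, Sources, Release, InRelease and Translation files) and whether it is intended for upstream would help the next merger decide whether the delta is still wanted.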
188diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
189new file mode 100644
190index 0000000..40b5306
191--- /dev/null
192+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
193@@ -0,0 +1,22 @@
194+--- a/src/cf.data.pre
195++++ b/src/cf.data.pre
196+@@ -3516,6 +3516,19 @@
197+ reference a PEM file containing both the certificate
198+ and private key.
199+
200++ Notes:
201++
202++ On Debian/Ubuntu systems a default snakeoil certificate is
203++ available in /etc/ssl and users can set:
204++
205++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
206++
207++ and
208++
209++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
210++
211++ for testing.
212++
213+ sslcipher=... The list of valid SSL ciphers to use when connecting
214+ to this peer.
215+
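Review bot: like 90-cf.data.ubuntu.patch, this documentation-only patch lacks a DEP-3 header. The advice is consistent with the AppArmor profile in debian/usr.sbin.squid, which ships the rule for /etc/ssl/private/ssl-cert-snakeoil.key commented out, so a user who follows this "Notes:" text and enforces the profile also has to enable that rule; a one-line pointer to that here would save a support round-trip.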
216diff --git a/debian/patches/fix-uninitialized-var.patch b/debian/patches/fix-uninitialized-var.patch
217new file mode 100644
218index 0000000..a682703
219--- /dev/null
220+++ b/debian/patches/fix-uninitialized-var.patch
221@@ -0,0 +1,25 @@
222+Description: Workaround gcc's maybe-uninitialized error in parse_time_t
223+ Function parse_time_t() passes an unitialized variable to parseTimeLine(),
224+ which will fill it in as the return value. gcc's -Wmaybe-unitialized setting
225+ trips over this when the build is done with -O3, as is the case in ppc64el.
226+ This fix is suggested in https://github.com/squid-cache/squid/pull/270, but
227+ not accepted yet. It was remarked that a better fix can be done, instead of
228+ just working around the gcc misfire.
229+Origin: other, https://github.com/squid-cache/squid/pull/270
230+Bug: https://bugs.squid-cache.org/show_bug.cgi?id=4875
231+Last-Update: 2018-08-14
232+---
233+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
234+diff --git a/src/cache_cf.cc b/src/cache_cf.cc
235+index 006a42d..96fe36f 100644
236+--- a/src/cache_cf.cc
237++++ b/src/cache_cf.cc
238+@@ -2925,7 +2925,7 @@ dump_time_t(StoreEntry * entry, const char *name, time_t var)
239+ void
240+ parse_time_t(time_t * var)
241+ {
242+- time_msec_t tval;
243++ time_msec_t tval = 0;
244+ parseTimeLine(&tval, T_SECOND_STR, false);
245+ *var = static_cast<time_t>(tval/1000);
246+ }
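Review bot: in the DEP-3 header, "Origin: other, https://github.com/squid-cache/squid/pull/270" describes a change that is actually taken from, and still pending in, an upstream pull request, so "Origin: upstream, https://github.com/squid-cache/squid/pull/270" together with "Forwarded: yes" states that more precisely. The description spells "unitialized" twice (should be "uninitialized"), and the "Bug:" field points at squid bug 4875, the same report that debian/rules cites for the unrelated format-truncation error in pconn.cc; verify that 4875 is the right report for the parse_time_t warning. Functionally, "time_msec_t tval = 0;" only silences the diagnostic: if parseTimeLine() ever returned without writing tval, *var would silently become 0, which is why the header itself says a better fix is possible.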
247diff --git a/debian/patches/series b/debian/patches/series
248index bb3fd54..04ec64b 100644
249--- a/debian/patches/series
250+++ b/debian/patches/series
251@@ -2,3 +2,6 @@
252 0002-Change-default-file-locations-for-debian.patch
253 0003-installed-binary-for-debian-ci.patch
254 0004-upstream-pr264.patch
255+90-cf.data.ubuntu.patch
256+99-ubuntu-ssl-cert-snakeoil.patch
257+fix-uninitialized-var.patch
258diff --git a/debian/rules b/debian/rules
259index 9b2b1ed..0a1f109 100755
260--- a/debian/rules
261+++ b/debian/rules
262@@ -3,12 +3,18 @@
263 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
264 export DEB_CFLAGS_MAINT_APPEND = -Wall
265
266-DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -latomic
267+DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
268 ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
269 DEB_LDFLAGS_MAINT_APPEND += -latomic
270 endif
271 export DEB_LDFLAGS_MAINT_APPEND
272
273+# On ppc64el, dpkg-buildflags sets -O3 instead of the usual
274+# -O2. This makes gcc emit a format-truncation error on
275+# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875
276+ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el)
277+ export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation
278+endif
279 export DEB_BUILD_PARALLEL = yes
280 include /usr/share/dpkg/buildflags.mk
281
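Review bot: the two architecture checks use different mechanisms: the -latomic block tests $(DEB_HOST_ARCH) while the new ppc64el block shells out to "dpkg-architecture -qDEB_HOST_ARCH". Both sit before "include /usr/share/dpkg/buildflags.mk"; if DEB_HOST_ARCH is not yet defined at the point of the first test, $(filter ...) matches nothing and -latomic is silently never added on the listed architectures, so verify where it is set or use the same dpkg-architecture lookup (or include /usr/share/dpkg/architecture.mk) in both places. The comment also names "pconn.cc" while the changelog entry says "pcon.cc".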
282@@ -95,3 +101,7 @@ install/squid::
283 install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
284 mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
285 mv $(INSTALLDIR)/usr/share/man/man1/purge.1 $(INSTALLDIR)/usr/share/man/man1/squid-purge.1
286+ install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/force-complain
287+ install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/disable
288+ install -m 644 -g root debian/usr.sbin.squid $(INSTALLDIR)/etc/apparmor.d
289+ dh_apparmor --profile-name=usr.sbin.squid -psquid
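Review bot: dh_apparmor is invoked with -psquid after the profile is copied into $(INSTALLDIR)/etc/apparmor.d, which is the right order since dh_apparmor only generates maintainer-script snippets; confirm that squid's postinst carries a #DEBHELPER# token (the preinst does, per its "dh_installdeb will replace this" comment), otherwise the profile reload snippet is dropped without error. A short comment on the two "install -d" lines saying that disable/ is populated by the preinst and force-complain/ is left for the admin would explain why two empty directories are shipped.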
290diff --git a/debian/squid.install b/debian/squid.install
291index 95ebe1a..d13050d 100644
292--- a/debian/squid.install
293+++ b/debian/squid.install
294@@ -28,3 +28,6 @@ usr/share/man/man8/negotiate_kerberos_auth.8
295 usr/share/man/man8/security_fake_certverify.8
296 usr/share/man/man8/storeid_file_rewrite.8
297 usr/share/man/man8/squid.8
298+etc/apparmor.d/disable
299+etc/apparmor.d/force-complain
300+etc/apparmor.d/usr.sbin.squid
301diff --git a/debian/squid.preinst b/debian/squid.preinst
302index 6b490e0..593ffa9 100644
303--- a/debian/squid.preinst
304+++ b/debian/squid.preinst
305@@ -63,6 +63,21 @@ then
306 chsh -s /bin/sh proxy
307 fi
308
309+disable_profile() {
310+ APP_CONFFILE="/etc/apparmor.d/usr.sbin.squid"
311+ APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.squid"
312+ # Create a symlink to the yet-to-be-unpacked profile
313+ if [ ! -e "$APP_CONFFILE" ]; then
314+ mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
315+ ln -sf $APP_CONFFILE $APP_DISABLE
316+ fi
317+}
318+
319+if [ "$1" = "install" ]; then
320+ # Disable AppArmor profile on install
321+ disable_profile
322+fi
323+
324 # dh_installdeb will replace this with shell code automatically
325 # generated by other debhelper scripts.
326
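Review bot: in disable_profile, "mkdir -p `dirname $APP_DISABLE`" uses backticks and unquoted expansions; "mkdir -p "$(dirname "$APP_DISABLE")"" and "ln -sf "$APP_CONFFILE" "$APP_DISABLE"" are the lintian-friendly forms, and the "2>/dev/null || true" on mkdir hides a failure that then resurfaces as a less clear ln error. The guard itself is right: it runs only when "$1" is "install" and only while the conffile does not yet exist, so upgrades from 4.1-1ubuntu1/2 (which already shipped the profile) and reinstalls keep whatever enable/disable state the admin chose.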
327diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
328new file mode 100644
329index 0000000..07a9642
330--- /dev/null
331+++ b/debian/usr.sbin.squid
332@@ -0,0 +1,85 @@
333+# Author: Simon Deziel
334+# Jamie Strandboge
335+# vim:syntax=apparmor
336+#include <tunables/global>
337+
338+/usr/sbin/squid {
339+ #include <abstractions/base>
340+ #include <abstractions/kerberosclient>
341+ #include <abstractions/nameservice>
342+ #include <abstractions/ssl_certs>
343+
344+ # If you are using squid with the default snakeoil certificates, you will
345+ # probably have to uncomment the line below so that squid can read the
346+ # private key:
347+ #/etc/ssl/private/ssl-cert-snakeoil.key r,
348+
349+ # For a more generous permission, but also less secure, you could
350+ # alternatively include the <abstractions/ssl_keys> abstraction, which
351+ # gives read access to the entire contents of /etc/ssl
352+
353+ capability net_raw,
354+ capability setuid,
355+ capability setgid,
356+ capability sys_chroot,
357+
358+ # allow child processes to run execvp(argv[0], [kidname, ...])
359+ /usr/sbin/squid rix,
360+
361+ # pinger
362+ network inet raw,
363+ network inet6 raw,
364+
365+ /etc/mtab r,
366+ @{PROC}/[0-9]*/mounts r,
367+ @{PROC}/mounts r,
368+
369+ # squid3 configuration
370+ /etc/squid/** r,
371+ /{,var/}run/squid.pid rwk,
372+ /var/spool/squid/ r,
373+ /var/spool/squid/** rwk,
374+ /usr/lib/squid{,3}/* rmix,
375+ /usr/share/squid/** r,
376+ /var/log/squid/* rw,
377+
378+ # squid-langpack
379+ /usr/share/squid-langpack/** r,
380+
381+ # maas-proxy
382+ /var/lib/maas/maas-proxy.conf r,
383+ /var/log/maas/proxy/** rw,
384+ /var/spool/maas-proxy/ r,
385+ /var/spool/maas-proxy/** rwk,
386+
387+ # squid-deb-proxy
388+ /etc/squid-deb-proxy/** r,
389+ /{,var/}run/squid-deb-proxy.pid rwk,
390+ /var/cache/squid-deb-proxy/ r,
391+ /var/cache/squid-deb-proxy/** rwk,
392+ /var/log/squid-deb-proxy/* rw,
393+ owner /dev/shm/** rmw,
394+
395+ # squidguard
396+ /usr/bin/squidGuard Cx -> squidguard,
397+ profile squidguard {
398+ #include <abstractions/base>
399+
400+ /etc/squid/squidGuard.conf r,
401+ /var/log/squid{,3}/squidGuard.log w,
402+ /var/lib/squidguard/** rw,
403+
404+ # squidguard by default uses /var/log/squid as its logdir, however, we
405+ # don't want it to access squid's logs, only its own. Explicitly deny
406+ # access to squid's files but allow all others since the user may specify
407+ # anything for the squidGurad 'log' directive.
408+ /var/log/squid{,3}/* rw,
409+ audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
410+
411+ # Site-specific additions and overrides. See local/README for details.
412+ #include <local/usr.sbin.squid>
413+ }
414+
415+ # Site-specific additions and overrides. See local/README for details.
416+ #include <local/usr.sbin.squid>
417+}
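Review bot: the squidguard child profile includes the same <local/usr.sbin.squid> file as the parent profile, so any site-specific rule an admin adds for squid is also granted to squidGuard; a separate local file for the child (or no local include there at all) keeps the two permission sets independent, with the "audit deny" on squid's own log files still taking precedence either way. Smaller points: "squidGurad" in the comment should be "squidGuard"; "owner /dev/shm/** rmw," sits under the "# squid-deb-proxy" comment although squid's own SMP shared-memory segments also live there, so it belongs with the general squid rules; and "# squid3 configuration" can read "# squid configuration" now that the package is squid.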
