Merge ~ahasenack/ubuntu/+source/squid:disco-squid-merge into ubuntu/+source/squid:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: Robie Basak
Approved revision: b68f6ab89baa162cda6b30823dbf5710e45e6726
Merge reported by: Andreas Hasenack
Merged at revision: b68f6ab89baa162cda6b30823dbf5710e45e6726
Proposed branch: ~ahasenack/ubuntu/+source/squid:disco-squid-merge
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 461 lines (+336/-5)
11 files modified
debian/changelog (+123/-0)
debian/control (+5/-3)
debian/patches/90-cf.data.ubuntu.patch (+16/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/fix-rotate-assertion.patch (+26/-0)
debian/patches/fix-uninitialized-var.patch (+25/-0)
debian/patches/series (+4/-0)
debian/rules (+11/-2)
debian/squid.install (+3/-0)
debian/squid.preinst (+15/-0)
debian/usr.sbin.squid (+86/-0)
Reviewers:
Robie Basak: Approve
Canonical Server: Pending
Review via email: mp+359001@code.launchpad.net

Description of the change

Merge from Debian's latest squid.

Dropped a good portion of the delta that was pushed to Debian during the squid3->squid4 work from the previous cycle.

Of the 3 added changes, two (d/rules -latomic, and d/NEWS) were submitted to Debian:
- d/rules -latomic: https://salsa.debian.org/squid-team/squid/merge_requests/6
- d/NEWS: https://salsa.debian.org/squid-team/squid/merge_requests/7

The third one is about apparmor which Debian isn't using.

The work to push our apparmor profile upstream still needs to be done, but I left that for another time.

Bileto ticket and related ppa: https://bileto.ubuntu.com/#/ticket/3524

The armhf dep8 always-failed error I believe might be related to the use of lxd on arm, as the other tests run in a VM via ssh. I tried locally on amd64 with lxd and the test passed, though.

Robie Basak (racb) wrote :

merge-changelogs run, update-maintainer run. A study of "git range-diff" output indicates that the changelog accurately describes the set of changes made. All delta dropped verified now present in Debian.

Review of new changes:

-latomic change looks correct. NEWS rename seems reasonable. AppArmor profile change looks reasonable and verified by jdstrand in the bug.

New changelog version string and target release are correct. There is no merge bug reference to close.

lgtm. Nice job getting the delta down!

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, upload tag pushed and package uploaded. I'll watch over migration.

Andreas Hasenack (ahasenack) wrote :

I migrated, marking as merged.

Preview Diff

1diff --git a/debian/NEWS.debian b/debian/NEWS
2similarity index 100%
3rename from debian/NEWS.debian
4rename to debian/NEWS
5diff --git a/debian/changelog b/debian/changelog
6index 275f795..01aab06 100644
7--- a/debian/changelog
8+++ b/debian/changelog
9@@ -1,3 +1,47 @@
10+squid (4.4-1ubuntu1) disco; urgency=medium
11+
12+ * Merge with Debian unstable. Remaining changes:
13+ - Use snakeoil certificates.
14+ - Add an example refresh pattern for debs.
15+ - Add disabled by default AppArmor profile.
16+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
17+ error in parse_time_t, triggered on ppc64el due to the build using -O3
18+ in that architecture.
19+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
20+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
21+ -O2 and that triggers a format-truncation error on pcon.cc. See
22+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
23+ - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
24+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
25+ * Drop:
26+ - d/rules: enable cdbs parallel build
27+ [Fixed in 4.2-1]
28+ - d/t/test-squid.py: fix apparmor profile filename
29+ [Fixed in 4.2-1]
30+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
31+ [Fixed in 4.2-1]
32+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
33+ [Fixed in 4.2-1]
34+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
35+ binary from the system, instead of the one from the source tree.
36+ [Fixed in 4.2-1]
37+ - d/t/upstream-test-suite: drop the sed line, since patch
38+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
39+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
40+ [Fixed in 4.2-1]
41+ * Added changes:
42+ - d/rules: Only use -latomic with the intended architectures, instead of
43+ all of them. This matches what was suggested in
44+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
45+ - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
46+ dh_installchangelogs can pick it up. dh_installchangelogs handles
47+ d/NEWS or d/<package>.NEWS, but not NEWS.debian.
48+ - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
49+ + allow net_admin capability
50+ + add attach_disconnected flag
51+
52+ -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200
53+
54 squid (4.4-1) unstable; urgency=high
55
56 * Urgency high due to security fixes
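Review bot: The d/p/fix-rotate-assertion.patch item in the 4.4-1ubuntu1 entry ends with "(LP #1794553)", without the colon that the d/usr.sbin.squid item in the same entry uses in "(LP: #1796189)"; write it as "(LP: #1794553)" so the bug reference has the same form throughout the entry. In the same entry, "See" is doubled across the line break before the bugs.squid-cache.org URL, the file is named pcon.cc here but pconn.cc in the d/rules comment, and "maybe-unitialized" is missing an "i".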
57@@ -62,6 +106,85 @@ squid (4.2-1) unstable; urgency=high
58
59 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
60
61+squid (4.1-1ubuntu3) cosmic; urgency=medium
62+
63+ * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
64+ Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
65+
66+ -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300
67+
68+squid (4.1-1ubuntu2) cosmic; urgency=medium
69+
70+ * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
71+ binary (LP: #1792728)
72+
73+ -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
74+
75+squid (4.1-1ubuntu1) cosmic; urgency=medium
76+
77+ * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
78+ Remaining changes:
79+ - Use snakeoil certificates.
80+ [Updated to use the correct config setting names]
81+ - Add an example refresh pattern for debs.
82+ [Improved the refresh patterns based on the configuration from
83+ squid-deb-proxy package]
84+ - Add disabled by default AppArmor profile.
85+ [Updated to include the ssl_certs abstraction and suggestions on how to
86+ deal with the snakeoil private key and other keys in /etc/ssl.]
87+ * Dropped changes:
88+ - Add additional dep8 tests.
89+ [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
90+ - Correct attribution and add explanatory note in d/NEWS.debian.
91+ [That particular upgrade path has happened long ago.]
92+ - Drop wrong short-circuiting of various invocations; we always want to
93+ call the debhelper block.
94+ [This was for the transitional squid3 package, and that transition has
95+ already happened.]
96+ - Revert "Set pidfile for systemd's sysv-generator" from Debian.
97+ [Not needed anymore since we have a native systemd service file
98+ and no longer rely on the generator.]
99+ - Enable autoreconf. This is no longer required for the security updates,
100+ but is needed for the seddery of test-suite/Makefile.am in
101+ d/t/upstream-test-suite.
102+ [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
103+ - Adjust seddery for upstream test squid binary location.
104+ [sed no longer necessary since patch,
105+ 0003-installed-binary-for-debian-ci.patch, will be dropped
106+ entirely.]
107+ - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
108+ happened in Xenial, so no upgrade path still requires this code. This
109+ reduces upgrade ordering difficulty.
110+ [Again we have a migration, but this time from squid3 to squid, so we
111+ need this].
112+ - GCC7 FTBFS fixes (LP: #1712668):
113+ + d/rules: don't error when hitting the "deprecated" and
114+ "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
115+ but one in Format.cc that affects 32bit builds was deemed too intrusive
116+ for the 3.5 stable series and is only in squid 4.x
117+ [No longer needed with squid 4.x]
118+ - Do not force gcc-6
119+ [It was a temporary workaround in Debian that got dropped]
120+ * Added changes:
121+ - d/rules: enable cdbs parallel build
122+ - d/t/test-squid.py: fix apparmor profile filename
123+ - d/t/test-squid.py: fix the process name. The PID points at the parent.
124+ - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
125+ - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
126+ binary from the system, instead of the one from the source tree.
127+ - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
128+ error in parse_time_t, triggered on ppc64el due to the build using -O3
129+ in that architecture.
130+ - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
131+ building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
132+ -O2 and that triggers a format-truncation error on pcon.cc. See
133+ See https://bugs.squid-cache.org/show_bug.cgi?id=4875
134+ - d/t/upstream-test-suite: drop the sed line, since patch
135+ 0003-installed-binary-for-debian-ci.patch is doing this work now.
136+ (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
137+
138+ -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
139+
140 squid (4.1-1) unstable; urgency=high
141
142 * New Upstream Release (Closes: #896120)
143diff --git a/debian/control b/debian/control
144index 2c6a5b4..8d7e6b5 100644
145--- a/debian/control
146+++ b/debian/control
147@@ -1,7 +1,8 @@
148 Source: squid
149 Section: web
150 Priority: optional
151-Maintainer: Luigi Gangitano <luigi@debian.org>
152+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
153+XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
154 Uploaders: Santiago Garcia Mantinan <manty@debian.org>
155 Homepage: http://www.squid-cache.org
156 Standards-Version: 4.2.1
157@@ -24,6 +25,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
158 , libsasl2-dev
159 , libxml2-dev
160 , nettle-dev
161+ , dh-apparmor
162
163 Package: squid3
164 Architecture: all
165@@ -40,8 +42,8 @@ Description: Transitional package
166 Package: squid
167 Architecture: any
168 Pre-Depends: adduser
169-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
170-Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd
171+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
172+Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd, apparmor
173 Recommends: libcap2-bin [linux-any], ca-certificates
174 Conflicts: squid3 (<< ${binary:Version})
175 Replaces: squid3
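Review bot: ssl-cert is added to Depends of the squid package, but the only uses of it visible in this diff are the cf.data.pre note that offers the snakeoil pair "for testing" and a commented-out key rule in the AppArmor profile. If nothing in the default configuration reads those files, Recommends or Suggests would carry the same hint without putting the self-signed key pair on every install; otherwise say in the changelog what requires it.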
176diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
177new file mode 100644
178index 0000000..9dfa5b4
179--- /dev/null
180+++ b/debian/patches/90-cf.data.ubuntu.patch
181@@ -0,0 +1,16 @@
182+--- a/src/cf.data.pre
183++++ b/src/cf.data.pre
184+@@ -5859,6 +5862,12 @@ NOCOMMENT_START
185+ refresh_pattern ^ftp: 1440 20% 10080
186+ refresh_pattern ^gopher: 1440 0% 1440
187+ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
188++refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
189++refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
190++refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
191++refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
192++# example pattern for deb packages
193++#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
194+ refresh_pattern . 0 20% 4320
195+ NOCOMMENT_END
196+ DOC_END
197+
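Review bot: The DEP-3 header is missing from 90-cf.data.ubuntu.patch, which starts straight at "--- a/src/cf.data.pre", while fix-rotate-assertion.patch and fix-uninitialized-var.patch in the same series both carry Description, Origin and Last-Update fields. Add at least a Description and a Forwarded field stating whether these apt-oriented refresh_pattern defaults are meant to stay Ubuntu-only, so the next merge can tell why the delta exists.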
198diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
199new file mode 100644
200index 0000000..40b5306
201--- /dev/null
202+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
203@@ -0,0 +1,22 @@
204+--- a/src/cf.data.pre
205++++ b/src/cf.data.pre
206+@@ -3516,6 +3516,19 @@
207+ reference a PEM file containing both the certificate
208+ and private key.
209+
210++ Notes:
211++
212++ On Debian/Ubuntu systems a default snakeoil certificate is
213++ available in /etc/ssl and users can set:
214++
215++ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
216++
217++ and
218++
219++ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
220++
221++ for testing.
222++
223+ sslcipher=... The list of valid SSL ciphers to use when connecting
224+ to this peer.
225+
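Review bot: The added note tells users to set sslkey=/etc/ssl/private/ssl-cert-snakeoil.key, but the AppArmor profile added in this same merge keeps the rule for that path commented out and says it will probably have to be uncommented, so following the note with the profile enabled leaves squid unable to read the key. Mention the profile rule in the note or point at the comment in debian/usr.sbin.squid. This patch file also has no DEP-3 header.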
226diff --git a/debian/patches/fix-rotate-assertion.patch b/debian/patches/fix-rotate-assertion.patch
227new file mode 100644
228index 0000000..820cf0e
229--- /dev/null
230+++ b/debian/patches/fix-rotate-assertion.patch
231@@ -0,0 +1,26 @@
232+Description: Fix assertion error when rotating logs
233+ Upstream is still discussing
234+ (https://github.com/squid-cache/squid/pull/257#issuecomment-428250856)
235+ the details of the patch, but there are no big cons for now. The PR will be
236+ monitored and the squid package updated accordingly when needed.
237+Author: Vitaly Lavrov <vel21ripn@gmail.com>
238+Origin: other, https://github.com/squid-cache/squid/pull/257#issuecomment-427271426
239+Bug: https://bugs.squid-cache.org/show_bug.cgi?id=4796
240+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910337
241+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1794553
242+Last-Update: 2018-10-09
243+---
244+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
245+diff --git a/src/main.cc b/src/main.cc
246+index 2a7269ed..9dc0d195 100644
247+--- a/src/main.cc
248++++ b/src/main.cc
249+@@ -1152,8 +1152,6 @@ mainInitialize(void)
250+
251+ _db_init(Debug::cache_log, Debug::debugOptions);
252+
253+- fd_open(fileno(debug_log), FD_LOG, Debug::cache_log);
254+-
255+ debugs(1, DBG_CRITICAL, "Starting Squid Cache version " << version_string << " for " << CONFIG_HOST_TYPE << "...");
256+ debugs(1, DBG_CRITICAL, "Service Name: " << service_name);
257+
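Review bot: The header does not say why dropping the fd_open(fileno(debug_log), FD_LOG, Debug::cache_log) call in mainInitialize() fixes the assertion, or what changes for the cache log descriptor once it is no longer registered there. Since the Description states that upstream is still discussing the details, add a sentence or two on the mechanism and the known side effects so the patch can be re-evaluated when the linked pull request settles.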
258diff --git a/debian/patches/fix-uninitialized-var.patch b/debian/patches/fix-uninitialized-var.patch
259new file mode 100644
260index 0000000..a682703
261--- /dev/null
262+++ b/debian/patches/fix-uninitialized-var.patch
263@@ -0,0 +1,25 @@
264+Description: Workaround gcc's maybe-uninitialized error in parse_time_t
265+ Function parse_time_t() passes an unitialized variable to parseTimeLine(),
266+ which will fill it in as the return value. gcc's -Wmaybe-unitialized setting
267+ trips over this when the build is done with -O3, as is the case in ppc64el.
268+ This fix is suggested in https://github.com/squid-cache/squid/pull/270, but
269+ not accepted yet. It was remarked that a better fix can be done, instead of
270+ just working around the gcc misfire.
271+Origin: other, https://github.com/squid-cache/squid/pull/270
272+Bug: https://bugs.squid-cache.org/show_bug.cgi?id=4875
273+Last-Update: 2018-08-14
274+---
275+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
276+diff --git a/src/cache_cf.cc b/src/cache_cf.cc
277+index 006a42d..96fe36f 100644
278+--- a/src/cache_cf.cc
279++++ b/src/cache_cf.cc
280+@@ -2925,7 +2925,7 @@ dump_time_t(StoreEntry * entry, const char *name, time_t var)
281+ void
282+ parse_time_t(time_t * var)
283+ {
284+- time_msec_t tval;
285++ time_msec_t tval = 0;
286+ parseTimeLine(&tval, T_SECOND_STR, false);
287+ *var = static_cast<time_t>(tval/1000);
288+ }
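Review bot: With "time_msec_t tval = 0;" in parse_time_t(), if parseTimeLine() has any path that returns without writing tval, *var is now set to 0 silently instead of the build failing on the diagnostic. The Description already records that a better fix was asked for upstream; until that lands, state in the header that 0 is the intended fallback, or have the value checked after the call. The flag is also spelled -Wmaybe-unitialized in the Description, which makes the header harder to find by searching for the real option name.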
289diff --git a/debian/patches/series b/debian/patches/series
290index 6bff1ed..4c80674 100644
291--- a/debian/patches/series
292+++ b/debian/patches/series
293@@ -1,3 +1,7 @@
294 0001-Default-configuration-file-for-debian.patch
295 0002-Change-default-file-locations-for-debian.patch
296 0003-installed-binary-for-debian-ci.patch
297+90-cf.data.ubuntu.patch
298+99-ubuntu-ssl-cert-snakeoil.patch
299+fix-uninitialized-var.patch
300+fix-rotate-assertion.patch
301diff --git a/debian/rules b/debian/rules
302index 9b2b1ed..3923dac 100755
303--- a/debian/rules
304+++ b/debian/rules
305@@ -3,12 +3,17 @@
306 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
307 export DEB_CFLAGS_MAINT_APPEND = -Wall
308
309-DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -latomic
310+DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
311 ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
312 DEB_LDFLAGS_MAINT_APPEND += -latomic
313 endif
314 export DEB_LDFLAGS_MAINT_APPEND
315-
316+# On ppc64el, dpkg-buildflags sets -O3 instead of the usual
317+# -O2. This makes gcc emit a format-truncation error on
318+# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875
319+ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el)
320+ export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation
321+endif
322 export DEB_BUILD_PARALLEL = yes
323 include /usr/share/dpkg/buildflags.mk
324
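Review bot: The ppc64el test shells out with $(shell dpkg-architecture -qDEB_HOST_ARCH) while the -latomic conditional a few lines above reads $(DEB_HOST_ARCH) directly; use one form for both, because if the variable is not set at that point the -latomic filter never matches and nothing reports it. The new block also takes the place of the blank line that separated the LDFLAGS section from what follows, and -Wno-format-truncation switches the diagnostic off for every C++ file on that architecture rather than only pconn.cc, which the comment should say.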
325@@ -95,3 +100,7 @@ install/squid::
326 install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
327 mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
328 mv $(INSTALLDIR)/usr/share/man/man1/purge.1 $(INSTALLDIR)/usr/share/man/man1/squid-purge.1
329+ install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/force-complain
330+ install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/disable
331+ install -m 644 -g root debian/usr.sbin.squid $(INSTALLDIR)/etc/apparmor.d
332+ dh_apparmor --profile-name=usr.sbin.squid -psquid
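Review bot: etc/apparmor.d/force-complain is created here and listed in debian/squid.install, but nothing in this diff places a link in it; the preinst only writes to etc/apparmor.d/disable. Drop the directory if it is unused, or add a comment saying what is expected to populate it.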
333diff --git a/debian/squid.install b/debian/squid.install
334index 95ebe1a..d13050d 100644
335--- a/debian/squid.install
336+++ b/debian/squid.install
337@@ -28,3 +28,6 @@ usr/share/man/man8/negotiate_kerberos_auth.8
338 usr/share/man/man8/security_fake_certverify.8
339 usr/share/man/man8/storeid_file_rewrite.8
340 usr/share/man/man8/squid.8
341+etc/apparmor.d/disable
342+etc/apparmor.d/force-complain
343+etc/apparmor.d/usr.sbin.squid
344diff --git a/debian/squid.preinst b/debian/squid.preinst
345index 941d4f2..65f81c4 100644
346--- a/debian/squid.preinst
347+++ b/debian/squid.preinst
348@@ -63,6 +63,21 @@ then
349 chsh -s /bin/sh proxy
350 fi
351
352+disable_profile() {
353+ APP_CONFFILE="/etc/apparmor.d/usr.sbin.squid"
354+ APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.squid"
355+ # Create a symlink to the yet-to-be-unpacked profile
356+ if [ ! -e "$APP_CONFFILE" ]; then
357+ mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
358+ ln -sf $APP_CONFFILE $APP_DISABLE
359+ fi
360+}
361+
362+if [ "$1" = "install" ]; then
363+ # Disable AppArmor profile on install
364+ disable_profile
365+fi
366+
367 # dh_installdeb will replace this with shell code automatically
368 # generated by other debhelper scripts.
369
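Review bot: In disable_profile(), a failing mkdir is hidden by "2>/dev/null || true" but the "ln -sf" on the next line runs regardless and will then fail on the missing directory; let mkdir report its error or guard the ln on the directory existing. The expansions in "dirname $APP_DISABLE" and "ln -sf $APP_CONFFILE $APP_DISABLE" should be quoted and the backticks replaced with $(...). Because the link is only created when "$1" is "install" and the profile file is absent, a short comment stating that an existing profile is deliberately left in whatever state the administrator chose would make the intent clear.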
370diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
371new file mode 100644
372index 0000000..df3a9a3
373--- /dev/null
374+++ b/debian/usr.sbin.squid
375@@ -0,0 +1,86 @@
376+# Author: Simon Deziel
377+# Jamie Strandboge
378+# vim:syntax=apparmor
379+#include <tunables/global>
380+
381+/usr/sbin/squid flags=(attach_disconnected) {
382+ #include <abstractions/base>
383+ #include <abstractions/kerberosclient>
384+ #include <abstractions/nameservice>
385+ #include <abstractions/ssl_certs>
386+
387+ # If you are using squid with the default snakeoil certificates, you will
388+ # probably have to uncomment the line below so that squid can read the
389+ # private key:
390+ #/etc/ssl/private/ssl-cert-snakeoil.key r,
391+
392+ # For a more generous permission, but also less secure, you could
393+ # alternatively include the <abstractions/ssl_keys> abstraction, which
394+ # gives read access to the entire contents of /etc/ssl
395+
396+ capability net_admin,
397+ capability net_raw,
398+ capability setuid,
399+ capability setgid,
400+ capability sys_chroot,
401+
402+ # allow child processes to run execvp(argv[0], [kidname, ...])
403+ /usr/sbin/squid rix,
404+
405+ # pinger
406+ network inet raw,
407+ network inet6 raw,
408+
409+ /etc/mtab r,
410+ @{PROC}/[0-9]*/mounts r,
411+ @{PROC}/mounts r,
412+
413+ # squid3 configuration
414+ /etc/squid/** r,
415+ /{,var/}run/squid.pid rwk,
416+ /var/spool/squid/ r,
417+ /var/spool/squid/** rwk,
418+ /usr/lib/squid{,3}/* rmix,
419+ /usr/share/squid/** r,
420+ /var/log/squid/* rw,
421+
422+ # squid-langpack
423+ /usr/share/squid-langpack/** r,
424+
425+ # maas-proxy
426+ /var/lib/maas/maas-proxy.conf r,
427+ /var/log/maas/proxy/** rw,
428+ /var/spool/maas-proxy/ r,
429+ /var/spool/maas-proxy/** rwk,
430+
431+ # squid-deb-proxy
432+ /etc/squid-deb-proxy/** r,
433+ /{,var/}run/squid-deb-proxy.pid rwk,
434+ /var/cache/squid-deb-proxy/ r,
435+ /var/cache/squid-deb-proxy/** rwk,
436+ /var/log/squid-deb-proxy/* rw,
437+ owner /dev/shm/** rmw,
438+
439+ # squidguard
440+ /usr/bin/squidGuard Cx -> squidguard,
441+ profile squidguard {
442+ #include <abstractions/base>
443+
444+ /etc/squid/squidGuard.conf r,
445+ /var/log/squid{,3}/squidGuard.log w,
446+ /var/lib/squidguard/** rw,
447+
448+ # squidguard by default uses /var/log/squid as its logdir, however, we
449+ # don't want it to access squid's logs, only its own. Explicitly deny
450+ # access to squid's files but allow all others since the user may specify
451+ # anything for the squidGurad 'log' directive.
452+ /var/log/squid{,3}/* rw,
453+ audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
454+
455+ # Site-specific additions and overrides. See local/README for details.
456+ #include <local/usr.sbin.squid>
457+ }
458+
459+ # Site-specific additions and overrides. See local/README for details.
460+ #include <local/usr.sbin.squid>
461+}
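Review bot: The nested squidguard profile ends with "#include <local/usr.sbin.squid>", the same file the parent profile includes on its last line, so any site-specific rule an administrator adds for squid is also granted to the squidGuard child. Give the child its own local include, or drop the include from the child. Separately, "capability net_admin," has no comment saying which squid feature needs it; the changelog ties it to LP: #1796189, and a one-line comment in the profile would let a later reviewer decide whether it can be narrowed. "squidGurad" in the log directive comment is a typo.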
