Merge ~ahasenack/ubuntu/+source/squid:disco-squid-merge into ubuntu/+source/squid:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: Robie Basak
Approved revision: b68f6ab89baa162cda6b30823dbf5710e45e6726
Merge reported by: Andreas Hasenack
Merged at revision: b68f6ab89baa162cda6b30823dbf5710e45e6726
Proposed branch: ~ahasenack/ubuntu/+source/squid:disco-squid-merge
Merge into: ubuntu/+source/squid:debian/sid
Diff against target: 461 lines (+336/-5)
11 files modified
debian/changelog (+123/-0)
debian/control (+5/-3)
debian/patches/90-cf.data.ubuntu.patch (+16/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/fix-rotate-assertion.patch (+26/-0)
debian/patches/fix-uninitialized-var.patch (+25/-0)
debian/patches/series (+4/-0)
debian/rules (+11/-2)
debian/squid.install (+3/-0)
debian/squid.preinst (+15/-0)
debian/usr.sbin.squid (+86/-0)
Reviewer          Review Type  Date Requested  Status
Robie Basak                                    Approve
Canonical Server                               Pending
Review via email: mp+359001@code.launchpad.net

Description of the change

Merge from Debian's latest squid.

Dropped a good portion of the delta that was pushed to Debian during the squid3->squid4 work from the previous cycle.

Of the 3 added changes, two (d/rules -latomic, and d/NEWS) were submitted to Debian:
- d/rules -latomic: https://salsa.debian.org/squid-team/squid/merge_requests/6
- d/NEWS: https://salsa.debian.org/squid-team/squid/merge_requests/7

The third one is about apparmor which Debian isn't using.

The work to push our apparmor profile upstream still needs to be done, but I left that for another time.

Bileto ticket and related ppa: https://bileto.ubuntu.com/#/ticket/3524

The armhf dep8 always-failed error I believe might be related to the use of lxd on arm, as the other tests run in a VM via ssh. I tried locally on amd64 with lxd and the test passed, though.

Robie Basak (racb) wrote :

merge-changelogs run, update-maintainer run. A study of "git range-diff" output indicates that the changelog accurately describes the set of changes made. All delta dropped verified now present in Debian.

Review of new changes:

-latomic change looks correct. NEWS rename seems reasonable. AppArmor profile change looks reasonable and verified by jdstrand in the bug.

New changelog version string and target release are correct. There is no merge bug reference to close.

lgtm. Nice job getting the delta down!

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, upload tag pushed and package uploaded. I'll watch over migration.

Andreas Hasenack (ahasenack) wrote :

I migrated, marking as merged.

Preview Diff

diff --git a/debian/NEWS.debian b/debian/NEWS
0similarity index 100%0similarity index 100%
1rename from debian/NEWS.debian1rename from debian/NEWS.debian
2rename to debian/NEWS2rename to debian/NEWS
diff --git a/debian/changelog b/debian/changelog
index 275f795..01aab06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,47 @@
1squid (4.4-1ubuntu1) disco; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - Use snakeoil certificates.
5 - Add an example refresh pattern for debs.
6 - Add disabled by default AppArmor profile.
7 - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
8 error in parse_time_t, triggered on ppc64el due to the build using -O3
9 in that architecture.
10 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
11 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
12 -O2 and that triggers a format-truncation error on pcon.cc. See
13 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
14 - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
15 Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP #1794553)
16 * Drop:
17 - d/rules: enable cdbs parallel build
18 [Fixed in 4.2-1]
19 - d/t/test-squid.py: fix apparmor profile filename
20 [Fixed in 4.2-1]
21 - d/t/test-squid.py: fix the process name. The PID points at the parent.
22 [Fixed in 4.2-1]
23 - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
24 [Fixed in 4.2-1]
25 - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
26 binary from the system, instead of the one from the source tree.
27 [Fixed in 4.2-1]
28 - d/t/upstream-test-suite: drop the sed line, since patch
29 0003-installed-binary-for-debian-ci.patch is doing this work now.
30 (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
31 [Fixed in 4.2-1]
32 * Added changes:
33 - d/rules: Only use -latomic with the intended architectures, instead of
34 all of them. This matches what was suggested in
35 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
36 - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
37 dh_installchangelogs can pick it up. dh_installchangelogs handles
38 d/NEWS or d/<package>.NEWS, but not NEWS.debian.
39 - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
40 + allow net_admin capability
41 + add attach_disconnected flag
42
43 -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Nov 2018 10:51:18 -0200
44
1squid (4.4-1) unstable; urgency=high45squid (4.4-1) unstable; urgency=high
246
3 * Urgency high due to security fixes47 * Urgency high due to security fixes
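Review bot: The fix-rotate-assertion entry in the new 4.4-1ubuntu1 stanza writes its bug reference as "(LP #1794553)" without the colon, while every other reference in this changelog, including the same bug in the 4.1-1ubuntu3 entry, uses the "LP: #NNNN" form; change it to "(LP: #1794553)". The same stanza also has "maybe-unitialized" for "maybe-uninitialized", a doubled "See See" before the bugs.squid-cache.org URL, and "pcon.cc" where the comment added to d/rules names pconn.cc.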
@@ -62,6 +106,85 @@ squid (4.2-1) unstable; urgency=high
62106
63 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200107 -- Luigi Gangitano <luigi@debian.org> Wed, 22 Aug 2018 13:57:15 +0200
64108
109squid (4.1-1ubuntu3) cosmic; urgency=medium
110
111 * d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
112 Thanks to Vitaly Lavrov <vel21ripn@gmail.com>. (LP: #1794553)
113
114 -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:00:36 -0300
115
116squid (4.1-1ubuntu2) cosmic; urgency=medium
117
118 * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
119 binary (LP: #1792728)
120
121 -- Simon Deziel <simon@sdeziel.info> Sat, 15 Sep 2018 13:55:32 -0400
122
123squid (4.1-1ubuntu1) cosmic; urgency=medium
124
125 * Merged with Debian unstable (LP: #1780944, LP: #1097032, LP: #16669).
126 Remaining changes:
127 - Use snakeoil certificates.
128 [Updated to use the correct config setting names]
129 - Add an example refresh pattern for debs.
130 [Improved the refresh patterns based on the configuration from
131 squid-deb-proxy package]
132 - Add disabled by default AppArmor profile.
133 [Updated to include the ssl_certs abstraction and suggestions on how to
134 deal with the snakeoil private key and other keys in /etc/ssl.]
135 * Dropped changes:
136 - Add additional dep8 tests.
137 [Adopted in 4.0.21-1~exp5, albeit a stripped down version]
138 - Correct attribution and add explanatory note in d/NEWS.debian.
139 [That particular upgrade path has happened long ago.]
140 - Drop wrong short-circuiting of various invocations; we always want to
141 call the debhelper block.
142 [This was for the transitional squid3 package, and that transition has
143 already happened.]
144 - Revert "Set pidfile for systemd's sysv-generator" from Debian.
145 [Not needed anymore since we have a native systemd service file
146 and no longer rely on the generator.]
147 - Enable autoreconf. This is no longer required for the security updates,
148 but is needed for the seddery of test-suite/Makefile.am in
149 d/t/upstream-test-suite.
150 [Replaced by patch 0003-installed-binary-for-debian-ci.patch]
151 - Adjust seddery for upstream test squid binary location.
152 [sed no longer necessary since patch,
153 0003-installed-binary-for-debian-ci.patch, will be dropped
154 entirely.]
155 - Drop Conflicts/Replaces of squid against squid3. In Ubuntu, the migration
156 happened in Xenial, so no upgrade path still requires this code. This
157 reduces upgrade ordering difficulty.
158 [Again we have a migration, but this time from squid3 to squid, so we
159 need this].
160 - GCC7 FTBFS fixes (LP: #1712668):
161 + d/rules: don't error when hitting the "deprecated" and
162 "format-truncation" gcc7 warnings. Upstream 3.5.27 has fixes for these,
163 but one in Format.cc that affects 32bit builds was deemed too intrusive
164 for the 3.5 stable series and is only in squid 4.x
165 [No longer needed with squid 4.x]
166 - Do not force gcc-6
167 [It was a temporary workaround in Debian that got dropped]
168 * Added changes:
169 - d/rules: enable cdbs parallel build
170 - d/t/test-squid.py: fix apparmor profile filename
171 - d/t/test-squid.py: fix the process name. The PID points at the parent.
172 - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
173 - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
174 binary from the system, instead of the one from the source tree.
175 - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
176 error in parse_time_t, triggered on ppc64el due to the build using -O3
177 in that architecture.
178 - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
179 building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
180 -O2 and that triggers a format-truncation error on pcon.cc. See
181 See https://bugs.squid-cache.org/show_bug.cgi?id=4875
182 - d/t/upstream-test-suite: drop the sed line, since patch
183 0003-installed-binary-for-debian-ci.patch is doing this work now.
184 (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
185
186 -- Andreas Hasenack <andreas@canonical.com> Thu, 16 Aug 2018 12:33:17 -0300
187
65squid (4.1-1) unstable; urgency=high188squid (4.1-1) unstable; urgency=high
66189
67 * New Upstream Release (Closes: #896120)190 * New Upstream Release (Closes: #896120)
diff --git a/debian/control b/debian/control
index 2c6a5b4..8d7e6b5 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: squid1Source: squid
2Section: web2Section: web
3Priority: optional3Priority: optional
4Maintainer: Luigi Gangitano <luigi@debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Luigi Gangitano <luigi@debian.org>
5Uploaders: Santiago Garcia Mantinan <manty@debian.org>6Uploaders: Santiago Garcia Mantinan <manty@debian.org>
6Homepage: http://www.squid-cache.org7Homepage: http://www.squid-cache.org
7Standards-Version: 4.2.18Standards-Version: 4.2.1
@@ -24,6 +25,7 @@ Build-Depends: ed, libltdl-dev, pkg-config
24 , libsasl2-dev25 , libsasl2-dev
25 , libxml2-dev26 , libxml2-dev
26 , nettle-dev27 , nettle-dev
28 , dh-apparmor
2729
28Package: squid330Package: squid3
29Architecture: all31Architecture: all
@@ -40,8 +42,8 @@ Description: Transitional package
40Package: squid42Package: squid
41Architecture: any43Architecture: any
42Pre-Depends: adduser44Pre-Depends: adduser
43Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl45Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl, ssl-cert
44Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd46Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd, apparmor
45Recommends: libcap2-bin [linux-any], ca-certificates47Recommends: libcap2-bin [linux-any], ca-certificates
46Conflicts: squid3 (<< ${binary:Version})48Conflicts: squid3 (<< ${binary:Version})
47Replaces: squid349Replaces: squid3
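Review bot: ssl-cert goes into Depends of the squid package, but the only use of it visible in this merge is the cf.data.pre documentation note that offers the snakeoil certificate and key "for testing", and the AppArmor profile keeps the rule for that key commented out. A hard dependency pulls the package in on every install whether or not TLS peering is configured; Recommends or Suggests would match what the diff shows, or the changelog should state what needs it at runtime.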
diff --git a/debian/patches/90-cf.data.ubuntu.patch b/debian/patches/90-cf.data.ubuntu.patch
48new file mode 10064450new file mode 100644
index 0000000..9dfa5b4
--- /dev/null
+++ b/debian/patches/90-cf.data.ubuntu.patch
@@ -0,0 +1,16 @@
1--- a/src/cf.data.pre
2+++ b/src/cf.data.pre
3@@ -5859,6 +5862,12 @@ NOCOMMENT_START
4 refresh_pattern ^ftp: 1440 20% 10080
5 refresh_pattern ^gopher: 1440 0% 1440
6 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
7+refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
8+refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
9+refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
10+refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
11+# example pattern for deb packages
12+#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
13 refresh_pattern . 0 20% 4320
14 NOCOMMENT_END
15 DOC_END
16
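Review bot: 90-cf.data.ubuntu.patch has no DEP-3 header, while fix-rotate-assertion.patch and fix-uninitialized-var.patch in the same series both carry one. Add at least Description, Author or Origin, and Forwarded, so the next merge can tell that this is Ubuntu-only delta and why the four refresh-ims patterns are active while the .deb/.udeb pattern is only a commented example.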
diff --git a/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
0new file mode 10064417new file mode 100644
index 0000000..40b5306
--- /dev/null
+++ b/debian/patches/99-ubuntu-ssl-cert-snakeoil.patch
@@ -0,0 +1,22 @@
1--- a/src/cf.data.pre
2+++ b/src/cf.data.pre
3@@ -3516,6 +3516,19 @@
4 reference a PEM file containing both the certificate
5 and private key.
6
7+ Notes:
8+
9+ On Debian/Ubuntu systems a default snakeoil certificate is
10+ available in /etc/ssl and users can set:
11+
12+ sslcert=/etc/ssl/certs/ssl-cert-snakeoil.pem
13+
14+ and
15+
16+ sslkey=/etc/ssl/private/ssl-cert-snakeoil.key
17+
18+ for testing.
19+
20 sslcipher=... The list of valid SSL ciphers to use when connecting
21 to this peer.
22
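Review bot: The added note tells users to set sslkey=/etc/ssl/private/ssl-cert-snakeoil.key, but the AppArmor profile shipped in this same merge leaves "#/etc/ssl/private/ssl-cert-snakeoil.key r," commented out, and its own comment says squid will probably not be able to read the key until that line is enabled. Mention the profile rule in this note so someone who follows it with the profile enabled is not left with an unexplained key read failure. The patch file also lacks a DEP-3 header.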
diff --git a/debian/patches/fix-rotate-assertion.patch b/debian/patches/fix-rotate-assertion.patch
0new file mode 10064423new file mode 100644
index 0000000..820cf0e
--- /dev/null
+++ b/debian/patches/fix-rotate-assertion.patch
@@ -0,0 +1,26 @@
1Description: Fix assertion error when rotating logs
2 Upstream is still discussing
3 (https://github.com/squid-cache/squid/pull/257#issuecomment-428250856)
4 the details of the patch, but there are no big cons for now. The PR will be
5 monitored and the squid package updated accordingly when needed.
6Author: Vitaly Lavrov <vel21ripn@gmail.com>
7Origin: other, https://github.com/squid-cache/squid/pull/257#issuecomment-427271426
8Bug: https://bugs.squid-cache.org/show_bug.cgi?id=4796
9Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910337
10Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1794553
11Last-Update: 2018-10-09
12---
13This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
14diff --git a/src/main.cc b/src/main.cc
15index 2a7269ed..9dc0d195 100644
16--- a/src/main.cc
17+++ b/src/main.cc
18@@ -1152,8 +1152,6 @@ mainInitialize(void)
19
20 _db_init(Debug::cache_log, Debug::debugOptions);
21
22- fd_open(fileno(debug_log), FD_LOG, Debug::cache_log);
23-
24 debugs(1, DBG_CRITICAL, "Starting Squid Cache version " << version_string << " for " << CONFIG_HOST_TYPE << "...");
25 debugs(1, DBG_CRITICAL, "Service Name: " << service_name);
26
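Review bot: The header says upstream is still discussing the change, yet it has no Forwarded field and does not explain why dropping the fd_open(fileno(debug_log), FD_LOG, Debug::cache_log) call in mainInitialize() cures the rotate assertion. Add one sentence on the mechanism to the Description and a Forwarded line pointing at the pull request, so whoever does the next merge can judge when the patch can be dropped or replaced by the upstream fix.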
diff --git a/debian/patches/fix-uninitialized-var.patch b/debian/patches/fix-uninitialized-var.patch
0new file mode 10064427new file mode 100644
index 0000000..a682703
--- /dev/null
+++ b/debian/patches/fix-uninitialized-var.patch
@@ -0,0 +1,25 @@
1Description: Workaround gcc's maybe-uninitialized error in parse_time_t
2 Function parse_time_t() passes an unitialized variable to parseTimeLine(),
3 which will fill it in as the return value. gcc's -Wmaybe-unitialized setting
4 trips over this when the build is done with -O3, as is the case in ppc64el.
5 This fix is suggested in https://github.com/squid-cache/squid/pull/270, but
6 not accepted yet. It was remarked that a better fix can be done, instead of
7 just working around the gcc misfire.
8Origin: other, https://github.com/squid-cache/squid/pull/270
9Bug: https://bugs.squid-cache.org/show_bug.cgi?id=4875
10Last-Update: 2018-08-14
11---
12This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
13diff --git a/src/cache_cf.cc b/src/cache_cf.cc
14index 006a42d..96fe36f 100644
15--- a/src/cache_cf.cc
16+++ b/src/cache_cf.cc
17@@ -2925,7 +2925,7 @@ dump_time_t(StoreEntry * entry, const char *name, time_t var)
18 void
19 parse_time_t(time_t * var)
20 {
21- time_msec_t tval;
22+ time_msec_t tval = 0;
23 parseTimeLine(&tval, T_SECOND_STR, false);
24 *var = static_cast<time_t>(tval/1000);
25 }
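Review bot: In the Description, "unitialized" and "-Wmaybe-unitialized" should read "uninitialized" and "-Wmaybe-uninitialized"; the first line already spells it correctly, and the misspelled flag will not match a search for the gcc option. On the changed line, "time_msec_t tval = 0;" silences the warning, but it also means that any path where parseTimeLine() returns without writing tval would quietly store 0 in *var. The header already records that a better fix is wanted, so a Forwarded field would make that easier to track.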
diff --git a/debian/patches/series b/debian/patches/series
index 6bff1ed..4c80674 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,7 @@
10001-Default-configuration-file-for-debian.patch10001-Default-configuration-file-for-debian.patch
20002-Change-default-file-locations-for-debian.patch20002-Change-default-file-locations-for-debian.patch
30003-installed-binary-for-debian-ci.patch30003-installed-binary-for-debian-ci.patch
490-cf.data.ubuntu.patch
599-ubuntu-ssl-cert-snakeoil.patch
6fix-uninitialized-var.patch
7fix-rotate-assertion.patch
diff --git a/debian/rules b/debian/rules
index 9b2b1ed..3923dac 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,12 +3,17 @@
3export DEB_BUILD_MAINT_OPTIONS = hardening=+all3export DEB_BUILD_MAINT_OPTIONS = hardening=+all
4export DEB_CFLAGS_MAINT_APPEND = -Wall4export DEB_CFLAGS_MAINT_APPEND = -Wall
55
6DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -latomic6DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
7ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))7ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
8 DEB_LDFLAGS_MAINT_APPEND += -latomic8 DEB_LDFLAGS_MAINT_APPEND += -latomic
9endif9endif
10export DEB_LDFLAGS_MAINT_APPEND10export DEB_LDFLAGS_MAINT_APPEND
1111# On ppc64el, dpkg-buildflags sets -O3 instead of the usual
12# -O2. This makes gcc emit a format-truncation error on
13# pconn.cc. See https://bugs.squid-cache.org/show_bug.cgi?id=4875
14ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),ppc64el)
15 export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation
16endif
12export DEB_BUILD_PARALLEL = yes17export DEB_BUILD_PARALLEL = yes
13include /usr/share/dpkg/buildflags.mk18include /usr/share/dpkg/buildflags.mk
1419
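Review bot: The ppc64el conditional shells out with $(shell dpkg-architecture -qDEB_HOST_ARCH) while the -latomic conditional a few lines above reads $(DEB_HOST_ARCH) directly; use the variable in both places so the two checks cannot disagree and no extra process is spawned. Also, "export DEB_CXXFLAGS_MAINT_APPEND = -Wno-format-truncation" assigns rather than appends, so "+=" would be safer if another CXXFLAGS append is ever added above it, and the comment names pconn.cc where the changelog entry says pcon.cc.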
@@ -95,3 +100,7 @@ install/squid::
95 install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1100 install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
96 mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge101 mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
97 mv $(INSTALLDIR)/usr/share/man/man1/purge.1 $(INSTALLDIR)/usr/share/man/man1/squid-purge.1102 mv $(INSTALLDIR)/usr/share/man/man1/purge.1 $(INSTALLDIR)/usr/share/man/man1/squid-purge.1
103 install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/force-complain
104 install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/disable
105 install -m 644 -g root debian/usr.sbin.squid $(INSTALLDIR)/etc/apparmor.d
106 dh_apparmor --profile-name=usr.sbin.squid -psquid
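Review bot: etc/apparmor.d/force-complain is created here and listed in debian/squid.install, but nothing in this diff places a file in it; the preinst only writes to etc/apparmor.d/disable. Either drop the force-complain directory or add a comment saying what is expected to use it.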
diff --git a/debian/squid.install b/debian/squid.install
index 95ebe1a..d13050d 100644
--- a/debian/squid.install
+++ b/debian/squid.install
@@ -28,3 +28,6 @@ usr/share/man/man8/negotiate_kerberos_auth.8
28usr/share/man/man8/security_fake_certverify.828usr/share/man/man8/security_fake_certverify.8
29usr/share/man/man8/storeid_file_rewrite.829usr/share/man/man8/storeid_file_rewrite.8
30usr/share/man/man8/squid.830usr/share/man/man8/squid.8
31etc/apparmor.d/disable
32etc/apparmor.d/force-complain
33etc/apparmor.d/usr.sbin.squid
diff --git a/debian/squid.preinst b/debian/squid.preinst
index 941d4f2..65f81c4 100644
--- a/debian/squid.preinst
+++ b/debian/squid.preinst
@@ -63,6 +63,21 @@ then
63 chsh -s /bin/sh proxy63 chsh -s /bin/sh proxy
64fi64fi
6565
66disable_profile() {
67 APP_CONFFILE="/etc/apparmor.d/usr.sbin.squid"
68 APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.squid"
69 # Create a symlink to the yet-to-be-unpacked profile
70 if [ ! -e "$APP_CONFFILE" ]; then
71 mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
72 ln -sf $APP_CONFFILE $APP_DISABLE
73 fi
74}
75
76if [ "$1" = "install" ]; then
77 # Disable AppArmor profile on install
78 disable_profile
79fi
80
66# dh_installdeb will replace this with shell code automatically81# dh_installdeb will replace this with shell code automatically
67# generated by other debhelper scripts.82# generated by other debhelper scripts.
6883
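Review bot: disable_profile only runs when "$1" = "install", so an upgrade from a package version that did not ship /etc/apparmor.d/usr.sbin.squid reaches preinst with "upgrade" and gets the profile installed enabled, which does not match "disabled by default" in the changelog; if that is intended, say so in a comment. In the function body, `dirname $APP_DISABLE` and the arguments to ln -sf are unquoted, and "2>/dev/null || true" hides a failed mkdir only for the following ln to fail instead; quote the variables and let mkdir -p report its own error.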
diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
69new file mode 10064484new file mode 100644
index 0000000..df3a9a3
--- /dev/null
+++ b/debian/usr.sbin.squid
@@ -0,0 +1,86 @@
1# Author: Simon Deziel
2# Jamie Strandboge
3# vim:syntax=apparmor
4#include <tunables/global>
5
6/usr/sbin/squid flags=(attach_disconnected) {
7 #include <abstractions/base>
8 #include <abstractions/kerberosclient>
9 #include <abstractions/nameservice>
10 #include <abstractions/ssl_certs>
11
12 # If you are using squid with the default snakeoil certificates, you will
13 # probably have to uncomment the line below so that squid can read the
14 # private key:
15 #/etc/ssl/private/ssl-cert-snakeoil.key r,
16
17 # For a more generous permission, but also less secure, you could
18 # alternatively include the <abstractions/ssl_keys> abstraction, which
19 # gives read access to the entire contents of /etc/ssl
20
21 capability net_admin,
22 capability net_raw,
23 capability setuid,
24 capability setgid,
25 capability sys_chroot,
26
27 # allow child processes to run execvp(argv[0], [kidname, ...])
28 /usr/sbin/squid rix,
29
30 # pinger
31 network inet raw,
32 network inet6 raw,
33
34 /etc/mtab r,
35 @{PROC}/[0-9]*/mounts r,
36 @{PROC}/mounts r,
37
38 # squid3 configuration
39 /etc/squid/** r,
40 /{,var/}run/squid.pid rwk,
41 /var/spool/squid/ r,
42 /var/spool/squid/** rwk,
43 /usr/lib/squid{,3}/* rmix,
44 /usr/share/squid/** r,
45 /var/log/squid/* rw,
46
47 # squid-langpack
48 /usr/share/squid-langpack/** r,
49
50 # maas-proxy
51 /var/lib/maas/maas-proxy.conf r,
52 /var/log/maas/proxy/** rw,
53 /var/spool/maas-proxy/ r,
54 /var/spool/maas-proxy/** rwk,
55
56 # squid-deb-proxy
57 /etc/squid-deb-proxy/** r,
58 /{,var/}run/squid-deb-proxy.pid rwk,
59 /var/cache/squid-deb-proxy/ r,
60 /var/cache/squid-deb-proxy/** rwk,
61 /var/log/squid-deb-proxy/* rw,
62 owner /dev/shm/** rmw,
63
64 # squidguard
65 /usr/bin/squidGuard Cx -> squidguard,
66 profile squidguard {
67 #include <abstractions/base>
68
69 /etc/squid/squidGuard.conf r,
70 /var/log/squid{,3}/squidGuard.log w,
71 /var/lib/squidguard/** rw,
72
73 # squidguard by default uses /var/log/squid as its logdir, however, we
74 # don't want it to access squid's logs, only its own. Explicitly deny
75 # access to squid's files but allow all others since the user may specify
76 # anything for the squidGurad 'log' directive.
77 /var/log/squid{,3}/* rw,
78 audit deny /var/log/squid{,3}/{access,cache,store}.log* rw,
79
80 # Site-specific additions and overrides. See local/README for details.
81 #include <local/usr.sbin.squid>
82 }
83
84 # Site-specific additions and overrides. See local/README for details.
85 #include <local/usr.sbin.squid>
86}
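Review bot: The nested squidguard profile ends with "#include <local/usr.sbin.squid>", the same local file the parent profile includes, so any site-specific rule an administrator adds for squid is also granted to the confined squidGuard child. Give the child its own local include (or none) so the narrower profile stays narrower. Separately, "capability net_admin," has no comment, unlike the raw network rules marked "# pinger"; add a line saying what needs it, with the LP: #1796189 reference from the changelog. The comment "squidGurad" should read "squidGuard", and "# squid3 configuration" is stale now that the paths are /etc/squid.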
