Hello,

On Thursday, 23 January 2014, John Johansen wrote:
> On 01/23/2014 06:37 AM, Christian Boltz wrote:
> > On Thursday, 23 January 2014, John Johansen wrote:
> >> On 01/19/2014 08:58 AM, Christian Boltz wrote:
> >>> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
> >>> and replaces the mail storage location in various dovecot-related
> >>> profiles with this variable.
> >>>
> >>> It also adds nice copyright headers (I hope I got the bzr log right ;-)
> >>
> >> a few comments inline
> >>
> >>> === added file 'profiles/apparmor.d/tunables/dovecot'
> >>> --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00
> >>> +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06
> >
> > ...
> >
> >>> +# @{DOVECOT_MAILSTORE} is a space-separated list of all
> >>> directories
> >>> +# where dovecot is allowed to store and read mails
> >>> +#
> >>> +# The default value is quite broad to avoid breaking existing
> >>> setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain
> >>> the
> >>> directory +# you use, and remove everything else.
> >>> +
> >>> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
> >>> /var/vmail/ /var/mail/ /var/spool/mail/
> >>>
> >>>
> >>>
> >>>
> >>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> >>> --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10
> >>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19
> >
> > ...
> >
> >>> - @{HOME} r,
> >>> - @{HOME}/Maildir/ rw,
> >>> - @{HOME}/Maildir/** klrw,
> >>> - @{HOME}/Mail/ rw,
> >>> - @{HOME}/Mail/* klrw,
> >>> - @{HOME}/Mail/.imap/** klrw,
> >>> - @{HOME}/mail/ rw,
> >>> - @{HOME}/mail/* klrw,
> >>> - @{HOME}/mail/.imap/** klrw,
> >>> + @{DOVECOT_MAILSTORE}/ rw,
> >>> + @{DOVECOT_MAILSTORE}/** rwkl,
> >>
> >> so this is slightly wider perms than
> >>
> >>> - @{HOME}/{m,M}ail/* klrw,
> >>> - @{HOME}/{m,M}ail/.imap/** klrw,
> >>
> >> is this what we want?
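Review bot: in the tunables/dovecot hunk every value of @{DOVECOT_MAILSTORE} ends in a trailing slash (`@{HOME}/Maildir/`, `/var/vmail/`), while the profile rules append another one (`@{DOVECOT_MAILSTORE}/ rw,`, `@{DOVECOT_MAILSTORE}/** rwkl,`), so the expanded paths carry a doubled slash. Pick one convention rather than relying on the parser to collapse it: either drop the trailing slash from the variable values, or write the rules as `@{DOVECOT_MAILSTORE} rw,` and `@{DOVECOT_MAILSTORE}** rwkl,`. The tunable's comment should also say whether an admin editing the list is expected to keep the trailing slash, since a value without it would otherwise silently change what the rules match.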
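Review bot: the usr.lib.dovecot.imap hunk removes `@{HOME} r,` without a replacement in the visible context, and none of the new `@{DOVECOT_MAILSTORE}` rules grants read on the home directory itself (the values only cover the mail directories and their contents). If imap still stats or lists the home directory to locate `Maildir/`, that access is now denied; either keep `@{HOME} r,` or state in the patch description why it is no longer needed.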
>
> > The idea of @{DOVECOT_MAILSTORE} is to allow the directories that
> > were allowed in the old profile, and getting all profiles in sync
> > so that for example IMAP and POP3 allow access to the same
> > directory.
> >
> > I know the list got quite long - but that's what you get from
> > checking the current dovecot-related profiles. (Maybe also a
> > location from a bug report on bnc sneaked in, I'd have to check that
> > ;-)
> >
> > I'd happily shorten the list to just /var/vmail/, but I'm sure users
> > would kill me for doing it ;-)
> >
> > The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE}
> > from the dovecot config, but unfortunately that isn't as easy as it
> > looks. (Proposals and scripts welcome ;-)
>
> Not quite what I meant by widening of the perms (though I would love
> to have the list generated from the config too). The list for
> @{DOVECOT_MAILSTORE} is fine.
>
> What I meant was that for the case of @{HOME}/mail/ and @{HOME}/Mail/
> we used to have
> @{HOME}/{m,M}ail/* klrw,
> @{HOME}/{m,M}ail/.imap/** klrw,
>
> but we now have
> @{HOME}/{m,M}ail/** klrw,
>
> the difference being that we only allowed the recursive ** for the
> .imap dir.
>
> I just wanted to make sure this widening of permissions was
> intentional
More or less ;-)

I'd call it the price we have to pay to get it configurable in
@{DOVECOT_MAILSTORE} - which also means permissions for ~/{m,M}ail can
easily be removed.

Besides that, only allowing the .imap/** subdirectory doesn't match the
other allowed directories, especially ~/Maildir/** which we already have
in the profile.

Regards,

Christian Boltz
--
> if ( ! ifdef $root ) { [...] }
ifdef? Someone has been smoking rolled-up Makefiles...
[> Christian Boltz and Ratti in fontlinge-devel]

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
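To make the widening John asks about concrete, here is an added example; it is not code from the thread or from the AppArmor project. It expands `@{...}` variables the way a tunables file defines them (space-separated values are alternatives, nested variables multiply out) and translates AppArmor path globs into regular expressions with simplified semantics: `*` stays within one path component, `**` crosses components, `{a,b}` is alternation, and directly after a `/` both `*` and `**` must consume at least one character, so `/dir/**` does not match `/dir/` itself. The `@{HOME}` definition is a constructed simplification of the real tunables/home, the collapsing of doubled slashes is an assumption made explicit in the code, and the sample paths are constructed. The old rules are the two John quotes; the new ones are the two from the patch.

```python
import re

# Constructed variable definitions, modelled on the tunables in the thread.
# @{HOME} is simplified to a fixed list here; the real tunables/home derives
# it from @{HOMEDIRS}.
VARIABLES = {
    "HOME": ["/home/*/", "/root/"],
    "DOVECOT_MAILSTORE": [
        "@{HOME}/Maildir/", "@{HOME}/mail/", "@{HOME}/Mail/",
        "/var/vmail/", "/var/mail/", "/var/spool/mail/",
    ],
}

# Rule paths as quoted in the thread (permission letters dropped; only the
# path matters for the comparison).
OLD_RULES = ["@{HOME}/{m,M}ail/*", "@{HOME}/{m,M}ail/.imap/**"]
NEW_RULES = ["@{DOVECOT_MAILSTORE}/", "@{DOVECOT_MAILSTORE}/**"]

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_variables(path, variables=VARIABLES):
    """Expand every @{VAR} in `path` into the list of concrete globs.

    Space-separated values are alternatives, so nested variables multiply
    out.  Doubled slashes produced by joining a value ending in '/' to a
    rule starting with '/' are collapsed (assumption about parser behaviour)."""
    match = VAR_RE.search(path)
    if match is None:
        return [re.sub(r"/{2,}", "/", path)]
    name = match.group(1)
    if name not in variables:
        raise KeyError("undefined variable @{%s}" % name)
    expanded = []
    for value in variables[name]:
        candidate = path[:match.start()] + value + path[match.end():]
        expanded.extend(expand_variables(candidate, variables))
    return expanded


def _translate(glob):
    """Translate one AppArmor-style glob into a regex body (simplified)."""
    out = []
    i = 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            # '**' crosses directory boundaries; right after '/' it must
            # consume at least one character, so '/d/**' never matches '/d/'.
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            # '*' stays within a single path component.
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        elif glob[i] == "{":
            end = glob.index("}", i)  # nested alternations are not handled
            alternatives = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alternatives) + ")")
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def rule_matches(rule_path, file_path, variables=VARIABLES):
    """True if the (variable-bearing) rule path covers `file_path`."""
    return any(re.fullmatch(_translate(g), file_path)
               for g in expand_variables(rule_path, variables))


def allowed_by(rules, file_path, variables=VARIABLES):
    return any(rule_matches(r, file_path, variables) for r in rules)


def widening(old_rules, new_rules, candidates, variables=VARIABLES):
    """Paths from `candidates` that the new rules cover but the old did not."""
    return [p for p in candidates
            if allowed_by(new_rules, p, variables)
            and not allowed_by(old_rules, p, variables)]


# Constructed sample paths a dovecot imap process might touch.
SAMPLE_PATHS = [
    "/home/alice/mail/inbox",
    "/home/alice/Mail/.imap/INBOX/dovecot.index.log",
    "/home/alice/mail/folder/subfolder",
    "/home/alice/Maildir/",
    "/home/alice/",
    "/var/vmail/example.org/bob/Maildir/cur/1389000000.M1P2.host",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print("%-60s old=%-5s new=%s" % (path, allowed_by(OLD_RULES, path),
                                          allowed_by(NEW_RULES, path)))
    print("newly covered:", widening(OLD_RULES, NEW_RULES, SAMPLE_PATHS))
```

Running it shows the difference John describes: `~/mail/folder/subfolder` is outside the old `~/{m,M}ail/*` rule, because `*` stops at the directory boundary, and inside the new `~/{m,M}ail/**` expansion. It also shows why the patch needs both `@{DOVECOT_MAILSTORE}/ rw,` and `@{DOVECOT_MAILSTORE}/** rwkl,`: the `**` rule alone never matches the mailstore directory itself.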