Update the postfix-common abstraction to cope with signal and unix socket mediation, update the access to the sasl library locations in a multiarch compliant way, and allow access to limited bits of the filesystem paths under which postfix chroots itself to (/var/spool/postfix/ on Ubuntu).
Nominated for trunk and 2.9.
Signed-off-by: Steve Beattie <st...@nxnw.org>
---
profiles/apparmor.d/abstractions/postfix-common | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
Index: b/profiles/apparmor.d/abstractions/postfix-common
===================================================================
--- a/profiles/apparmor.d/abstractions/postfix-common
+++ b/profiles/apparmor.d/abstractions/postfix-common
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2015 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -14,11 +15,21 @@
capability setgid,
capability sys_chroot,
+ # postfix's master can send us signals
+ signal receive peer=/usr/lib/postfix/master,
+
+ unix (send, receive) peer=(label=/usr/lib/postfix/master),
+
+ /etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db r,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
- /usr/lib64/sasl2/* mr,
- /usr/lib64/sasl2/ r,
- /usr/lib/sasl2/* mr,
- /usr/lib/sasl2/ r,
+ /usr/lib{,32,64}/sasl2/* mr,
+ /usr/lib{,32,64}/sasl2/ r,
+ /usr/lib/@{multiarch}/sasl2/* mr,
+ /usr/lib/@{multiarch}/sasl2/ r,
+
+ /var/spool/postfix/etc/* r,
+ /var/spool/postfix/lib/lib*.so* mr,
+ /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
--
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
