Hello, attached to this mail is a set of profiles for dovecot 2.x. Some are already in bzr in an older version (see the "diff" file for the changes), others are completely new.
I'm also introducing tunables/dovecot, which defines @{DOVECOT_MAILSTORE} with the locations of the mailboxes; it is needed in several profiles (and replaces quite a few lines in the existing dovecot profiles).

References: https://bugzilla.novell.com/show_bug.cgi?id=851984

I doubt this is the final version, but I'd nevertheless welcome comments ;-) (I'll propose the profiles for addition to profiles/apparmor.d/ when they are finished, and also release them as an update for at least openSUSE 13.1.)

Note: some profiles don't have the #include <local/...> yet - that's on my TODO list. The "paperwork" (copyright headers) is also still missing.

Regards, Christian Boltz

-- * mrdocs wonders when darix sleeps <sshaw> mrdocs: robots don't need sleep [from #opensuse-buildservice]
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver'
--- profiles/apparmor.d/usr.lib.dovecot.deliver 2012-01-06 16:34:44 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-15 14:56:00 +0000
@@ -1,6 +1,8 @@
# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com> #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/deliver { #include <abstractions/base> #include <abstractions/nameservice>
@@ -8,20 +10,16 @@
capability setgid, capability setuid, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + # http://www.postfix.org/SASL_README.html#server_dovecot /etc/dovecot/dovecot.conf r, /etc/dovecot/{auth,conf}.d/*.conf r, /etc/dovecot/dovecot-postfix.conf r, @{HOME} r, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, - @{HOME}/mail/ rw, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, /usr/lib/dovecot/deliver mr, - /var/mail/* klrw, - /var/spool/mail/* klrw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.deliver>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-13 12:48:02 +0000
@@ -1,6 +1,8 @@
# Author: Kees Cook <k...@ubuntu.com> #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/imap { #include <abstractions/base> #include <abstractions/nameservice>
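Review bot: The new `@{DOVECOT_MAILSTORE}/ rw,` and `@{DOVECOT_MAILSTORE}/** rwkl,` rules in the second usr.lib.dovecot.deliver hunk append a slash to tunable values that already end in one (every entry in the attached tunables/dovecot ends in `/`), so each expanded path contains a doubled slash. As far as I know apparmor_parser collapses repeated slashes, so this works, but nothing records that the convention is deliberate; a one-line comment next to the variable definition, such as `# entries end in "/"; profiles use @{DOVECOT_MAILSTORE}/ and @{DOVECOT_MAILSTORE}/**`, would keep a later edit from removing the slash on both sides and matching more than intended. The same pattern is introduced in the usr.lib.dovecot.imap, usr.lib.dovecot.pop3 and usr.sbin.dovecot hunks. Note also that the removed rules granted `*` under `@{HOME}/mail/` and `/var/mail/`, while the replacement `**` also reaches any subdirectories there; that looks intended but deserves a line in the commit message.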
@@ -8,18 +10,11 @@
capability setgid, capability setuid, - @{HOME} r, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, - @{HOME}/Mail/ rw, - @{HOME}/Mail/* klrw, - @{HOME}/Mail/.imap/** klrw, - @{HOME}/mail/ rw, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + + @{HOME} r, # ??? /usr/lib/dovecot/imap mr, - /var/mail/* klrw, - /var/spool/mail/* klrw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.imap>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
--- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-13 12:49:33 +0000
@@ -1,6 +1,8 @@
# Author: Kees Cook <k...@ubuntu.com> #include <tunables/global> +#include <tunables/dovecot> + /usr/lib/dovecot/pop3 { #include <abstractions/base> #include <abstractions/nameservice>
@@ -8,13 +10,10 @@
capability setgid, capability setuid, - /var/mail/* klrw, - /var/spool/mail/* klrw, - @{HOME} r, - @{HOME}/mail/* klrw, - @{HOME}/mail/.imap/** klrw, - @{HOME}/Maildir/ rw, - @{HOME}/Maildir/** klrw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + + @{HOME} r, # ??? /usr/lib/dovecot/pop3 mr, # Site-specific additions and overrides. See local/README for details.
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2013-01-02 23:34:38 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-13 12:56:25 +0000
@@ -1,6 +1,8 @@
# Author: Kees Cook <k...@ubuntu.com> #include <tunables/global> +#include <tunables/dovecot> + /usr/sbin/dovecot { #include <abstractions/authentication> #include <abstractions/base>
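Review bot: The re-added `@{HOME} r, # ???` line in the usr.lib.dovecot.imap hunk ships a rule whose purpose the author could not state, and the usr.lib.dovecot.pop3 hunk adds the identical line. AppArmor does not need read access on a parent directory to reach files below it, so this grant only matters if imap/pop3 actually open or list the home directory itself; if that is the case, replace the marker with the reason, e.g. `@{HOME} r, # <why the process reads the home directory>`, otherwise drop the rule and let the audit log show whether anything still needs it. The usr.lib.dovecot.deliver hunk keeps the same rule without a marker, so whatever the answer is should be applied there too.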
@@ -9,29 +11,42 @@ #include <abstractions/ssl_keys> capability chown, + capability dac_override, + capability fsetid, + capability kill, capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, - capability fsetid, + + + + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r, /etc/SuSE-release r, @{PROC}/@{pid}/mounts r, + /usr/bin/doveconf rix, + /usr/lib/dovecot/anvil Px, + /usr/lib/dovecot/auth Px, + /usr/lib/dovecot/config Px, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, + /usr/lib/dovecot/log Px, + /usr/lib/dovecot/managesieve Px, + /usr/lib/dovecot/managesieve-login Pxmr, /usr/lib/dovecot/pop3 Px, /usr/lib/dovecot/pop3-login Pxmr, - # temporarily commented out while testing - #/usr/lib/dovecot/managesieve Px, - /usr/lib/dovecot/managesieve-login Pxmr, - /usr/lib/dovecot/ssl-build-param ixr, - /usr/sbin/dovecot mr, + /usr/lib/dovecot/ssl-build-param rix, + /usr/lib/dovecot/ssl-params Px, + /usr/sbin/dovecot mrix, /var/lib/dovecot/ w, - /var/lib/dovecot/* krw, + /var/lib/dovecot/* rwkl, + /var/spool/postfix/private/* w, /{,var/}run/dovecot/ rw, /{,var/}run/dovecot/** rw, link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
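Review bot: `/var/spool/postfix/private/* w,` grants the master process write access to every socket Postfix keeps in its private directory, whereas the sibling usr.lib.dovecot.dovecot-auth profile names the single `dovecot-auth` socket; if the listener names are fixed by the shipped dovecot.conf, name them here as well, otherwise the line needs a comment saying why the wildcard is required. The added `capability dac_override,` and `capability kill,` are the grants most in need of a why-comment, since dac_override lets the master bypass file permission checks on every path the profile allows; something like `capability kill, # signals child services on reload/shutdown` (if that is the reason) would do. The three empty `+` lines before `@{DOVECOT_MAILSTORE}/ rw,` look accidental, and `/usr/sbin/dovecot mrix,` keeps a re-exec of the master inside this profile, which is fine only if that is deliberate.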
# ------------------------------------------------------------------
#
#    Copyright (C) 2013 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:ft=apparmor

# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
# where dovecot is allowed to store and read mails.
#
# Convention: every entry ends in a trailing slash, and the profiles in this
# set reference the variable as @{DOVECOT_MAILSTORE}/ and
# @{DOVECOT_MAILSTORE}/**, so each expanded path contains a doubled slash.
# NOTE(review): this relies on apparmor_parser collapsing repeated slashes;
# keep the trailing slash here and the leading one in the profiles in sync
# when editing either side.
@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
# Last Modified: Wed May 9 20:23:50 2012
#include <tunables/global>

# Profile for dovecot's anvil helper. flags=(complain): violations are only
# logged, not enforced, while the rule set is still being tested.
/usr/lib/dovecot/anvil flags=(complain) {
  #include <abstractions/base>

  capability setgid,
  capability setuid,
  capability sys_chroot,

  /usr/lib/dovecot/anvil mr,

  # TODO(review): no #include <local/usr.lib.dovecot.anvil> yet; add it once
  # the local override file ships (the submitting mail lists this as a TODO).
}
# Last Modified: Wed May 9 20:23:50 2012
#include <tunables/global>

# Profile for dovecot's auth process. Still in complain mode (denials are
# logged but not enforced).
/usr/lib/dovecot/auth flags=(complain) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/mysql>
  #include <abstractions/nameservice>

  # Explicit deny: deny rules are not logged, so this silences the
  # block_suspend request instead of reporting it on every call.
  deny capability block_suspend,
  # presumably for audit messages emitted via the authentication stack — confirm
  capability audit_write,
  capability setgid,
  capability setuid,

  # NOTE(review): only IPv4 here; imap-login in this set also grants
  # "network inet6 stream" — confirm whether auth needs IPv6 sockets, or
  # whether abstractions/nameservice already covers this rule.
  network inet stream,

  # By name, the SQL passdb/userdb configuration; such files usually carry
  # database credentials, so read-only is the right grant.
  /etc/dovecot/dovecot-database.conf.ext r,
  /etc/dovecot/dovecot-sql.conf.ext r,
  /usr/lib/dovecot/auth mr,

  # TODO(review): no #include <local/usr.lib.dovecot.auth> yet (listed as a
  # TODO in the submitting mail).
}
# Author: Kees Cook <k...@ubuntu.com>
#include <tunables/global>
#include <tunables/dovecot>

# Profile for dovecot's imap process. Mailbox locations come from
# @{DOVECOT_MAILSTORE} (tunables/dovecot).
/usr/lib/dovecot/imap {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setgid,
  capability setuid,

  # @{DOVECOT_MAILSTORE} entries already end in "/"; apparmor_parser is
  # expected to collapse the resulting "//".
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  # TODO(review): the reason for read access on the home directory itself is
  # unrecorded ("???" in the submitted version). AppArmor does not need it
  # for reaching files below @{HOME}, so confirm the process really opens or
  # lists the directory, or drop the rule.
  @{HOME} r,
  /usr/lib/dovecot/imap mr,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.imap>
}
# Last Modified: Wed May 9 19:33:09 2012
#include <tunables/global>

# Profile for dovecot's config process (complain mode: denials are logged,
# not enforced).
/usr/lib/dovecot/config flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  # presumably the key files are read while the configuration is parsed — confirm
  #include <abstractions/ssl_keys>

  # deny rules are not logged; this silences the block_suspend request.
  deny capability block_suspend,
  # NOTE(review): dac_override bypasses file permission checks on every path
  # this profile allows — record why it is needed (config or key files owned
  # by another user?) before leaving complain mode.
  capability dac_override,
  capability setgid,

  /etc/dovecot/** r,
  # ix: doveconf runs inherited under this profile
  /usr/bin/doveconf rix,
  /usr/lib/dovecot/config mr,
  # NOTE(review): it is not obvious from here why the config process would
  # exec managesieve; confirm this transition is needed.
  /usr/lib/dovecot/managesieve Px,

  # TODO(review): no #include <local/usr.lib.dovecot.config> yet.
}
# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com>
#include <tunables/global>
#include <tunables/dovecot>

# Profile for dovecot's deliver helper. Mailbox locations come from
# @{DOVECOT_MAILSTORE} (tunables/dovecot).
/usr/lib/dovecot/deliver {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setgid,
  capability setuid,

  # @{DOVECOT_MAILSTORE} entries already end in "/"; apparmor_parser is
  # expected to collapse the resulting "//".
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  # Configuration read by deliver; for the postfix integration file see
  # http://www.postfix.org/SASL_README.html#server_dovecot
  /etc/dovecot/dovecot.conf r,
  /etc/dovecot/{auth,conf}.d/*.conf r,
  /etc/dovecot/dovecot-postfix.conf r,
  # NOTE(review): read on the home directory itself — AppArmor does not need
  # it for reaching files below @{HOME}; confirm it is still required now that
  # the mailbox paths are covered above.
  @{HOME} r,
  /usr/lib/dovecot/deliver mr,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.deliver>
}
# Author: Kees Cook <k...@ubuntu.com>
#include <tunables/global>

# Profile for dovecot-auth; usr.sbin.dovecot in this set transitions to it
# with Pxmr.
/usr/lib/dovecot/dovecot-auth {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>

  capability setgid,
  # chown/dac_override: presumably for creating and re-owning the sockets
  # under /run/dovecot — confirm. dac_override bypasses file permission
  # checks on every path this profile allows.
  capability chown,
  capability dac_override,

  @{PROC}/@{pid}/mounts r,
  /usr/lib/dovecot/dovecot-auth mr,
  /{,var/}run/dovecot/** rw,

  # required for postfix+dovecot integration: the auth socket Postfix connects
  # to lives in its private/ directory; only this one name is granted.
  /var/spool/postfix/private/dovecot-auth w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.dovecot-auth>
}
# Author: Kees Cook <k...@ubuntu.com>
#include <tunables/global>

# Profile for dovecot's imap-login process: it gets the certificate/key
# abstractions and IPv4/IPv6 stream sockets, but no mailbox access.
/usr/lib/dovecot/imap-login {
  #include <abstractions/base>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability setgid,
  capability setuid,
  capability sys_chroot,

  network inet stream,
  network inet6 stream,

  /usr/lib/dovecot/imap-login mr,
  # presumably the login sockets shared with the master process — confirm
  /{,var/}run/dovecot/login/ r,
  /{,var/}run/dovecot/login/* rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.imap-login>
}
# Last Modified: Wed May 9 19:33:09 2012
#include <tunables/global>

# Profile for dovecot's log process (complain mode: denials are logged,
# not enforced).
/usr/lib/dovecot/log flags=(complain) {
  #include <abstractions/base>

  # deny rules are not logged; this silences the block_suspend request.
  deny capability block_suspend,
  capability setgid,

  /usr/lib/dovecot/log mr,

  # TODO(review): no #include <local/usr.lib.dovecot.log> yet.
}
# Last Modified: Wed May 9 20:23:50 2012
#include <tunables/global>

# Profile for dovecot's managesieve process (complain mode: denials are
# logged, not enforced).
/usr/lib/dovecot/managesieve flags=(complain) {
  #include <abstractions/base>

  /etc/dovecot/** r,
  # ix: doveconf runs inherited under this profile
  /usr/bin/doveconf rix,
  # ix on itself: a re-exec stays inside this profile
  /usr/lib/dovecot/managesieve mrix,

  # TODO(review): no #include <local/usr.lib.dovecot.managesieve> yet.
}
# Author: Dulmandakh Sukhbaatar <dulmand...@gmail.com>
#include <tunables/global>

# Profile for dovecot's managesieve-login process; mirrors imap-login
# (certificate/key abstractions, chroot, login sockets) in this set.
/usr/lib/dovecot/managesieve-login {
  #include <abstractions/base>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability setgid,
  capability setuid,
  capability sys_chroot,

  # NOTE(review): only IPv4 here, while imap-login in this set also has
  # "network inet6 stream" — confirm whether an IPv6 listener is expected.
  network inet stream,

  /usr/lib/dovecot/managesieve-login mr,
  # presumably the login sockets shared with the master process — confirm
  /{,var/}run/dovecot/login/ r,
  /{,var/}run/dovecot/login/* rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.managesieve-login>
}
# Author: Kees Cook <k...@ubuntu.com>
#include <tunables/global>
#include <tunables/dovecot>

# Profile for dovecot's pop3 process. Mailbox locations come from
# @{DOVECOT_MAILSTORE} (tunables/dovecot).
/usr/lib/dovecot/pop3 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setgid,
  capability setuid,

  # @{DOVECOT_MAILSTORE} entries already end in "/"; apparmor_parser is
  # expected to collapse the resulting "//".
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  # TODO(review): the reason for read access on the home directory itself is
  # unrecorded ("???" in the submitted version). AppArmor does not need it
  # for reaching files below @{HOME}, so confirm the process really opens or
  # lists the directory, or drop the rule.
  @{HOME} r,
  /usr/lib/dovecot/pop3 mr,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.pop3>
}
# Author: Kees Cook <k...@ubuntu.com>
#include <tunables/global>

# Profile for dovecot's pop3-login process.
/usr/lib/dovecot/pop3-login {
  #include <abstractions/base>
  # NOTE(review): unlike imap-login and managesieve-login there is no explicit
  # "network ..." rule in this profile; presumably abstractions/nameservice
  # supplies the socket permissions — confirm.
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability setgid,
  capability setuid,
  capability sys_chroot,

  /usr/lib/dovecot/pop3-login mr,
  # presumably the login sockets shared with the master process — confirm
  /{,var/}run/dovecot/login/ r,
  /{,var/}run/dovecot/login/* rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.pop3-login>
}
# Last Modified: Wed May 9 19:33:09 2012
#include <tunables/global>

# Profile for dovecot's ssl-params process (complain mode: denials are
# logged, not enforced).
/usr/lib/dovecot/ssl-params flags=(complain) {
  #include <abstractions/base>

  # deny rules are not logged; this silences the block_suspend request.
  deny capability block_suspend,
  capability setgid,

  /usr/lib/dovecot/ssl-params mr,
  # The .tmp file additionally gets k (lock); presumably it is built there and
  # then moved over ssl-parameters.dat — confirm.
  /var/lib/dovecot/ssl-parameters.dat rw,
  /var/lib/dovecot/ssl-parameters.dat.tmp rwk,

  # TODO(review): no #include <local/usr.lib.dovecot.ssl-params> yet.
}
# Author: Kees Cook <k...@ubuntu.com>
#include <tunables/global>
#include <tunables/dovecot>

# Profile for the dovecot master process. Child services transition to their
# own profiles (Px / Pxmr below); only doveconf, ssl-build-param and a re-exec
# of dovecot itself run inherited (ix) under this profile.
/usr/sbin/dovecot {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  capability chown,
  # NOTE(review): dac_override bypasses file permission checks on every path
  # this profile allows; record why the master needs it before merging.
  capability dac_override,
  capability fsetid,
  # presumably for signalling child services on reload/shutdown — confirm
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # @{DOVECOT_MAILSTORE} entries already end in "/"; apparmor_parser is
  # expected to collapse the resulting "//".
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  /etc/dovecot/** r,
  /etc/mtab r,
  /etc/lsb-release r,
  /etc/SuSE-release r,
  @{PROC}/@{pid}/mounts r,

  # Executables: ix keeps the child in this profile, Px switches it to the
  # profile named after the binary (Pxmr additionally allows mmap/read of it).
  /usr/bin/doveconf rix,
  /usr/lib/dovecot/anvil Px,
  /usr/lib/dovecot/auth Px,
  /usr/lib/dovecot/config Px,
  /usr/lib/dovecot/dovecot-auth Pxmr,
  /usr/lib/dovecot/imap Pxmr,
  /usr/lib/dovecot/imap-login Pxmr,
  /usr/lib/dovecot/log Px,
  /usr/lib/dovecot/managesieve Px,
  /usr/lib/dovecot/managesieve-login Pxmr,
  /usr/lib/dovecot/pop3 Px,
  /usr/lib/dovecot/pop3-login Pxmr,
  /usr/lib/dovecot/ssl-build-param rix,
  /usr/lib/dovecot/ssl-params Px,
  # ix on itself: a re-exec of the master stays in this profile
  /usr/sbin/dovecot mrix,

  /var/lib/dovecot/ w,
  /var/lib/dovecot/* rwkl,
  # NOTE(review): wildcard over the whole Postfix private socket directory;
  # usr.lib.dovecot.dovecot-auth in this set names the single dovecot-auth
  # socket. Narrow this to the listener name(s) configured in dovecot.conf if
  # they are fixed.
  /var/spool/postfix/private/* w,
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
  link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.dovecot>
}