[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot
Christian Boltz
apparmor at cboltz.de
Sun Jan 19 16:58:00 UTC 2014
Hello,
this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE}) and
replaces the mail storage location in various dovecot-related profiles
with this variable.
It also adds nice copyright headers (I hope I got the bzr log right ;-))
=== added file 'profiles/apparmor.d/tunables/dovecot'
--- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06 +0000
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:ft=apparmor
+
+# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
+# where dovecot is allowed to store and read mails
+#
+# The default value is quite broad to avoid breaking existing setups.
+# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
+# you use, and remove everything else.
+
+@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
+
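Review bot: the comment block should say what shape each entry of @{DOVECOT_MAILSTORE} must have. Every default value ends in a trailing slash and the profiles append `/` and `/**` to the variable, so an admin who narrows the list as the comment asks should be told to keep that trailing slash so their entries stay consistent with the defaults. Two nits: the modeline here is `# vim:ft=apparmor` while every profile in this patch uses `# vim: ft=apparmor`; and the header says `Copyright (C) 2013` for a file first added in this 2014 patch, so check the year.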
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver'
--- profiles/apparmor.d/usr.lib.dovecot.deliver 2012-01-06 16:34:44 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-19 16:08:30 +0000
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
+# Copyright (C) 2009-2012 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/deliver {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,20 +21,16 @@
capability setgid,
capability setuid,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
# http://www.postfix.org/SASL_README.html#server_dovecot
/etc/dovecot/dovecot.conf r,
/etc/dovecot/{auth,conf}.d/*.conf r,
- /etc/dovecot/dovecot-postfix.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{HOME} r, # ???
/usr/lib/dovecot/deliver mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.deliver>
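Review bot: the two `# ???` markers on `/etc/dovecot/dovecot-postfix.conf r,` and `@{HOME} r,` read as open questions and should not land in a shipped profile as-is; either drop the rules, keep them with a comment explaining why deliver needs them, or raise the question in the cover letter. Also worth a line in the commit message: the old rules `@{HOME}/mail/* klrw`, `/var/mail/* klrw` and `/var/spool/mail/* klrw` were one level deep, and `@{DOVECOT_MAILSTORE}/** rwkl` replaces them with recursive access plus `rw` on the directories themselves, while the default tunable additionally brings in `@{HOME}/Mail/` and `/var/vmail/`, which this profile never granted before.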
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-auth'
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-01-02 23:34:38 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-19 16:12:08 +0000
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees at ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/dovecot-auth {
#include <abstractions/authentication>
#include <abstractions/base>
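Review bot: `# Author: Kees Cook <kees at ubuntu.com>` is dropped and replaced by `Copyright (C) 2009-2013 Canonical Ltd.` with no individual attribution; since the cover letter says the years were reconstructed from the bzr log, confirm that the copyright holder for those commits really is Canonical rather than the author, and consider keeping the author line next to the copyright line. No `#include <tunables/dovecot>` is added here, which is consistent with the hunk touching no mail-store rules.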
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19 16:08:30 +0000
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees at ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/imap {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,18 +20,11 @@
capability setgid,
capability setuid,
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/Mail/ rw,
- @{HOME}/Mail/* klrw,
- @{HOME}/Mail/.imap/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/imap mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
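Review bot: the `@{HOME} r, # ???` marker carries the same open question as in the deliver profile; resolve it once and apply the answer to all three profiles. Also note the widening: `@{HOME}/Mail/* klrw` and `@{HOME}/mail/* klrw` allowed only the top level of an mbox tree, with `.imap/**` as the sole recursive subtree, while `@{DOVECOT_MAILSTORE}/** rwkl` now covers arbitrarily nested folders under every listed directory. If nested mbox folders are the reason for this, say so in the commit message.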
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2012-04-05 21:51:17 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-19 16:08:30 +0000
@@ -1,4 +1,14 @@
-# Author: Kees Cook <kees at ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/imap-login {
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.managesieve-login'
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2011-07-14 12:57:57 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-19 16:08:30 +0000
@@ -1,4 +1,15 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/managesieve-login {
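Review bot: `Copyright (c) 2009 Dulmandakh Sukhbaatar` uses a lowercase `(c)` while every other header in this patch, including the same author's line in usr.lib.dovecot.deliver, uses `(C)`; make it `(C)` for consistency.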
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
--- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-19 16:08:30 +0000
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees at ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/pop3 {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,13 +20,10 @@
capability setgid,
capability setuid,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
- @{HOME} r,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
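Review bot: this profile previously had no `@{HOME}/Mail/` or `/var/vmail/` rules at all; with the shared default in tunables/dovecot, pop3 now gets rw access to both, and to the former `.imap/**` subtree via `/**`. That is fine if the three mail-facing profiles are meant to share one mail-store definition, but the commit message should state that the tunable's default is the union of what deliver, imap and pop3 allowed plus `/var/vmail/`, so distro maintainers know pop3's reach grew. The `# ???` on `@{HOME} r,` needs the same resolution as in the other profiles.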
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3-login'
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2011-07-14 12:57:57 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-19 16:08:30 +0000
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees at ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/pop3-login {
#include <abstractions/base>
#include <abstractions/nameservice>
Regards,
Christian Boltz
--
[SuSE 8.2] Package management via YaST2 is finally reasonably usable too: you can set a package to a permanent "taboo" and, here comes the surprise, it _really_ doesn't overwrite it! ;-)
[René Matthäi in suse-linux]