[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot
John Johansen
john.johansen at canonical.com
Thu Jan 23 12:14:20 UTC 2014
On 01/19/2014 08:58 AM, Christian Boltz wrote:
> Hello,
>
> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE}) and
> replaces the mail storage location in various dovecot-related profiles
> with this variable.
>
> It also adds nice copyright headers (I hope I got the bzr log right ;-)
>
a few comments inline
>
>
> === added file 'profiles/apparmor.d/tunables/dovecot'
> --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06 +0000
> @@ -0,0 +1,20 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim:ft=apparmor
> +
> +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
> +# where dovecot is allowed to store and read mails
> +#
> +# The default value is quite broad to avoid breaking existing setups.
> +# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
> +# you use, and remove everything else.
> +
> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
> +
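Review bot: The comment block above `@{DOVECOT_MAILSTORE}=` describes the variable as a list of directories but does not say how the profiles consume it: in the deliver, imap and pop3 hunks of this patch every entry receives `@{DOVECOT_MAILSTORE}/ rw,` on the directory itself and `@{DOVECOT_MAILSTORE}/** rwkl,` on everything beneath it, so any path an admin adds here becomes recursively writable and linkable for all three programs. Suggest extending the comment with `# Each directory listed here gets rw on the directory and rwkl on everything below it in the dovecot profiles, so list only the actual mail storage roots.` The default also introduces `/var/vmail/`, which none of the rules removed in the other hunks of this patch granted before; a sentence in the comment or the commit message explaining why it belongs in the default would help reviewers and packagers judge the change.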
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.deliver'
> --- profiles/apparmor.d/usr.lib.dovecot.deliver 2012-01-06 16:34:44 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-19 16:08:30 +0000
> @@ -1,6 +1,19 @@
> -# Author: Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
> +# Copyright (C) 2009-2012 Canonical Ltd.
> +# Copyright (C) 2011-2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> +#include <tunables/dovecot>
> +
> /usr/lib/dovecot/deliver {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> @@ -8,20 +21,16 @@
> capability setgid,
> capability setuid,
>
> + @{DOVECOT_MAILSTORE}/ rw,
> + @{DOVECOT_MAILSTORE}/** rwkl,
> +
> # http://www.postfix.org/SASL_README.html#server_dovecot
> /etc/dovecot/dovecot.conf r,
> /etc/dovecot/{auth,conf}.d/*.conf r,
> - /etc/dovecot/dovecot-postfix.conf r,
> + /etc/dovecot/dovecot-postfix.conf r, # ???
>
> - @{HOME} r,
> - @{HOME}/Maildir/ rw,
> - @{HOME}/Maildir/** klrw,
> - @{HOME}/mail/ rw,
> - @{HOME}/mail/* klrw,
> - @{HOME}/mail/.imap/** klrw,
> + @{HOME} r, # ???
> /usr/lib/dovecot/deliver mr,
> - /var/mail/* klrw,
> - /var/spool/mail/* klrw,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.deliver>
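Review bot: The `/etc/dovecot/dovecot-postfix.conf r, # ???` line is touched only to append a bare `# ???` marker, and the same marker lands on `@{HOME} r, # ???` further down in this hunk and again in the imap and pop3 hunks; a shipped profile should not carry an unexplained question mark as a comment. Either leave the dovecot-postfix.conf line out of this patch or state the open question in place, e.g. `# TODO: confirm whether deliver still needs dovecot-postfix.conf` so that whoever resolves it knows what to check. The `/usr/lib/dovecot/deliver {` block this hunk modifies begins outside the hunk.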
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-auth'
> --- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-01-02 23:34:38 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-19 16:12:08 +0000
> @@ -1,6 +1,17 @@
> -# Author: Kees Cook <kees at ubuntu.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009-2013 Canonical Ltd.
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> +
> /usr/lib/dovecot/dovecot-auth {
> #include <abstractions/authentication>
> #include <abstractions/base>
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19 16:08:30 +0000
> @@ -1,6 +1,18 @@
> -# Author: Kees Cook <kees at ubuntu.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009-2010 Canonical Ltd.
> +# Copyright (C) 2011-2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> +#include <tunables/dovecot>
> +
> /usr/lib/dovecot/imap {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> @@ -8,18 +20,11 @@
> capability setgid,
> capability setuid,
>
> - @{HOME} r,
> - @{HOME}/Maildir/ rw,
> - @{HOME}/Maildir/** klrw,
> - @{HOME}/Mail/ rw,
> - @{HOME}/Mail/* klrw,
> - @{HOME}/Mail/.imap/** klrw,
> - @{HOME}/mail/ rw,
> - @{HOME}/mail/* klrw,
> - @{HOME}/mail/.imap/** klrw,
> + @{DOVECOT_MAILSTORE}/ rw,
> + @{DOVECOT_MAILSTORE}/** rwkl,
so this grants slightly wider permissions than
> - @{HOME}/{m,M}ail/* klrw,
> - @{HOME}/{m,M}ail/.imap/** klrw,
is this what we want?
> +
> + @{HOME} r, # ???
why the ??? marker? I'm not sure this rule is required
> /usr/lib/dovecot/imap mr,
> - /var/mail/* klrw,
> - /var/spool/mail/* klrw,
>
again a slight widening of permissions
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.lib.dovecot.imap>
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
> --- profiles/apparmor.d/usr.lib.dovecot.imap-login 2012-04-05 21:51:17 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-19 16:08:30 +0000
> @@ -1,4 +1,14 @@
> -# Author: Kees Cook <kees at ubuntu.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009-2011 Canonical Ltd.
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> /usr/lib/dovecot/imap-login {
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.managesieve-login'
> --- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-19 16:08:30 +0000
> @@ -1,4 +1,15 @@
> -# Author: Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
> +# Copyright (C) 2009-2011 Canonical Ltd.
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> /usr/lib/dovecot/managesieve-login {
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
> --- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-19 16:08:30 +0000
> @@ -1,6 +1,18 @@
> -# Author: Kees Cook <kees at ubuntu.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009-2010 Canonical Ltd.
> +# Copyright (C) 2011-2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> +#include <tunables/dovecot>
> +
> /usr/lib/dovecot/pop3 {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> @@ -8,13 +20,10 @@
> capability setgid,
> capability setuid,
>
> - /var/mail/* klrw,
> - /var/spool/mail/* klrw,
> - @{HOME} r,
> - @{HOME}/mail/* klrw,
> - @{HOME}/mail/.imap/** klrw,
> - @{HOME}/Maildir/ rw,
> - @{HOME}/Maildir/** klrw,
> + @{DOVECOT_MAILSTORE}/ rw,
> + @{DOVECOT_MAILSTORE}/** rwkl,
> +
> + @{HOME} r, # ???
again the change in allowed permissions
> /usr/lib/dovecot/pop3 mr,
>
> # Site-specific additions and overrides. See local/README for details.
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3-login'
> --- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-19 16:08:30 +0000
> @@ -1,6 +1,17 @@
> -# Author: Kees Cook <kees at ubuntu.com>
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2009-2011 Canonical Ltd.
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
>
> #include <tunables/global>
> +
> /usr/lib/dovecot/pop3-login {
> #include <abstractions/base>
> #include <abstractions/nameservice>
>
>
>
> Regards,
>
> Christian Boltz
>