[apparmor] [patch 2/3] dovecot profiles: add profiles for new dovecot 2.x binaries
John Johansen
john.johansen at canonical.com
Thu Jan 23 12:18:55 UTC 2014
On 01/19/2014 08:58 AM, Christian Boltz wrote:
> Hello,
>
> dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
> This patch adds profiles for
>
> /usr/lib/dovecot/anvil
> /usr/lib/dovecot/auth
> /usr/lib/dovecot/config
> /usr/lib/dovecot/dict
> /usr/lib/dovecot/dovecot-lda
> /usr/lib/dovecot/lmtp
> /usr/lib/dovecot/log
> /usr/lib/dovecot/managesieve
> /usr/lib/dovecot/ssl-params
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=851984
Ugh, that's quite the list. It all looks good to me.
Acked-by: John Johansen <john.johansen at canonical.com>
>
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.anvil'
> --- profiles/apparmor.d/usr.lib.dovecot.anvil 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.anvil 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,25 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/anvil {
> + #include <abstractions/base>
> +
> + capability setgid,
> + capability setuid,
> + capability sys_chroot,
> +
> + /usr/lib/dovecot/anvil mr,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.anvil>
> +}
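Review bot: `capability sys_chroot,` in the anvil profile is granted without a comment saying what the chroot is used for, whereas the other non-obvious rule in this series (the kerberos replay cache in the auth profile) does get one. A one-line comment above the capability would keep the grant reviewable later; it is also worth noting in that comment that, apart from the `abstractions/base` include, the process gets nothing beyond `mr` on its own binary, so any file access it needs after chrooting must come through `local/usr.lib.dovecot.anvil`.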
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.auth'
> --- profiles/apparmor.d/usr.lib.dovecot.auth 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,38 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/auth {
> + #include <abstractions/authentication>
> + #include <abstractions/base>
> + #include <abstractions/mysql>
> + #include <abstractions/nameservice>
> +
> + deny capability block_suspend,
> +
> + capability audit_write,
> + capability setgid,
> + capability setuid,
> +
> + /etc/dovecot/dovecot-database.conf.ext r,
> + /etc/dovecot/dovecot-sql.conf.ext r,
> + /usr/lib/dovecot/auth mr,
> +
> + # kerberos replay cache
> + /var/tmp/imap_* rw,
> + /var/tmp/pop_* rw,
> + /var/tmp/sieve_* rw,
> + /var/tmp/smtp_* rw,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.auth>
> +}
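Review bot: the replay cache rules `/var/tmp/imap_* rw,` through `/var/tmp/smtp_* rw,` grant write access to any file matching those globs in a world-writable directory, regardless of who owns it. Prefixing them with `owner` (e.g. `owner /var/tmp/imap_* rw,`) limits the auth process to files it owns, which is all a replay cache needs, and removes the ability to overwrite someone else's file with a matching name. Separately, `deny capability block_suspend,` appears in five of the nine profiles with no explanation; a short comment that it is there to keep the denial out of the audit log rather than to express a policy choice would help the next reader.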
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.config'
> --- profiles/apparmor.d/usr.lib.dovecot.config 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.config 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,32 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/config {
> + #include <abstractions/base>
> + #include <abstractions/nameservice>
> + #include <abstractions/ssl_keys>
> +
> + deny capability block_suspend,
> +
> + capability dac_override,
> + capability setgid,
> +
> +
> + /etc/dovecot/** r,
> + /usr/bin/doveconf rix,
> + /usr/lib/dovecot/config mr,
> + /usr/lib/dovecot/managesieve Px,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.config>
> +}
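Review bot: `capability dac_override,` is granted with no comment, and nothing visible in the profile needs it: the only file rules beyond the abstractions are `/etc/dovecot/** r,`, `/usr/bin/doveconf rix,`, `/usr/lib/dovecot/config mr,` and the `Px` transition to managesieve. If the config process really must read root-only files while running under another uid, record that next to the capability; if not, dropping it keeps the config parser from bypassing file permissions on anything its abstractions reach. Style nit: there are two consecutive blank lines between `capability setgid,` and `/etc/dovecot/** r,`.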
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.dict'
> --- profiles/apparmor.d/usr.lib.dovecot.dict 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,31 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/dict {
> + #include <abstractions/base>
> + #include <abstractions/mysql>
> +
> + capability setgid,
> + capability setuid,
> +
> + network inet stream,
> +
> + /etc/dovecot/dovecot-database.conf.ext r,
> + /etc/dovecot/dovecot-dict-sql.conf.ext r,
> + /etc/nsswitch.conf r,
> + /etc/services r,
> + /usr/lib/dovecot/dict mr,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.dict>
> +}
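Review bot: `network inet stream,` covers IPv4 only; there is no matching `network inet6 stream,`, so a dict backend reached over an IPv6 address would be denied. If that is deliberate a comment would help, otherwise add the inet6 line. Also, this profile lists `/etc/nsswitch.conf r,` and `/etc/services r,` by hand instead of including `abstractions/nameservice` as the auth and config profiles do; that is a defensible tighter choice, but a comment saying so would stop a later contributor from "fixing" the inconsistency.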
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-lda'
> --- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,33 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +#include <tunables/dovecot>
> +
> +/usr/lib/dovecot/dovecot-lda {
> + #include <abstractions/base>
> + #include <abstractions/nameservice>
> +
> + capability setgid,
> + capability setuid,
> +
> + @{DOVECOT_MAILSTORE}/ rw,
> + @{DOVECOT_MAILSTORE}/** rwkl,
> +
> + /etc/dovecot/** r,
> + /proc/*/mounts r,
> + /{var/,}run/dovecot/mounts r,
> + /usr/bin/doveconf mrix,
> + /usr/lib/dovecot/dovecot-lda mrix,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.dovecot-lda>
> +}
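Review bot: execute permissions are inconsistent across the series: `/usr/bin/doveconf mrix,` here versus `/usr/bin/doveconf rix,` in the config and managesieve profiles. Pick one form (`m` is only needed if the file is mapped executable, so `rix` is enough for a child exec) so the profiles diff cleanly against each other. On substance, `@{DOVECOT_MAILSTORE}/** rwkl,` grants link (`l`) across the whole mail store; Maildir delivery does rely on rename and on hard links for copies, so this is expected, but a comment saying so would pre-empt the question of why the LDA may create links.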
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
> --- profiles/apparmor.d/usr.lib.dovecot.lmtp 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,35 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +#include <tunables/dovecot>
> +
> +/usr/lib/dovecot/lmtp {
> + #include <abstractions/base>
> +
> + deny capability block_suspend,
> +
> + capability dac_override,
> + capability setgid,
> + capability setuid,
> +
> + @{DOVECOT_MAILSTORE}/ rw,
> + @{DOVECOT_MAILSTORE}/** rwkl,
> +
> + /etc/resolv.conf r,
> + /proc/*/mounts r,
> + /tmp/dovecot.lmtp.* rw,
> + /usr/lib/dovecot/lmtp mr,
> + /{var/,}run/dovecot/mounts r,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.lmtp>
> +}
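Review bot: `/tmp/dovecot.lmtp.* rw,` has the same weakness as the replay cache rules in the auth profile: /tmp is world-writable and the glob is not limited to files the lmtp process owns, so `owner /tmp/dovecot.lmtp.* rw,` is the safer form. This profile also reads `/etc/resolv.conf r,` directly rather than including `abstractions/nameservice`; if lmtp resolves hostnames it will need more than resolv.conf, so either include the abstraction or add a comment explaining why that single file is sufficient.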
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.log'
> --- profiles/apparmor.d/usr.lib.dovecot.log 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.log 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,25 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/log {
> + #include <abstractions/base>
> +
> + deny capability block_suspend,
> +
> + capability setgid,
> +
> + /usr/lib/dovecot/log mr,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.log>
> +}
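Review bot: the log profile grants no write access beyond what `abstractions/base` provides, so it only works while Dovecot logs through syslog. If `log_path` or `info_log_path` in dovecot.conf point at files, every write will be denied and the admin has to find the `local/usr.lib.dovecot.log` override on their own. A comment in the profile stating that file logging needs a rule in the local include, ideally with a commented-out example rule, would save that debugging round.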
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.managesieve'
> --- profiles/apparmor.d/usr.lib.dovecot.managesieve 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.managesieve 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,23 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/managesieve {
> + #include <abstractions/base>
> +
> + /etc/dovecot/** r,
> + /usr/bin/doveconf rix,
> + /usr/lib/dovecot/managesieve mrix,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.managesieve>
> +}
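Review bot: `/etc/dovecot/** r,` lets the managesieve process read the whole config tree, including `dovecot-sql.conf.ext`, which the auth profile names explicitly and which normally holds database credentials. AppArmor can only narrow DAC, so the file permissions on those files remain the real control, but if managesieve only needs what `/usr/bin/doveconf rix,` produces, a narrower rule set would document that. Also, unlike every other profile in this series, this one carries no capability lines at all, not even the `deny capability block_suspend,` seen elsewhere; fine if none are needed, but a comment would confirm it was checked rather than forgotten.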
>
> === added file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params'
> --- profiles/apparmor.d/usr.lib.dovecot.ssl-params 1970-01-01 00:00:00 +0000
> +++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-01-19 16:08:30 +0000
> @@ -0,0 +1,27 @@
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2013 Christian Boltz
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +# vim: ft=apparmor
> +
> +#include <tunables/global>
> +
> +/usr/lib/dovecot/ssl-params {
> + #include <abstractions/base>
> +
> + deny capability block_suspend,
> +
> + capability setgid,
> +
> + /usr/lib/dovecot/ssl-params mr,
> + /var/lib/dovecot/ssl-parameters.dat rw,
> + /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
> +
> + # Site-specific additions and overrides. See local/README for details.
> + #include <local/usr.lib.dovecot.ssl-params>
> +}
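Review bot: the write-then-rename pattern is implied by `/var/lib/dovecot/ssl-parameters.dat rw,` and `/var/lib/dovecot/ssl-parameters.dat.tmp rwk,` but not documented. A comment that the parameters are generated into the `.tmp` file under a lock and then moved over the `.dat` file would explain why `k` appears only on the temporary file and why both paths need `w`. As in the other profiles, `deny capability block_suspend,` could carry a one-line reason.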
>
>
> Regards,
>
> Christian Boltz
>