[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot
John Johansen
john.johansen at canonical.com
Thu Jan 23 14:45:03 UTC 2014
On 01/23/2014 06:37 AM, Christian Boltz wrote:
> Hello,
>
> On Thursday, 23 January 2014, John Johansen wrote:
>> On 01/19/2014 08:58 AM, Christian Boltz wrote:
>>> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
>>> and replaces the mail storage location in various dovecot-related
>>> profiles with this variable.
>>>
>>> It also adds nice copyright headers (I hope I got the bzr log right
>>> ;-)
>> a few comments inline
>>
>>> === added file 'profiles/apparmor.d/tunables/dovecot'
>>> --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00 +0000
>>> +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06
> ...
>>> +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
>>> +# where dovecot is allowed to store and read mails
>>> +#
>>> +# The default value is quite broad to avoid breaking existing
>>> setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain the
>>> directory +# you use, and remove everything else.
>>> +
>>> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
>>> /var/vmail/ /var/mail/ /var/spool/mail/
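Review bot: every value in @{DOVECOT_MAILSTORE} already ends with a slash, yet the profile rules that consume it append another one (`@{DOVECOT_MAILSTORE}/ rw,` and `@{DOVECOT_MAILSTORE}/** rwkl,`), so the expansion reads `@{HOME}/Maildir//` and `/var/vmail//**`. Either drop the trailing slashes from the values or state in the comment that the trailing slash is optional, so an admin who narrows the list as the comment asks does not have to guess the convention. The comment should also point out that the `@{HOME}/...` entries expand to every user's home directory, so the grant is not limited to the user whose mailbox a given process is serving; that is the real reason to trim the list down to the one location in use.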
>
>>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
>>> --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26 23:12:10
>>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19
> ...
>>> - @{HOME} r,
>>> - @{HOME}/Maildir/ rw,
>>> - @{HOME}/Maildir/** klrw,
>>> - @{HOME}/Mail/ rw,
>>> - @{HOME}/Mail/* klrw,
>>> - @{HOME}/Mail/.imap/** klrw,
>>> - @{HOME}/mail/ rw,
>>> - @{HOME}/mail/* klrw,
>>> - @{HOME}/mail/.imap/** klrw,
>>> + @{DOVECOT_MAILSTORE}/ rw,
>>> + @{DOVECOT_MAILSTORE}/** rwkl,
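Review bot: `@{DOVECOT_MAILSTORE}/** rwkl,` is broader than the removed rules for `@{HOME}/mail/` and `@{HOME}/Mail/`, where only the immediate entries (`@{HOME}/{m,M}ail/* klrw,`) and the `.imap/**` subtree were recursive; after this hunk any depth under `~/mail` and `~/Mail` is readable, writable, lockable and linkable. If that widening is intended for the sake of keeping imap and pop3 in sync, say so in the commit message; otherwise keep a separate non-recursive rule for the mbox-style folders and reserve `**` for `.imap/` and the Maildir locations.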
>>
>> so this is slightly wider perms than
>>
>>> - @{HOME}/{m,M}ail/* klrw,
>>> - @{HOME}/{m,M}ail/.imap/** klrw,
>>
>> is this what we want?
>
> The idea of @{DOVECOT_MAILSTORE} is to allow the directories that were
> allowed in the old profile, and getting all profiles in sync so that for
> example IMAP and POP3 allow access to the same directory.
>
> I know the list got quite long - but that's what you get from checking
> the current dovecot-related profiles. (Maybe also a location from a
> bugreport on bnc sneaked in, I'd have to check that ;-)
>
> I'd happily shorten the list to just /var/vmail/, but I'm sure users
> would kill me for doing it ;-)
>
> The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE} from
> the dovecot config, but unfortunately that isn't as easy as it looks.
> (Proposals and scripts welcome ;-)
>
>
Not quite what I meant by widening of the perms (though I would love to
have the list generated from the config too). The list for
@{DOVECOT_MAILSTORE} is fine.
What I meant was that for the case of @{HOME}/mail/ and @{HOME}/Mail/ we
used to have
@{HOME}/{m,M}ail/* klrw,
@{HOME}/{m,M}ail/.imap/** klrw,
but we now have
@{HOME}/{m,M}ail/** klrw,
the difference being that we only allowed the recursive ** for the .imap
dir.
I just wanted to make sure this widening of permissions was intentional.
>>> + @{HOME} r, # ???
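Review bot: a `# ???` marker should not land in a shipped profile. Replace it with a comment that says what the `r` on @{HOME} is needed for (or cites the bzr revision that introduced it), or drop the rule in a separate patch once someone can confirm it is unused; the same marker is added to the pop3 profile further down.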
>>
>> why the ???, not sure if this rule is required
>
> above, you'll find
> > > - @{HOME} r,
>
> I'm also not sure if it's required (that's why I added "???"), but
> wanted to keep it for backwards compatibility (there must be a reason why
> it's there ;-)
>
> (If you are sure we can remove it, this should be a separate patch
> titled "break the profile" or so ;-)
>
>>> /usr/lib/dovecot/imap mr,
>>>
>>> - /var/mail/* klrw,
>>> - /var/spool/mail/* klrw,
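Review bot: the removed `/var/mail/* klrw,` and `/var/spool/mail/* klrw,` granted access only to the entries directly under the spool directories, never to the directories themselves. With `/var/mail/` and `/var/spool/mail/` now in @{DOVECOT_MAILSTORE}, the `@{DOVECOT_MAILSTORE}/ rw,` rule earlier in this file gives imap write on the spool directories (creating and unlinking spool files), and `/**` makes the grant recursive. If only per-user mbox files are meant, a `/var/{,spool/}mail/* klrw,` rule kept alongside the variable would preserve the old scope; either way the change deserves a sentence in the commit message.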
>>
>> again a slight widening of permissions
>
> Yes, see above.
>
>>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
>>> --- profiles/apparmor.d/usr.lib.dovecot.pop3 2011-08-26 23:12:10
>>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-19
>>> 16:08:30 +0000 @@ -1,6 +1,18 @@
> ...
>>> - @{HOME} r,
>>> - @{HOME}/mail/* klrw,
>>> - @{HOME}/mail/.imap/** klrw,
>>> - @{HOME}/Maildir/ rw,
>>> - @{HOME}/Maildir/** klrw,
>>> + @{DOVECOT_MAILSTORE}/ rw,
>>> + @{DOVECOT_MAILSTORE}/** rwkl,
>>> +
>>> + @{HOME} r, # ???
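Review bot: as far as the quoted lines show, the old pop3 rules covered only `@{HOME}/mail/`, `@{HOME}/mail/.imap/` and `@{HOME}/Maildir/`, while the shared tunable also brings in `@{HOME}/Mail/`, `/var/vmail/`, `/var/mail/` and `/var/spool/mail/` (unless lines elided by the `...` above removed them), all of it recursive and with directory write. pop3 therefore gains locations it did not have before, not just the same widening as imap. If aligning pop3 with imap is the goal, the commit message should say so; otherwise a narrower pop3-specific list is the safer default.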
>>
>> again the change in allowed permissions
>
> again see above ;-)
>
>
> Regards,
>
> Christian Boltz
>