[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot

John Johansen john.johansen at canonical.com
Thu Jan 23 14:45:03 UTC 2014


On 01/23/2014 06:37 AM, Christian Boltz wrote:
> Hello,
> 
> Am Donnerstag, 23. Januar 2014 schrieb John Johansen:
>> On 01/19/2014 08:58 AM, Christian Boltz wrote:
>>> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
>>> and replaces the mail storage location in various dovecot-related
>>> profiles with this variable.
>>>
>>> It also adds nice copyright headers (I hope I got the bzr log right
>>> ;-)
>> a few comments inline
>>
>>> === added file 'profiles/apparmor.d/tunables/dovecot'
>>> --- profiles/apparmor.d/tunables/dovecot	1970-01-01 00:00:00 +0000
>>> +++ profiles/apparmor.d/tunables/dovecot	2014-01-19 16:08:06
> ...
>>> +# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
>>> +# where dovecot is allowed to store and read mails
>>> +#
>>> +# The default value is quite broad to avoid breaking existing
>>> setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain the
>>> directory +# you use, and remove everything else.
>>> +
>>> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
>>> /var/vmail/ /var/mail/ /var/spool/mail/
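Review bot: the comment tells the admin to trim the list but not what an unused entry costs. In the profiles of this series every listed path gets `rw` on the directory and `rwkl` on everything below it, so a `/var/vmail/`-only site still carries write access to every user's `@{HOME}/Maildir/`, `@{HOME}/mail/` and `@{HOME}/Mail/` until someone edits this file. State that in the comment, and consider building the value with one `@{DOVECOT_MAILSTORE}+=...` line per location so a packager or admin can drop a single entry without retyping the whole assignment.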
> 
>>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
>>> --- profiles/apparmor.d/usr.lib.dovecot.imap	2011-08-26 23:12:10
>>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap	2014-01-19
> ...
>>> -  @{HOME} r,
>>> -  @{HOME}/Maildir/ rw,
>>> -  @{HOME}/Maildir/** klrw,
>>> -  @{HOME}/Mail/ rw,
>>> -  @{HOME}/Mail/* klrw,
>>> -  @{HOME}/Mail/.imap/** klrw,
>>> -  @{HOME}/mail/ rw,
>>> -  @{HOME}/mail/* klrw,
>>> -  @{HOME}/mail/.imap/** klrw,
>>> +  @{DOVECOT_MAILSTORE}/ rw,
>>> +  @{DOVECOT_MAILSTORE}/** rwkl,
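Review bot: the two replacement rules merge locations of different shape. The Maildir entries need the recursive `**` (cur/new/tmp plus folder subdirectories), whereas `-  @{HOME}/Mail/* klrw,` and `-  @{HOME}/mail/* klrw,` were deliberately single-level with only `.imap/**` recursive. Forcing both through one variable makes `**` apply to all of them, so any subdirectory a user creates under `@{HOME}/mail/` or `@{HOME}/Mail/` becomes writable by the imap process. If that is intended, record it in the commit message; otherwise split the tunable into a recursive Maildir list and a single-level mbox list with `/* rwkl,` and `/.imap/** rwkl,` rules.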
>>
>> so this is slightly wider perms than
>>
>>> -  @{HOME}/{m,M}ail/* klrw,
>>> -  @{HOME}/{m,M}ail/.imap/** klrw,
>>
>> is this what we want?
> 
> The idea of @{DOVECOT_MAILSTORE} is to allow the directories that were
> allowed in the old profile, and to get all profiles in sync so that for
> example IMAP and POP3 allow access to the same directory.
> 
> I know the list got quite long - but that's what you get from checking
> the current dovecot-related profiles. (Maybe also a location from a
> bug report on bnc sneaked in, I'd have to check that ;-)
> 
> I'd happily shorten the list to just /var/vmail/, but I'm sure users 
> would kill me for doing it ;-)
> 
> The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE} from 
> the dovecot config, but unfortunately that isn't as easy as it looks. 
> (Proposals and scripts welcome ;-)
> 
> 
Not quite what I meant by widening of the perms (though I would love to
have the list generated from the config too). The list for
@{DOVECOT_MAILSTORE} is fine.

What I meant was that for the case of @{HOME}/mail/ and @{HOME}/Mail/ we
used to have
  @{HOME}/{m,M}ail/* klrw,
  @{HOME}/{m,M}ail/.imap/** klrw,

but we now have
  @{HOME}/{m,M}ail/** klrw,

the difference being that we only allowed the recursive ** for the .imap
dir.

I just wanted to make sure this widening of permissions was intentional.



>>> +  @{HOME} r, # ???
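Review bot: `+  @{HOME} r, # ???` puts an open question into the installed profile. The same rule is removed earlier in this hunk (`-  @{HOME} r,`) and re-added here, so the net change is only the comment; either keep the rule with a comment that says why it is needed, or leave it uncommented and track the question in the commit message or a bug, but do not ship `# ???` to administrators.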
>>
>> why the ???, not sure if this rule is required
> 
> above, you'll find
>     > > -  @{HOME} r,
> 
> I'm also not sure if it's required (that's why I added "???"), but
> wanted to keep it for backwards compatibility (there must be a reason why
> it's there ;-)
> 
> (If you are sure we can remove it, this should be a separate patch 
> titled "break the profile" or so ;-)
> 
>>>    /usr/lib/dovecot/imap mr,
>>>
>>> -  /var/mail/* klrw,
>>> -  /var/spool/mail/* klrw,
>>
>> again a slight widening of permissions
> 
> Yes, see above.
> 
>>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.pop3'
>>> --- profiles/apparmor.d/usr.lib.dovecot.pop3	2011-08-26 23:12:10
>>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.pop3	2014-01-19
>>> 16:08:30 +0000 @@ -1,6 +1,18 @@
> ...
>>> -  @{HOME} r,
>>> -  @{HOME}/mail/* klrw,
>>> -  @{HOME}/mail/.imap/** klrw,
>>> -  @{HOME}/Maildir/ rw,
>>> -  @{HOME}/Maildir/** klrw,
>>> +  @{DOVECOT_MAILSTORE}/ rw,
>>> +  @{DOVECOT_MAILSTORE}/** rwkl,
>>> +
>>> +  @{HOME} r, # ???
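Review bot: the removed lines show the pop3 profile only ever reached `@{HOME}/mail/`, `@{HOME}/mail/.imap/` and `@{HOME}/Maildir/`; switching to `@{DOVECOT_MAILSTORE}` also grants it `@{HOME}/Mail/`, `/var/vmail/`, `/var/mail/` and `/var/spool/mail/` from the tunable, on top of the same `*` to `**` widening as in the imap profile. The commit message describes replacing paths with a variable; it should say that pop3 gains locations it did not have before, since that is the policy change anyone reading the profile history will look for.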
>>
>> again the change in allowed permissions
> 
> again see above ;-)
> 
> 
> Regards,
> 
> Christian Boltz
> 