[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot

Christian Boltz apparmor at cboltz.de
Sun Jan 26 20:22:31 UTC 2014


Hello,

On Thursday, 23 January 2014, John Johansen wrote:
> On 01/23/2014 06:37 AM, Christian Boltz wrote:
> > On Thursday, 23 January 2014, John Johansen wrote:
> >> On 01/19/2014 08:58 AM, Christian Boltz wrote:
> >>> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
> >>> and replaces the mail storage location in various dovecot-related
> >>> profiles with this variable.
> >>> 
> >>> It also adds nice copyright headers (I hope I got the bzr log
> >>> right ;-)
> >> 
> >> a few comments inline
> >> 
> >>> === added file 'profiles/apparmor.d/tunables/dovecot'
> >>> --- profiles/apparmor.d/tunables/dovecot	1970-01-01 00:00:00
> >>> +++ profiles/apparmor.d/tunables/dovecot	2014-01-19 16:08:06
> > 
> > ...
> > 
> >>> +# @{DOVECOT_MAILSTORE} is a space-separated list of all
> >>> directories
> >>> +# where dovecot is allowed to store and read mails
> >>> +#
> >>> +# The default value is quite broad to avoid breaking existing
> >>> setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain
> >>> the
> >>> directory +# you use, and remove everything else.
> >>> +
> >>> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
> >>> /var/vmail/ /var/mail/ /var/spool/mail/
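Review bot: the `+# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory you use` comment tells admins to narrow the list but not where to find the value they should keep; pointing them at dovecot's `mail_location` setting (`doveconf mail_location` prints it) in that comment would make the advice actionable, and since the profiles append `/` and `/**` to the variable it is worth saying in the same comment that each entry is written with a trailing slash.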
> >>> 
> >>> 
> >>> 
> >>> 
> >>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> >>> --- profiles/apparmor.d/usr.lib.dovecot.imap	2011-08-26 
23:12:10
> >>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap	2014-01-19
> > 
> > ...
> > 
> >>> -  @{HOME} r,
> >>> -  @{HOME}/Maildir/ rw,
> >>> -  @{HOME}/Maildir/** klrw,
> >>> -  @{HOME}/Mail/ rw,
> >>> -  @{HOME}/Mail/* klrw,
> >>> -  @{HOME}/Mail/.imap/** klrw,
> >>> -  @{HOME}/mail/ rw,
> >>> -  @{HOME}/mail/* klrw,
> >>> -  @{HOME}/mail/.imap/** klrw,
> >>> +  @{DOVECOT_MAILSTORE}/ rw,
> >>> +  @{DOVECOT_MAILSTORE}/** rwkl,
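Review bot: the `-  @{HOME} r,` line at the top of this hunk is removed without a `+` counterpart, so the imap process loses read (directory listing) access to the home directory itself even though the mail store entries still live below @{HOME}; if dovecot needs to enumerate @{HOME} to find Maildir/ or mail/, keep `@{HOME} r,` next to the two @{DOVECOT_MAILSTORE} rules, otherwise a sentence in the commit message on why it is no longer needed would help reviewers.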
> >> 
> >> so this is slightly wider perms than
> >> 
> >>> -  @{HOME}/{m,M}ail/* klrw,
> >>> -  @{HOME}/{m,M}ail/.imap/** klrw,
> >> 
> >> is this what we want?
> > 
> > The idea of @{DOVECOT_MAILSTORE} is to allow the directories that
> > were allowed in the old profile, and getting all profiles in sync
> > so that for example IMAP and POP3 allow access to the same
> > directory.
> > 
> > I know the list got quite long - but that's what you get from
> > checking the current dovecot-related profiles. (Maybe also a
> > location from a bugreport on bnc sneaked in, I'd have to check that
> > ;-)
> > 
> > I'd happily shorten the list to just /var/vmail/, but I'm sure users
> > would kill me for doing it ;-)
> > 
> > The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE}
> > from the dovecot config, but unfortunately that isn't as easy as it
> > looks. (Proposals and scripts welcome ;-)
> 
> Not quite what I meant by widening of the perms (though I would love
> to have the list generated from the config too). The list for
> @{DOVECOT_MAILSTORE} is fine.
> 
> What I meant was that for the case of @{HOME}/mail/ and @{HOME}/Mail/
> we used to have
>   @{HOME}/{m,M}ail/* klrw,
>   @{HOME}/{m,M}ail/.imap/** klrw,
> 
> but we now have
>   @{HOME}/{m,M}ail/** klrw,
> 
> the difference being that we only allowed the recursive ** for the
> .imap dir.
> 
> I just wanted to make sure this widening of permissions was
> intentional

More or less ;-)
I'd call it the price we have to pay to get it configurable in 
@{DOVECOT_MAILSTORE} - which also means permissions for ~/{m,M}ail can 
easily be removed. 

Besides that, only allowing the .imap/** subdirectory doesn't match the 
other allowed directories, especially ~/Maildir/** which we already have 
in the profile.


Regards,

Christian Boltz
-- 
> if ( ! ifdef $root ) { [...] }
ifdef?
Someone has been smoking rolled-up Makefiles...
[> Christian Boltz and Ratti in fontlinge-devel]
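The widening John asks about in the quoted part of the thread (`*` plus `.imap/**` versus a single `**`) can be checked mechanically. The following Python is an added example, not part of the thread and not AppArmor's own tooling: it expands `@{...}` tunables, translates AppArmor path globs into anchored regexes, and lists which sample paths the new `@{DOVECOT_MAILSTORE}/**` rule permits that the old imap rules did not. The tunable values, rule lists and sample paths are constructed from the patch, with `@{HOME}` simplified to `/home/*/`.

```python
import re
# Constructed tunables modelled on the patch (not AppArmor's own files); @{HOME} is
# simplified to /home/*/ (the real tunables/home derives it from @{HOMEDIRS}).
TUNABLES = {"HOME": "/home/*/",
            "DOVECOT_MAILSTORE": "@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ "
                                 "/var/vmail/ /var/mail/ /var/spool/mail/"}
OLD_RULES = ["@{HOME}/Maildir/**", "@{HOME}/{m,M}ail/*",   # imap rules before the patch
             "@{HOME}/{m,M}ail/.imap/**"]                  # (permission letters omitted)
NEW_RULES = ["@{DOVECOT_MAILSTORE}/**"]                    # the replacement rule
VAR_RE = re.compile(r"@\{(\w+)\}")
def expand_vars(path, tunables):
    """Expand @{VAR} references; a space-separated value yields one path per item."""
    m = VAR_RE.search(path)
    if not m:
        return [re.sub(r"/+", "/", path)]  # the parser collapses duplicate slashes
    out = []
    for value in tunables[m.group(1)].split():
        out.extend(expand_vars(path[:m.start()] + value + path[m.end():], tunables))
    return out

def glob_to_regex(glob):
    """AppArmor glob -> anchored regex: '*' stays inside one path component, '**' may
    cross '/', '{a,b}' alternates; a '*' or '**' directly after '/' must match at least
    one character, which is why /dir/** does not cover /dir/ itself."""
    out, i = [], 0
    while i < len(glob):
        c, after_slash = glob[i], (i == 0 or glob[i - 1] == "/")
        if c == "*":
            deep = glob[i + 1:i + 2] == "*"
            body = ".*" if deep else "[^/]*"
            out.append(("[^/]" if after_slash else "") + body)
            i += 2 if deep else 1
        elif c == "{":
            j = glob.index("}", i)
            out.append("(?:" + "|".join(map(re.escape, glob[i + 1:j].split(","))) + ")")
            i = j + 1
        else:
            out.append("[^/]" if c == "?" else re.escape(c))
            i += 1
    return "^" + "".join(out) + "$"

def rule_matches(rule, path, tunables=TUNABLES):
    return any(re.match(glob_to_regex(g), path) for g in expand_vars(rule, tunables))
def widened_paths(paths, old=OLD_RULES, new=NEW_RULES):
    """Paths the new rule set permits that the old one did not."""
    return [p for p in paths if any(rule_matches(r, p) for r in new)
            and not any(rule_matches(r, p) for r in old)]
SAMPLE_PATHS = [  # constructed paths for user alice
    "/home/alice/mail/inbox", "/home/alice/mail/.imap/INBOX/dovecot.index", "/home/alice/mail/",
    "/home/alice/Mail/Sent/cur/1390000000.M1P1.host", "/home/alice/Maildir/cur/1.host", "/var/mail/alice"]
```

`widened_paths(SAMPLE_PATHS)` reports the nested Maildir-style folder under `~/Mail/` and the `/var/mail/` spool entry as newly permitted, while `~/mail/` itself is matched by neither rule set, which is why the separate `@{DOVECOT_MAILSTORE}/ rw,` line is still needed.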