[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot
Christian Boltz
apparmor at cboltz.de
Sun Jan 26 20:22:31 UTC 2014
Hello,
On Thursday, 23 January 2014, John Johansen wrote:
> On 01/23/2014 06:37 AM, Christian Boltz wrote:
> > On Thursday, 23 January 2014, John Johansen wrote:
> >> On 01/19/2014 08:58 AM, Christian Boltz wrote:
> >>> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
> >>> and replaces the mail storage location in various dovecot-related
> >>> profiles with this variable.
> >>>
> >>> It also adds nice copyright headers (I hope I got the bzr log right ;-)
> >>
> >> a few comments inline
> >>
> >>> === added file 'profiles/apparmor.d/tunables/dovecot'
> >>> --- profiles/apparmor.d/tunables/dovecot 1970-01-01 00:00:00
> >>> +++ profiles/apparmor.d/tunables/dovecot 2014-01-19 16:08:06
> >
> > ...
> >
> >>> +# @{DOVECOT_MAILSTORE} is a space-separated list of all
> >>> directories
> >>> +# where dovecot is allowed to store and read mails
> >>> +#
> >>> +# The default value is quite broad to avoid breaking existing
> >>> setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain
> >>> the
> >>> directory +# you use, and remove everything else.
> >>> +
> >>> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
> >>> /var/vmail/ /var/mail/ /var/spool/mail/
> >>>
> >>>
> >>>
> >>>
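Review bot: the header comment asks admins to narrow @{DOVECOT_MAILSTORE} to the directory they actually use, but shows no narrowed form; a commented-out line right below the default, e.g. `#@{DOVECOT_MAILSTORE}=/var/vmail/`, would make the expected syntax (one assignment, space-separated values, trailing slash as in the @{HOME} tunable) unambiguous for people editing it by hand. Also note that every value here ends in `/` and the consuming rules append another (`@{DOVECOT_MAILSTORE}/ rw,`, `@{DOVECOT_MAILSTORE}/** rwkl,`), so each expansion contains `//`; the parser collapses repeated slashes, so this is fine, but it is worth stating in the comment so nobody "fixes" it in one place and not the other.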
> >>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
> >>> --- profiles/apparmor.d/usr.lib.dovecot.imap 2011-08-26
23:12:10
> >>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-19
> >
> > ...
> >
> >>> - @{HOME} r,
> >>> - @{HOME}/Maildir/ rw,
> >>> - @{HOME}/Maildir/** klrw,
> >>> - @{HOME}/Mail/ rw,
> >>> - @{HOME}/Mail/* klrw,
> >>> - @{HOME}/Mail/.imap/** klrw,
> >>> - @{HOME}/mail/ rw,
> >>> - @{HOME}/mail/* klrw,
> >>> - @{HOME}/mail/.imap/** klrw,
> >>> + @{DOVECOT_MAILSTORE}/ rw,
> >>> + @{DOVECOT_MAILSTORE}/** rwkl,
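Review bot: `- @{HOME} r,` is removed without a visible replacement, and neither added rule matches the home directory itself: `@{DOVECOT_MAILSTORE}/` only matches the store directories below it (e.g. `@{HOME}/Maildir/`). If imap still needs to stat or list `@{HOME}` when resolving a home-relative mail location, that line should stay, unless the grant moved into the elided context; either way the commit message should say so. The same goes for the `*` to `**` change under `@{HOME}/{m,M}ail/`: a one-line note that the recursive grant is now intentional would save the next reviewer the question.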
> >>
> >> so this is slightly wider perms than
> >>
> >>> - @{HOME}/{m,M}ail/* klrw,
> >>> - @{HOME}/{m,M}ail/.imap/** klrw,
> >>
> >> is this what we want?
> >
> > The idea of @{DOVECOT_MAILSTORE} is to allow the directories that
> > were allowed in the old profile, and getting all profiles in sync
> > so that for example IMAP and POP3 allow access to the same
> > directory.
> >
> > I know the list got quite long - but that's what you get from
> > checking the current dovecot-related profiles. (Maybe also a
> > location from a bugreport on bnc sneaked in, I'd have to check that
> > ;-)
> >
> > I'd happily shorten the list to just /var/vmail/, but I'm sure users
> > would kill me for doing it ;-)
> >
> > The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE}
> > from the dovecot config, but unfortunately that isn't as easy as it
> > looks. (Proposals and scripts welcome ;-)
>
> Not quite what I meant by widening of the perms (though I would love
> to have the list generated from the config too). The list for
> @{DOVECOT_MAILSTORE} is fine.
>
> What I meant was that for the case of @{HOME}/mail/ and @{HOME}/Mail/
> we used to have
> @{HOME}/{m,M}ail/* klrw,
> @{HOME}/{m,M}ail/.imap/** klrw,
>
> but we now have
> @{HOME}/{m,M}ail/** klrw,
>
> the difference being that we only allowed the recursive ** for the
> .imap dir.
>
> I just wanted to make sure this widening of permissions was
> intentional
More or less ;-)
I'd call it the price we have to pay to get it configurable in
@{DOVECOT_MAILSTORE} - which also means permissions for ~/{m,M}ail can
easily be removed.
Besides that, only allowing the .imap/** subdirectory doesn't match the
other allowed directories, especially ~/Maildir/** which we already have
in the profile.
Regards,
Christian Boltz
--
> if ( ! ifdef $root ) { [...] }
ifdef?
Someone's been smoking rolled-up Makefiles...
[> Christian Boltz and Ratti in fontlinge-devel]
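The `*` versus `**` question discussed in this thread is easy to get wrong by eye, so here is an added example (not code from the patch or the AppArmor project) that models AppArmor path globbing in Python and evaluates the rules removed and added by the quoted usr.lib.dovecot.imap hunk against constructed sample paths. It assumes a simplified `@{HOME}` of `/home/*/` and `/root/` (the real tunables/home value is more elaborate), that the parser collapses repeated slashes, and that `*` and `**` at the start of a path component must match at least one character (which is why profiles carry a separate `dir/ rw,` rule next to `dir/** rw,`). The sample paths are constructed for the demonstration.

```python
import re

# Tunable values. @{DOVECOT_MAILSTORE} is the default from the patch;
# @{HOME} is an ASSUMED simplification of the real tunables/home value.
VARIABLES = {
    "@{HOME}": ["/home/*/", "/root/"],
    "@{DOVECOT_MAILSTORE}": [
        "@{HOME}/Maildir/", "@{HOME}/mail/", "@{HOME}/Mail/",
        "/var/vmail/", "/var/mail/", "/var/spool/mail/",
    ],
}

# Path rules removed (OLD) and added (NEW) by the quoted usr.lib.dovecot.imap hunk.
OLD_RULES = """
@{HOME} r,
@{HOME}/Maildir/ rw,
@{HOME}/Maildir/** klrw,
@{HOME}/Mail/ rw,
@{HOME}/Mail/* klrw,
@{HOME}/Mail/.imap/** klrw,
@{HOME}/mail/ rw,
@{HOME}/mail/* klrw,
@{HOME}/mail/.imap/** klrw,
"""
NEW_RULES = """
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
"""

VAR_RE = re.compile(r"@\{[A-Za-z_]+\}")

def expand_variables(pattern, variables=VARIABLES):
    """Expand every @{VAR}; a multi-valued variable yields one pattern per value.
    Repeated slashes (tunable ends in '/', rule adds one) are collapsed, as the
    parser does (assumed behaviour)."""
    todo, done = [pattern], []
    while todo:
        p = todo.pop()
        m = VAR_RE.search(p)
        if m is None:
            done.append(re.sub(r"/+", "/", p))
            continue
        for value in variables[m.group(0)]:
            todo.append(p[:m.start()] + value + p[m.end():])
    return done

def glob_to_regex(pattern):
    """AppArmor globbing -> anchored Python regex.
    '*' matches a run of non-'/' characters, '**' a run that may include '/'.
    At the start of a path component both must match at least one character,
    so '/x/**' does not match the directory '/x/' itself (assumed behaviour).
    '?' is one non-'/' char, {a,b} alternation, [...] a character class."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        component_start = (i == 0 or pattern[i - 1] == "/")
        if c == "*":
            if pattern[i + 1:i + 2] == "*":
                out.append("[^/].*" if component_start else ".*")
                i += 2
                continue
            out.append("[^/][^/]*" if component_start else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "," and depth:
            out.append("|")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c in "[]":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(text):
    """'path perms,' lines -> list of (compiled regex, set of permission letters)."""
    rules = []
    for line in text.strip().splitlines():
        path, perms = line.rstrip(",").split()
        for expanded in expand_variables(path):
            rules.append((glob_to_regex(expanded), set(perms)))
    return rules

OLD = parse_rules(OLD_RULES)
NEW = parse_rules(NEW_RULES)

def allowed(rules, path, perm):
    """True if some rule matches the path and grants the single permission letter."""
    return any(perm in perms and rx.match(path) for rx, perms in rules)

def compare(path, perm="r"):
    """(allowed under the old rules, allowed under the new rules)."""
    return allowed(OLD, path, perm), allowed(NEW, path, perm)

def widened(paths, perm="r"):
    """Paths the new rules grant that the old ones did not."""
    return [p for p in paths if compare(p, perm) == (False, True)]

# Constructed sample paths (directories carry a trailing slash, as in AppArmor).
SAMPLES = [
    "/home/alice/",                                # home directory itself
    "/home/alice/Maildir/cur/1234.M1:2,S",         # Maildir message
    "/home/alice/mail/inbox",                      # mbox directly under ~/mail
    "/home/alice/mail/.imap/inbox/dovecot.index",  # old rules already had ** here
    "/home/alice/mail/work/inbox",                 # nested folder: only ** reaches it
    "/home/alice/.ssh/id_rsa",                     # outside every mail store
]

if __name__ == "__main__":
    for p in SAMPLES:
        old, new = compare(p)
        print(f"{p:48} old={old!s:5} new={new!s:5}")
    print("newly reachable:", widened(SAMPLES))
```

Running it shows the two effects the thread talks about: `~/mail/work/inbox` was unreachable under `@{HOME}/mail/*` and is granted by `@{DOVECOT_MAILSTORE}/**`, and `/home/alice/` itself was readable through `@{HOME} r,` but is matched by neither new rule, so that grant has to come from somewhere else in the profile.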