[apparmor] [patch 1/3] dovecot profiles: introduce tunables/dovecot

John Johansen john.johansen at canonical.com
Sun Jan 26 21:27:49 UTC 2014


On 01/26/2014 12:22 PM, Christian Boltz wrote:
> Hello,
> 
> On Thursday, 23 January 2014, John Johansen wrote:
>> On 01/23/2014 06:37 AM, Christian Boltz wrote:
>>> On Thursday, 23 January 2014, John Johansen wrote:
>>>> On 01/19/2014 08:58 AM, Christian Boltz wrote:
>>>>> this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
>>>>> and replaces the mail storage location in various dovecot-related
>>>>> profiles with this variable.
>>>>>
>>>>> It also adds nice copyright headers (I hope I got the bzr log
>>>>> right
>>>>> ;-)
>>>>
>>>> a few comments inline
>>>>
>>>>> === added file 'profiles/apparmor.d/tunables/dovecot'
>>>>> --- profiles/apparmor.d/tunables/dovecot	1970-01-01 00:00:00
>>>>> +++ profiles/apparmor.d/tunables/dovecot	2014-01-19 16:08:06
>>>
>>> ...
>>>
>>>>> +# @{DOVECOT_MAILSTORE} is a space-separated list of all
>>>>> directories
>>>>> +# where dovecot is allowed to store and read mails
>>>>> +#
>>>>> +# The default value is quite broad to avoid breaking existing
>>>>> setups. +# Please change @{DOVECOT_MAILSTORE} to (only) contain
>>>>> the
>>>>> directory +# you use, and remove everything else.
>>>>> +
>>>>> +@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/
>>>>> /var/vmail/ /var/mail/ /var/spool/mail/
>>>>>
>>>>>
>>>>>
>>>>>
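
Review bot: The header comment for @{DOVECOT_MAILSTORE} does not say whether entries must end in a slash, yet every default value does (`@{HOME}/Maildir/`, `/var/vmail/`, and so on), and the rules in usr.lib.dovecot.imap append `/` and `/**` to the variable, so the expanded paths contain `//`. Either drop the trailing slash on one side or state the convention in the comment, so that an admin who narrows the list as the comment asks writes entries of the same shape as the defaults.
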
>>>>> === modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
>>>>> --- profiles/apparmor.d/usr.lib.dovecot.imap	2011-08-26 
> 23:12:10
>>>>> +0000 +++ profiles/apparmor.d/usr.lib.dovecot.imap	2014-01-19
>>>
>>> ...
>>>
>>>>> -  @{HOME} r,
>>>>> -  @{HOME}/Maildir/ rw,
>>>>> -  @{HOME}/Maildir/** klrw,
>>>>> -  @{HOME}/Mail/ rw,
>>>>> -  @{HOME}/Mail/* klrw,
>>>>> -  @{HOME}/Mail/.imap/** klrw,
>>>>> -  @{HOME}/mail/ rw,
>>>>> -  @{HOME}/mail/* klrw,
>>>>> -  @{HOME}/mail/.imap/** klrw,
>>>>> +  @{DOVECOT_MAILSTORE}/ rw,
>>>>> +  @{DOVECOT_MAILSTORE}/** rwkl,
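
Review bot: The removed `@{HOME} r,` rule has no counterpart among the added lines shown here; the two new rules only cover paths under @{DOVECOT_MAILSTORE}. If read access to the home directory itself is still needed, keep that rule, and if dropping it is intended, say so in the commit message. Since `@{DOVECOT_MAILSTORE}/** rwkl,` applies to every entry of the variable, the same recursive write, lock and link access also goes to whatever else is in the list, which deserves a mention next to the rule.
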
>>>>
>>>> so this is slightly wider perms than
>>>>
>>>>> -  @{HOME}/{m,M}ail/* klrw,
>>>>> -  @{HOME}/{m,M}ail/.imap/** klrw,
>>>>
>>>> is this what we want?
>>>
>>> The idea of @{DOVECOT_MAILSTORE} is to allow the directories that
>>> were allowed in the old profile, and getting all profiles in sync
>>> so that for example IMAP and POP3 allow access to the same
>>> directory.
>>>
>>> I know the list got quite long - but that's what you get from
>>> checking the current dovecot-related profiles. (Maybe also a
>>> location from a bugreport on bnc sneaked in, I'd have to check that
>>> ;-)
>>>
>>> I'd happily shorten the list to just /var/vmail/, but I'm sure users
>>> would kill me for doing it ;-)
>>>
>>> The perfect solution would be to auto-generate @{DOVECOT_MAILSTORE}
>>> from the dovecot config, but unfortunately that isn't as easy as it
>>> looks. (Proposals and scripts welcome ;-)
>>
>> Not quite what I meant by widening of the perms (though I would love
>> to have the list generated from the config too). The list for
>> @{DOVECOT_MAILSTORE} is fine.
>>
>> What I meant was that for the case of @{HOME}/mail/ and @{HOME}/Mail/
>> we used to have
>>   @{HOME}/{m,M}ail/* klrw,
>>   @{HOME}/{m,M}ail/.imap/** klrw,
>>
>> but we now have
>>   @{HOME}/{m,M}ail/** klrw,
>>
>> the difference being that we only allowed the recursive ** for the
>> .imap dir.
>>
>> I just wanted to make sure this widening of permissions was
>> intentional
> 
> More or less ;-)
> I'd call it the price we have to pay to get it configurable in 
> @{DOVECOT_MAILSTORE} - which also means permissions for ~/{m,M}ail can 
> easily be removed. 
> 
> Besides that, only allowing the .imap/** subdirectory doesn't match the 
> other allowed directories, especially ~/Maildir/** which we already have 
> in the profile.
> 

in that case

Acked-by: John Johansen <john.johansen at canonical.com>
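
The widening discussed in this thread (from `*` plus `.imap/**` to a single `**`) can be made concrete with a small script. This is an added example, not part of the original mail or the AppArmor code; it uses a simplified model of AppArmor globbing, and the home directory and sample paths are constructed.

```python
import re

def aa_glob_to_regex(rule_path):
    """Translate an AppArmor-style path glob to a regex (simplified model)."""
    out, i, prev = [], 0, ""
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):        # ** crosses directory boundaries
            out.append(".+" if prev == "/" else ".*")
            i += 1                               # consume the second '*'
        elif c == "*":                           # * stays inside one path component
            out.append("[^/]+" if prev == "/" else "[^/]*")
        elif c == "{":                           # {a,b} alternation
            end = rule_path.index("}", i)
            alts = rule_path[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = end
        else:
            out.append(re.escape(c))
        prev = rule_path[i]
        i += 1
    return re.compile("".join(out))

def allowed(rules, path):
    """True if any rule path matches the whole path."""
    return any(aa_glob_to_regex(r).fullmatch(path) for r in rules)

def newly_allowed(old_rules, new_rules, paths):
    """Paths the new rule set permits that the old one did not."""
    return [p for p in paths
            if allowed(new_rules, p) and not allowed(old_rules, p)]

# Constructed home directory and sample paths, for illustration only.
HOME = "/home/alice"
OLD_RULES = [HOME + "/{m,M}ail/*", HOME + "/{m,M}ail/.imap/**"]
NEW_RULES = [HOME + "/{m,M}ail/**"]
SAMPLE_PATHS = [
    HOME + "/mail/inbox",
    HOME + "/mail/.imap/INBOX/dovecot.index",
    HOME + "/Mail/archive/2013/msg1",
    HOME + "/mail/work/notes.txt",
    HOME + "/Documents/report.txt",
]

if __name__ == "__main__":
    for p in newly_allowed(OLD_RULES, NEW_RULES, SAMPLE_PATHS):
        print("newly allowed:", p)
```
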



