[apparmor] [patch] profiles: add dovecot-common abstraction

Steve Beattie steve at nxnw.org
Mon Jul 7 22:56:55 UTC 2014


On Tue, Jul 01, 2014 at 11:06:06PM +0200, Christian Boltz wrote:
> Am Freitag, 27. Juni 2014 schrieb Steve Beattie:
> > Here's the dovecot-common abstraction as well as the patches to
> > the profiles for dovecot's helper binaries to make use of it. The
> > important addition is the ability for the dovecot master process to
> > send signals to the helpers.
> 
> I know this was committed already (and it looks good in general), but let
> me ask nevertheless:
> 
> > Index: b/profiles/apparmor.d/abstractions/dovecot-common
> > ===================================================================
> > --- /dev/null
> > +++ b/profiles/apparmor.d/abstractions/dovecot-common
> ...
> > +  capability setgid,
> > +
> > +  deny capability block_suspend,
> > +
> > +  # dovecot's master can send us signals
> > +  signal receive peer=/usr/sbin/dovecot,
> > +
> > +  /{var/,}run/dovecot/config rw,
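Review bot: the `/{var/,}run/dovecot/config rw,` rule at the end of the hunk carries no comment, unlike the signal rule just above it, and it is the rule that needed explaining afterwards in this thread; a one-line comment above it stating what the path is (the socket served by dovecot's config process, per the reply below) and why an abstraction shared by every helper needs write access to it would make the abstraction self-explanatory for the next reviewer, in the same way the `# dovecot's master can send us signals` line documents the signal rule.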
> 
> What's the reason for the "/{var/,}run/dovecot/config rw," rule?
> 
> None of the dovecot profiles contained this rule before...

Honestly, I'm not enough of a dovecot expert to know for sure, but it's
a socket that the /usr/lib/dovecot/config process listens to. It shares
common code with the doveconf utility (src/config/ in the dovecot
source tree[1]); I'm *guessing* it lets other dovecot processes avoid
running doveconf to get parsed dovecot configuration info, but finding
documentation on it on the dovecot wiki site seems beyond my abilities.

[1] http://hg.dovecot.org/dovecot-2.2/file/16d4cf2c0d65/src/config

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
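The rules quoted in this thread (a capability rule, a deny rule, a signal rule with a peer, and a file rule using `{var/,}` alternation) can be checked mechanically rather than by eye. The following is an added example, not AppArmor's own parser and not code from the dovecot profiles: a small Python parser for just that subset of profile syntax, fed a constructed copy of the quoted rules, which expands the alternation and reports which concrete paths get `rw`, which peer may signal the confined process, and which capabilities are granted or denied. Assumptions: the sample text is constructed to mirror the hunk, only this subset of the syntax is handled (no `#include`, no globs, no `set=(...)` on signal rules), and AppArmor's rule that an explicit deny overrides an allow is modelled for file rules.

```python
"""Toy parser for the subset of AppArmor profile syntax used in the quoted
dovecot-common abstraction.  Added example; not AppArmor's parser."""
import re

# Constructed sample mirroring the quoted hunk (not the file shipped by AppArmor).
SAMPLE_ABSTRACTION = """
  capability setgid,

  deny capability block_suspend,

  # dovecot's master can send us signals
  signal receive peer=/usr/sbin/dovecot,

  /{var/,}run/dovecot/config rw,
"""

CAP_RE = re.compile(r"^(deny\s+)?capability\s+(\w+),$")
SIG_RE = re.compile(r"^(deny\s+)?signal\s+(.*?),$")
FILE_RE = re.compile(r"^(deny\s+)?(owner\s+)?(/\S+)\s+([a-zA-Z]+),$")


def expand_alternation(pattern):
    """Expand AppArmor {a,b,...} alternation (nesting allowed) into the
    concrete strings it stands for.  Globs such as * are left untouched."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for i in range(start, len(pattern)):
        if pattern[i] == "{":
            depth += 1
        elif pattern[i] == "}":
            depth -= 1
            if depth == 0:
                end = i
                break
    else:
        raise ValueError("unbalanced braces in %r" % pattern)
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    alts, depth, cur = [], 0, ""          # split body on top-level commas only
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += ch
    alts.append(cur)
    out = []
    for alt in alts:                      # recurse: alt or tail may hold more braces
        for rest in expand_alternation(alt + tail):
            out.append(head + rest)
    return out


def parse_rules(text):
    """Parse capability, signal and file rules; anything else is rejected."""
    rules = []
    for raw in text.splitlines():
        if raw.strip().startswith("#include"):
            raise ValueError("#include is not handled by this toy parser")
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = CAP_RE.match(line)
        if m:
            rules.append({"kind": "capability", "deny": bool(m.group(1)),
                          "name": m.group(2)})
            continue
        m = SIG_RE.match(line)
        if m:
            fields = m.group(2).split()
            opts = dict(f.split("=", 1) for f in fields if "=" in f)
            rules.append({"kind": "signal", "deny": bool(m.group(1)),
                          "access": [f for f in fields if "=" not in f],
                          "peer": opts.get("peer")})
            continue
        m = FILE_RE.match(line)
        if m:
            rules.append({"kind": "file", "deny": bool(m.group(1)),
                          "owner": bool(m.group(2)),
                          "paths": expand_alternation(m.group(3)),
                          "perms": set(m.group(4))})
            continue
        raise ValueError("unsupported rule: %r" % line)
    return rules


def file_access(rules, path):
    """Permission letters the rules grant to one concrete path.  An explicit
    deny removes the permission even if another rule allows it."""
    allowed, denied = set(), set()
    for r in rules:
        if r["kind"] == "file" and path in r["paths"]:
            (denied if r["deny"] else allowed).update(r["perms"])
    return allowed - denied


def signal_peers(rules, direction="receive"):
    """Peers allowed to send (direction='receive') signals to the profile."""
    return sorted(r["peer"] for r in rules
                  if r["kind"] == "signal" and not r["deny"] and direction in r["access"])


def capabilities(rules):
    """(allowed, denied) capability name sets."""
    allow = {r["name"] for r in rules if r["kind"] == "capability" and not r["deny"]}
    deny = {r["name"] for r in rules if r["kind"] == "capability" and r["deny"]}
    return allow, deny


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ABSTRACTION)
    for p in ("/run/dovecot/config", "/var/run/dovecot/config", "/run/dovecot/login"):
        print(p, "".join(sorted(file_access(rules, p))) or "-")
    print("signal peers:", signal_peers(rules))
    print("capabilities:", capabilities(rules))
```

Running it shows both `/run/dovecot/config` and `/var/run/dovecot/config` getting `rw` from the single alternation rule, no access at all to an unlisted path, `/usr/sbin/dovecot` as the only permitted signal sender, and `setgid` allowed while `block_suspend` is denied. The parser deliberately refuses `#include` and unknown rule forms instead of skipping them, so a silently unhandled rule cannot make a profile look more restrictive than it is.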