[apparmor] [patch] profiles: update postfix-common

Christian Boltz apparmor at cboltz.de
Wed Jun 25 11:51:44 UTC 2014


On Tuesday, 24 June 2014, Steve Beattie wrote:
> Attached is a patch that updates postfix-common to take account
> of some multiarch stuff, some chrooting that postfix does, and that
> the postfix master process sends signals to all the different utility
> processes.
> As a followup, I'd like to move postfix-common from program-chunks
> directory (and kill the directory), as it is the last remaining
> vestigial file there (the rest having been moved out in 2007!),
> and place it into the abstractions/ directory, where it would

Good idea.

> serve a similar role as the apache2-common abstraction as well as a
> dovecot-common abstraction I have in the pipeline.

Also sounds good ;-)

> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
>  profiles/apparmor.d/program-chunks/postfix-common |   17
> +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
> Index: b/profiles/apparmor.d/program-chunks/postfix-common
> ===================================================================
> --- a/profiles/apparmor.d/program-chunks/postfix-common
> +++ b/profiles/apparmor.d/program-chunks/postfix-common
> @@ -1,6 +1,7 @@
>  # ------------------------------------------------------------------
>  #
>  #    Copyright (C) 2002-2005 Novell/SUSE
> +#    Copyright (C) 2014 Canonical, Ltd.
>  #
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
> @@ -14,11 +15,19 @@
>    capability            setgid,
>    capability            sys_chroot,
> +  # postfix's master can send us signals
> +  signal receive peer=/usr/lib/postfix/master,
> +
> +  /etc/mailname         r,
>    /etc/postfix/*.cf     r,
>    /etc/postfix/*.db     r,
>    @{PROC}/net/if_inet6  r,
>    /usr/lib/postfix/*.so mr,
> -  /usr/lib64/sasl2/*    mr,
> -  /usr/lib64/sasl2/     r,
> -  /usr/lib/sasl2/*      mr,
> -  /usr/lib/sasl2/       r,
> +  /usr/lib{,32,64}/sasl2/*    mr,
> +  /usr/lib{,32,64}/sasl2/     r,
> +  /usr/lib/@{multiarch}/sasl2/*      mr,
> +  /usr/lib/@{multiarch}/sasl2/       r,
> +
> +  /var/spool/postfix/etc/*        r,

I doubt this is useful - to make it useful, $chroot/etc/** would be 
needed (with just *, reading $chroot/etc/postfix/* is impossible) - but 
that would also be broader than what we allow in the non-chrooted /etc.

That said: not all postfix binaries need read access to all files in 
/etc/postfix - but I'm not sure if it's worth the effort to add detailed 
restrictions or if detailed restrictions just annoy the users because 
they have to update the profile for every little change/new config file.

The only critical file is probably /etc/postfix/sasl-passwd{,.db} which 
contains passwords if postfix is sending mails to a smarthost with SMTP 
auth. The filename is of course configurable (smtp_sasl_password_maps) 
[1] which means we can't rely on the filename.

Another interesting question is if we should simply keep chroot and non-
chroot in sync by using /{var/spool/postfix/,}etc/$whatever

> +  /var/spool/postfix/lib/lib*.so* mr,
> +  /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
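
Review bot: The added `signal receive peer=/usr/lib/postfix/master,` rule names no signal set, so every profile that includes this chunk will accept any signal from that peer; consider narrowing it with `set=(...)` to the signals that are actually needed. The peer is also a single hard-coded `/usr/lib/postfix/master`, while the sasl2 rules in the same hunk are widened to `/usr/lib{,32,64}` and `@{multiarch}`; if master can be confined under any of those other paths, the signal rule should cover them as well. As a style point, the new sasl2 and `/var/spool/postfix/` rules do not line up with the permission column used by the existing `/etc/postfix/*.cf     r,` lines.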

Same question as above - what about /{var/spool/postfix/,}lib ?

That all reminds me that I have updated postfix profiles on my servers - 
I should probably collect and merge them and then submit patches ;-)
(but not this week ;-)

BTW: Currently, all postfix profiles are in extra (inactive). Should we 
move them to the set of active profiles after updating them?


Christian Boltz

[1] While we are talking about it: postconf(5) says about it:
        The Postfix SMTP client opens the lookup table before going to
        chroot jail, so you can leave the password file in /etc/postfix.

Beat them. Sue them. E.g. blow the whistle on them to c't, so that from
now on the sparrows whistle it from the rooftops what kind of duds they
are at $company. *scnr* [David Haller in suse-linux]
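
Added example, not part of the original message or of AppArmor's own code: a simplified Python model of AppArmor path globbing. It shows why `/var/spool/postfix/etc/*` does not reach `$chroot/etc/postfix/*`, and how the `/{var/spool/postfix/,}etc/` form covers the chrooted and non-chrooted path with one rule. The helper names, the sample request paths and the `@{multiarch}` value are assumptions made for illustration.

```python
import re

# Assumed value for illustration; real profiles take it from the tunables.
VARIABLES = {"multiarch": "*-linux-gnu*"}

def aa_glob_to_regex(rule_path, variables=VARIABLES):
    """Translate an AppArmor path glob into an anchored Python regex.

    Simplified model: '*' stays inside one path component, '**' crosses '/',
    '?' is one non-'/' character, '{a,b}' is alternation and '@{var}' is
    expanded first. Character classes and the corner cases around globs
    matching the empty string are not modelled.
    """
    expanded = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], rule_path)
    out, i, depth = [], 0, 0
    while i < len(expanded):
        ch = expanded[i]
        if expanded.startswith("**", i):
            out.append(".*")        # may cross directory separators
            i += 1                  # consume the second '*'
        elif ch == "*":
            out.append("[^/]*")     # stops at the next '/'
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")         # separator between alternatives
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def allowed(rule_path, requested_path):
    """True if the path part of a rule covers the requested path."""
    return aa_glob_to_regex(rule_path).match(requested_path) is not None

# Constructed sample requests: the same config file without and with the chroot.
PLAIN = "/etc/postfix/main.cf"
CHROOTED = "/var/spool/postfix/etc/postfix/main.cf"

if __name__ == "__main__":
    for rule in ("/var/spool/postfix/etc/*",
                 "/var/spool/postfix/etc/**",
                 "/{var/spool/postfix/,}etc/postfix/*.cf"):
        print(f"{rule:42} plain={allowed(rule, PLAIN)} chroot={allowed(rule, CHROOTED)}")
```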
