[apparmor] [patch] profiles: add dovecot-common abstraction

Steve Beattie steve at nxnw.org
Fri Jun 27 18:31:25 UTC 2014


On Wed, Jun 25, 2014 at 01:51:44PM +0200, Christian Boltz wrote:
> Am Dienstag, 24. Juni 2014 schrieb Steve Beattie:
> > serve a similar role as the apache2-common abstraction as well as a
> > dovecot-common abstraction I have in the pipeline.
> 
> Also sounds good ;-)

Here's the dovecot-common abstraction as well as the patches to
the profiles for dovecot's helper binaries to make use of it. The
important addition is the ability for the dovecot master process to
send signals to the helpers.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 profiles/apparmor.d/abstractions/dovecot-common       |   19 ++++++++++++++++++
 profiles/apparmor.d/usr.lib.dovecot.anvil             |    2 -
 profiles/apparmor.d/usr.lib.dovecot.auth              |    4 ---
 profiles/apparmor.d/usr.lib.dovecot.config            |    5 ----
 profiles/apparmor.d/usr.lib.dovecot.deliver           |    4 +--
 profiles/apparmor.d/usr.lib.dovecot.dict              |    2 -
 profiles/apparmor.d/usr.lib.dovecot.dovecot-auth      |    2 -
 profiles/apparmor.d/usr.lib.dovecot.dovecot-lda       |    2 -
 profiles/apparmor.d/usr.lib.dovecot.imap              |    2 -
 profiles/apparmor.d/usr.lib.dovecot.imap-login        |    2 -
 profiles/apparmor.d/usr.lib.dovecot.lmtp              |    4 ---
 profiles/apparmor.d/usr.lib.dovecot.log               |    5 ----
 profiles/apparmor.d/usr.lib.dovecot.managesieve       |    1 
 profiles/apparmor.d/usr.lib.dovecot.managesieve-login |    3 +-
 profiles/apparmor.d/usr.lib.dovecot.pop3              |    2 -
 profiles/apparmor.d/usr.lib.dovecot.pop3-login        |    2 -
 profiles/apparmor.d/usr.lib.dovecot.ssl-params        |    5 ----
 17 files changed, 37 insertions(+), 29 deletions(-)

Index: b/profiles/apparmor.d/abstractions/dovecot-common
===================================================================
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -0,0 +1,19 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2014 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# used with dovecot/*
+
+  capability setgid,
+
+  deny capability block_suspend,
+
+  # dovecot's master can send us signals
+  signal receive peer=/usr/sbin/dovecot,
+
+  /{var/,}run/dovecot/config rw,
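Review bot: The abstraction widens the profiles that include it rather than only consolidating them — `capability setgid` and `/{var/,}run/dovecot/config rw` are granted to every includer, yet none of the profile hunks below removes an existing `/{var/,}run/dovecot/config` rule, and the managesieve hunk removes no `capability setgid`, so at least that profile appears to gain a capability it did not have (the rest of that profile is outside its hunk, so this may be a duplicate rather than a new grant). If every helper genuinely needs both, say so on the rules; otherwise keep the abstraction to the rules every helper shares (the signal rule and the block_suspend deny) and leave setgid in the profiles that carried it. The `config` path rule has no why-comment; I would add `# config socket served by the config helper; rw for every includer — TODO confirm each one needs write access`. The receive-only signal rule matches the description, but note that it makes every includer depend on a parser and kernel with signal mediation, so older deployments of these profiles will fail to load once they pick up this abstraction.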
Index: b/profiles/apparmor.d/usr.lib.dovecot.anvil
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@@ -13,8 +13,8 @@
 
 /usr/lib/dovecot/anvil {
   #include <abstractions/base>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
   capability sys_chroot,
 
Index: b/profiles/apparmor.d/usr.lib.dovecot.auth
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -16,11 +16,9 @@
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
-
-  deny capability block_suspend,
+  #include <abstractions/dovecot-common>
 
   capability audit_write,
-  capability setgid,
   capability setuid,
 
   /etc/my.cnf r,
Index: b/profiles/apparmor.d/usr.lib.dovecot.config
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.config
+++ b/profiles/apparmor.d/usr.lib.dovecot.config
@@ -14,13 +14,10 @@
 /usr/lib/dovecot/config {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/dovecot-common>
   #include <abstractions/ssl_keys>
 
-  deny capability block_suspend,
-
   capability dac_override,
-  capability setgid,
-
 
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
Index: b/profiles/apparmor.d/usr.lib.dovecot.deliver
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.deliver
+++ b/profiles/apparmor.d/usr.lib.dovecot.deliver
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh at gmail.com>
-#    Copyright (C) 2009-2012 Canonical Ltd.
+#    Copyright (C) 2009-2014 Canonical Ltd.
 #    Copyright (C) 2011-2013 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
@@ -17,8 +17,8 @@
 /usr/lib/dovecot/deliver {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
 
   @{DOVECOT_MAILSTORE}/ rw,
Index: b/profiles/apparmor.d/usr.lib.dovecot.dict
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.dict
+++ b/profiles/apparmor.d/usr.lib.dovecot.dict
@@ -15,8 +15,8 @@
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
 
   network inet stream,
Index: b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
@@ -17,8 +17,8 @@
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability chown,
   capability dac_override,
 
Index: b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -15,8 +15,8 @@
 /usr/lib/dovecot/dovecot-lda {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
 
   @{DOVECOT_MAILSTORE}/ rw,
Index: b/profiles/apparmor.d/usr.lib.dovecot.imap
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.imap
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap
@@ -16,8 +16,8 @@
 /usr/lib/dovecot/imap {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
 
   @{DOVECOT_MAILSTORE}/ rw,
Index: b/profiles/apparmor.d/usr.lib.dovecot.imap-login
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.imap-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap-login
@@ -15,8 +15,8 @@
   #include <abstractions/base>
   #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
   capability sys_chroot,
 
Index: b/profiles/apparmor.d/usr.lib.dovecot.lmtp
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@@ -15,11 +15,9 @@
 /usr/lib/dovecot/lmtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-
-  deny capability block_suspend,
+  #include <abstractions/dovecot-common>
 
   capability dac_override,
-  capability setgid,
   capability setuid,
 
   @{DOVECOT_MAILSTORE}/ rw,
Index: b/profiles/apparmor.d/usr.lib.dovecot.log
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.log
+++ b/profiles/apparmor.d/usr.lib.dovecot.log
@@ -13,10 +13,7 @@
 
 /usr/lib/dovecot/log {
   #include <abstractions/base>
-
-  deny capability block_suspend,
-
-  capability setgid,
+  #include <abstractions/dovecot-common>
 
   /usr/lib/dovecot/log mr,
 
Index: b/profiles/apparmor.d/usr.lib.dovecot.managesieve
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.managesieve
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve
@@ -13,6 +13,7 @@
 
 /usr/lib/dovecot/managesieve {
   #include <abstractions/base>
+  #include <abstractions/dovecot-common>
 
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
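Review bot: As far as this hunk shows, managesieve had no `capability setgid` rule and none is removed (the diffstat lists a single insertion for this file), so pulling in dovecot-common grants it setgid, the block_suspend deny and rw on `/{var/,}run/dovecot/config` that it did not previously have; the profile body continues past the hunk, so this could be a duplicate rather than a new grant, but the commit message does not say either way. If the grant is intended, record it beside the include, e.g. `# dovecot-common also grants setgid and the config socket, which this profile lacked before — TODO confirm managesieve needs them`; if it is not, the setgid rule belongs in the individual profiles rather than the shared abstraction.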
Index: b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
@@ -12,12 +12,13 @@
 # vim: ft=apparmor
 
 #include <tunables/global>
+
 /usr/lib/dovecot/managesieve-login {
   #include <abstractions/base>
   #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
   capability sys_chroot,
 
Index: b/profiles/apparmor.d/usr.lib.dovecot.pop3
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.pop3
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3
@@ -16,8 +16,8 @@
 /usr/lib/dovecot/pop3 {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
 
   @{DOVECOT_MAILSTORE}/ rw,
Index: b/profiles/apparmor.d/usr.lib.dovecot.pop3-login
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.pop3-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3-login
@@ -17,8 +17,8 @@
   #include <abstractions/nameservice>
   #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
+  #include <abstractions/dovecot-common>
 
-  capability setgid,
   capability setuid,
   capability sys_chroot,
 
Index: b/profiles/apparmor.d/usr.lib.dovecot.ssl-params
===================================================================
--- a/profiles/apparmor.d/usr.lib.dovecot.ssl-params
+++ b/profiles/apparmor.d/usr.lib.dovecot.ssl-params
@@ -13,10 +13,7 @@
 
 /usr/lib/dovecot/ssl-params {
   #include <abstractions/base>
-
-  deny capability block_suspend,
-
-  capability setgid,
+  #include <abstractions/dovecot-common>
 
   /usr/lib/dovecot/ssl-params mr,
   /var/lib/dovecot/ssl-parameters.dat rw,

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/

