[apparmor] [patch] update postfix-common abstraction
Steve Beattie
steve at nxnw.org
Wed Apr 15 04:49:25 UTC 2015
Update the postfix-common abstraction to cope with signal and unix
socket mediation, update the access to the sasl library locations
in a multiarch compliant way, and allow access to limited bits
of the filesystem paths under which postfix chroots itself to
(/var/spool/postfix/ on Ubuntu).
Nominated for trunk and 2.9.
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
profiles/apparmor.d/abstractions/postfix-common | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
Index: b/profiles/apparmor.d/abstractions/postfix-common
===================================================================
--- a/profiles/apparmor.d/abstractions/postfix-common
+++ b/profiles/apparmor.d/abstractions/postfix-common
@@ -1,6 +1,7 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2015 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -14,11 +15,21 @@
capability setgid,
capability sys_chroot,
+ # postfix's master can send us signals
+ signal receive peer=/usr/lib/postfix/master,
+
+ unix (send, receive) peer=(label=/usr/lib/postfix/master),
+
+ /etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db r,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
- /usr/lib64/sasl2/* mr,
- /usr/lib64/sasl2/ r,
- /usr/lib/sasl2/* mr,
- /usr/lib/sasl2/ r,
+ /usr/lib{,32,64}/sasl2/* mr,
+ /usr/lib{,32,64}/sasl2/ r,
+ /usr/lib/@{multiarch}/sasl2/* mr,
+ /usr/lib/@{multiarch}/sasl2/ r,
+
+ /var/spool/postfix/etc/* r,
+ /var/spool/postfix/lib/lib*.so* mr,
+ /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
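Review bot: The two new peer rules at the top of this hunk, `signal receive peer=/usr/lib/postfix/master,` and `unix (send, receive) peer=(label=/usr/lib/postfix/master),`, match only when master itself runs under a profile with that exact label. If master is unconfined, its label is `unconfined` and neither rule applies, so the comment should state that the abstraction assumes a confined master. The signal rule also has no `set=` qualifier, so it accepts every signal from that peer; if the signals master actually sends are known, list them. Finally, the added comment covers only the signal rule, and the `/var/spool/postfix/` rules at the end hardcode what the description calls the Ubuntu chroot location without saying so in the file; a one-line comment above the unix rule and above the chroot group would help profile authors on other layouts.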
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/