[apparmor] [patch] Dovecot profile update

Christian Boltz apparmor at cboltz.de
Thu Jan 26 20:13:31 UTC 2017


Hello,

this patch adds several permissions to the dovecot profiles that are needed on Ubuntu
(surprisingly not on openSUSE, maybe it depends on the dovecot config?)

As discussed some weeks ago, the added permissions use only /run/
instead of /{var/,}run/ (which is hopefully superfluous nowadays).


References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1512131


I propose this patch for trunk, 2.10 and 2.9.


[ dovecot-lp1512131.diff ]

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.anvil'
--- profiles/apparmor.d/usr.lib.dovecot.anvil   2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.anvil   2017-01-26 19:58:29 +0000
@@ -18,6 +18,7 @@
   capability setuid,
   capability sys_chroot,
 
+  /run/dovecot/anvil rw,
   /usr/lib/dovecot/anvil mr,
 
   # Site-specific additions and overrides. See local/README for details.
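Review bot: the new `/run/dovecot/anvil rw,` rule uses the bare /run/ form while the imap-login profile further down in this same patch still reaches the same socket as `/{,var/}run/dovecot/anvil rw,`; since the patch is also proposed for the 2.9 branch, which still serves systems where /var/run is not necessarily a symlink to /run and dovecot's base_dir may resolve to /var/run/dovecot, either keep the `/{,var/}run/` form here or state in the commit message that bare /run/ is now assumed on every branch the patch targets.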

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth    2016-12-27 16:46:07 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth    2017-01-26 19:59:49 +0000
@@ -37,6 +37,9 @@
   /var/tmp/sieve_* rw,
   /var/tmp/smtp_* rw,
 
+  /run/dovecot/auth-master rw,
+  /run/dovecot/auth-worker rw,
+  /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
   /{var/,}run/dovecot/stats-user rw,
   /{var/,}run/dovecot/anvil-auth-penalty rw,
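Review bot: the three added rules use bare /run/ while the three unchanged rules directly below them (`/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,` and the two following) keep the `/{var/,}run/` alternation, so this profile now carries both conventions for sibling paths in the same directory; if the bare form is the agreed direction, convert the existing lines in the same patch (or a companion one) rather than leaving a mix that a later contributor will read as a typo.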

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap    2016-10-05 18:46:03 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap    2017-01-26 20:00:36 +0000
@@ -21,6 +21,8 @@
   capability setuid,
   deny capability block_suspend,
 
+  network unix stream,
+
   @{DOVECOT_MAILSTORE}/ rw,
   @{DOVECOT_MAILSTORE}/** rwkl,
 
@@ -33,6 +35,7 @@
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/imap mrix,
   /usr/share/dovecot/** r,
+  /run/dovecot/login/imap rw,
   /{,var/}run/dovecot/auth-master rw,
   /{,var/}run/dovecot/mounts r,
 

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
--- profiles/apparmor.d/usr.lib.dovecot.imap-login      2014-12-22 16:41:59 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login      2017-01-26 20:01:00 +0000
@@ -22,6 +22,7 @@
 
   network inet stream,
   network inet6 stream,
+  network unix stream,
 
   /usr/lib/dovecot/imap-login mr,
   /{,var/}run/dovecot/anvil rw,
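Review bot: unlike the other profiles in this patch, imap-login gains only `network unix stream,` and no socket path rule; if the Ubuntu denial was solely on the socket family this is sufficient, but if it came with a file denial on a login socket the profile will simply log the next denial once this one is fixed, so the commit message should quote the audit line(s) this rule answers.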

=== modified file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params'
--- profiles/apparmor.d/usr.lib.dovecot.ssl-params      2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.ssl-params      2017-01-26 20:01:28 +0000
@@ -15,6 +15,7 @@
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
 
+  /run/dovecot/login/ssl-params rw,
   /usr/lib/dovecot/ssl-params mr,
   /var/lib/dovecot/ssl-parameters.dat rw,
   /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
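Review bot: `/run/dovecot/login/ssl-params rw,` raises the same branch question as the anvil rule: the patch is proposed for 2.9 as well, where the socket may live under /var/run/dovecot, and a `/{,var/}run/` form costs nothing and matches the rest of the profile set; placing the rule ahead of `/usr/lib/dovecot/ssl-params mr,` keeps the profile's existing path ordering, which is fine.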




Regards,

Christian Boltz
-- 
There is no individualism in mail formats. There are very detailed
RULES (namely the RFCs) that prescribe such things down to the last dot and
comma, and whoever amusingly does it differently is driving on the wrong
side of the road and gets run over. [Ratti in suse-linux]