On 01/19/2014 08:58 AM, Christian Boltz wrote:
> Hello,
>
> dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
> This patch adds profiles for
>
> /usr/lib/dovecot/anvil
> /usr/lib/dovecot/auth
> /usr/lib/dovecot/config
> /usr/lib/dovecot/dict
> /usr/lib/dovecot/dovecot-lda
> /usr/lib/dovecot/lmtp
> /usr/lib/dovecot/log
> /usr/lib/dovecot/managesieve
> /usr/lib/dovecot/ssl-params
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=851984
ugh, that's quite the list. It all looks good to me. Acked-by: John Johansen <[email protected]>
> > > === added file 'profiles/apparmor.d/usr.lib.dovecot.anvil' > --- profiles/apparmor.d/usr.lib.dovecot.anvil 1970-01-01 00:00:00 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.anvil 2014-01-19 16:08:30 +0000 > @@ -0,0 +1,25 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/anvil { > + #include <abstractions/base> > + > + capability setgid, > + capability setuid, > + capability sys_chroot, > + > + /usr/lib/dovecot/anvil mr, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.anvil> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.auth' > --- profiles/apparmor.d/usr.lib.dovecot.auth 1970-01-01 00:00:00 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.auth 2014-01-19 16:08:30 +0000 
> @@ -0,0 +1,38 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/auth { > + #include <abstractions/authentication> > + #include <abstractions/base> > + #include <abstractions/mysql> > + #include <abstractions/nameservice> > + > + deny capability block_suspend, > + > + capability audit_write, > + capability setgid, > + capability setuid, > + > + /etc/dovecot/dovecot-database.conf.ext r, > + /etc/dovecot/dovecot-sql.conf.ext r, > + /usr/lib/dovecot/auth mr, > + > + # kerberos replay cache > + /var/tmp/imap_* rw, > + /var/tmp/pop_* rw, > + /var/tmp/sieve_* rw, > + /var/tmp/smtp_* rw, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.auth> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.config' > --- profiles/apparmor.d/usr.lib.dovecot.config 1970-01-01 00:00:00 > +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.config 2014-01-19 16:08:30 > +0000 
> @@ -0,0 +1,32 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/config { > + #include <abstractions/base> > + #include <abstractions/nameservice> > + #include <abstractions/ssl_keys> > + > + deny capability block_suspend, > + > + capability dac_override, > + capability setgid, > + > + > + /etc/dovecot/** r, > + /usr/bin/doveconf rix, > + /usr/lib/dovecot/config mr, > + /usr/lib/dovecot/managesieve Px, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.config> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.dict' > --- profiles/apparmor.d/usr.lib.dovecot.dict 1970-01-01 00:00:00 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.dict 2014-01-19 16:08:30 +0000 
> @@ -0,0 +1,31 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/dict { > + #include <abstractions/base> > + #include <abstractions/mysql> > + > + capability setgid, > + capability setuid, > + > + network inet stream, > + > + /etc/dovecot/dovecot-database.conf.ext r, > + /etc/dovecot/dovecot-dict-sql.conf.ext r, > + /etc/nsswitch.conf r, > + /etc/services r, > + /usr/lib/dovecot/dict mr, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.dict> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.dovecot-lda' > --- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 1970-01-01 00:00:00 > +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.dovecot-lda 2014-01-19 16:08:30 > +0000 
> @@ -0,0 +1,33 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > +#include <tunables/dovecot> > + > +/usr/lib/dovecot/dovecot-lda { > + #include <abstractions/base> > + #include <abstractions/nameservice> > + > + capability setgid, > + capability setuid, > + > + @{DOVECOT_MAILSTORE}/ rw, > + @{DOVECOT_MAILSTORE}/** rwkl, > + > + /etc/dovecot/** r, > + /proc/*/mounts r, > + /{var/,}run/dovecot/mounts r, > + /usr/bin/doveconf mrix, > + /usr/lib/dovecot/dovecot-lda mrix, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.dovecot-lda> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.lmtp' > --- profiles/apparmor.d/usr.lib.dovecot.lmtp 1970-01-01 00:00:00 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2014-01-19 16:08:30 +0000 
> @@ -0,0 +1,35 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > +#include <tunables/dovecot> > + > +/usr/lib/dovecot/lmtp { > + #include <abstractions/base> > + > + deny capability block_suspend, > + > + capability dac_override, > + capability setgid, > + capability setuid, > + > + @{DOVECOT_MAILSTORE}/ rw, > + @{DOVECOT_MAILSTORE}/** rwkl, > + > + /etc/resolv.conf r, > + /proc/*/mounts r, > + /tmp/dovecot.lmtp.* rw, > + /usr/lib/dovecot/lmtp mr, > + /{var/,}run/dovecot/mounts r, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.lmtp> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.log' > --- profiles/apparmor.d/usr.lib.dovecot.log 1970-01-01 00:00:00 +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.log 2014-01-19 16:08:30 +0000 
> @@ -0,0 +1,25 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/log { > + #include <abstractions/base> > + > + deny capability block_suspend, > + > + capability setgid, > + > + /usr/lib/dovecot/log mr, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.log> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.managesieve' > --- profiles/apparmor.d/usr.lib.dovecot.managesieve 1970-01-01 00:00:00 > +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.managesieve 2014-01-19 16:08:30 > +0000 > @@ -0,0 +1,23 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/managesieve { > + #include <abstractions/base> > + > + /etc/dovecot/** r, > + /usr/bin/doveconf rix, > + /usr/lib/dovecot/managesieve mrix, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.managesieve> > +} > > === added file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params' > --- profiles/apparmor.d/usr.lib.dovecot.ssl-params 1970-01-01 00:00:00 > +0000 > +++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-01-19 16:08:30 > +0000 
> @@ -0,0 +1,27 @@ > +# ------------------------------------------------------------------ > +# > +# Copyright (C) 2013 Christian Boltz > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# ------------------------------------------------------------------ > +# vim: ft=apparmor > + > +#include <tunables/global> > + > +/usr/lib/dovecot/ssl-params { > + #include <abstractions/base> > + > + deny capability block_suspend, > + > + capability setgid, > + > + /usr/lib/dovecot/ssl-params mr, > + /var/lib/dovecot/ssl-parameters.dat rw, > + /var/lib/dovecot/ssl-parameters.dat.tmp rwk, > + > + # Site-specific additions and overrides. See local/README for details. > + #include <local/usr.lib.dovecot.ssl-params> > +} > > > Regards, > > Christian Boltz > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
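Review bot: in the usr.lib.dovecot.auth hunk, `deny capability block_suspend,` carries no comment; a one-line note on why the capability is explicitly denied rather than simply left out (an explicit `deny` also keeps the rejected request out of the audit log) would save the next reader from wondering whether auth legitimately needs it. The same uncommented deny appears in the config, lmtp, log and ssl-params profiles, so one comment in each would be consistent. The rules under `# kerberos replay cache` (`/var/tmp/imap_* rw,` and friends) are also fairly broad globs in a shared directory; if the replay cache files are created by the auth process itself, prefixing them with `owner` keeps other users' files in /var/tmp out of reach at no functional cost.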
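Review bot: in the usr.lib.dovecot.config hunk there are two consecutive blank lines between `capability setgid,` and `/etc/dovecot/** r,`; one is enough and matches the layout of the other profiles. `capability dac_override,` is also granted without a comment; since the profile already includes `abstractions/ssl_keys` and reads `/etc/dovecot/**`, a short note on which file the config process actually needs to read past DAC permissions would make it easier to verify, and to drop later if the packaging changes.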
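Review bot: the usr.lib.dovecot.dict hunk grants `network inet stream,` only; if the SQL backend referenced by `/etc/dovecot/dovecot-dict-sql.conf.ext` is reached over IPv6, the connect will be denied, so `network inet6 stream,` should sit alongside it. Minor: `/etc/nsswitch.conf r,` and `/etc/services r,` are what `abstractions/nameservice` provides, and the auth and config profiles in this patch already include that abstraction; using it here too would be consistent unless the narrower explicit rules are deliberate, in which case a comment saying so would help.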
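Review bot: the usr.lib.dovecot.dovecot-lda hunk (and the lmtp hunk) depends on `#include <tunables/dovecot>` and the `@{DOVECOT_MAILSTORE}` variable, neither of which this patch adds; please confirm the tunable is already in the tree so the profiles do not fail to parse on a fresh checkout. A comment would also help here: dovecot-lda is normally executed by the MTA rather than by the dovecot master, so the profile only takes effect when the caller is unconfined or its profile transitions into it, and `@{DOVECOT_MAILSTORE}/** rwkl,` is then the only mail location the delivery agent may touch.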
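Review bot: in the usr.lib.dovecot.lmtp hunk, `/tmp/dovecot.lmtp.* rw,` allows read/write of any matching name in the world-writable /tmp; if these are temporary files the lmtp process creates itself, `owner /tmp/dovecot.lmtp.* rw,` limits the rule to files with the process's own uid without changing behaviour. The profile also reads `/etc/resolv.conf` directly but includes no `abstractions/nameservice`; if lmtp resolves hostnames it will very likely need `/etc/hosts` and `/etc/nsswitch.conf` as well, which the abstraction covers.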
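Review bot: the usr.lib.dovecot.managesieve hunk grants only config reads, `/usr/bin/doveconf rix,` and a self re-exec, with no rule for any sieve script storage or mail location and no `capability` lines; together with the `/usr/lib/dovecot/managesieve Px,` transition in the config profile, this reads as if the binary is only ever run to dump its settings. A comment stating that, or a pointer to where an actual ManageSieve client session is expected to be confined, would stop someone from reporting the missing script access as a bug.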
