diff --git a/apparmor-profiles-dovecot-bnc851984.diff b/apparmor-profiles-dovecot-bnc851984.diff
new file mode 100644
index 0000000..3d6e301
--- /dev/null
+++ b/apparmor-profiles-dovecot-bnc851984.diff
@@ -0,0 +1,294 @@
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
+--- profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-01 19:22:33.468445136 +0100
+@@ -1,6 +1,19 @@
+-# Author: Dulmandakh Sukhbaatar
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009 Dulmandakh Sukhbaatar
++# Copyright (C) 2009-2012 Canonical Ltd.
++# Copyright (C) 2011-2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
++#include
++
+ /usr/lib/dovecot/deliver {
+ #include
+ #include
+@@ -8,20 +21,16 @@
+ capability setgid,
+ capability setuid,
+ 
++ @{DOVECOT_MAILSTORE}/ rw,
++ @{DOVECOT_MAILSTORE}/** rwkl,
++
+ # http://www.postfix.org/SASL_README.html#server_dovecot
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/{auth,conf}.d/*.conf r,
+- /etc/dovecot/dovecot-postfix.conf r,
++ /etc/dovecot/dovecot-postfix.conf r, # ???
+ 
+- @{HOME} r,
+- @{HOME}/Maildir/ rw,
+- @{HOME}/Maildir/** klrw,
+- @{HOME}/mail/ rw,
+- @{HOME}/mail/* klrw,
+- @{HOME}/mail/.imap/** klrw,
++ @{HOME} r, # ???
+ /usr/lib/dovecot/deliver mr,
+- /var/mail/* klrw,
+- /var/spool/mail/* klrw,
+ 
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth
+--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-01 19:18:33.183586607 +0100
+@@ -1,6 +1,17 @@
+-# Author: Kees Cook
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009-2013 Canonical Ltd.
++# Copyright (C) 2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
++
+ /usr/lib/dovecot/dovecot-auth {
+ #include
+ #include
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
+--- profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 21:59:34.990459644 +0100
+@@ -1,6 +1,18 @@
+-# Author: Kees Cook
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009-2010 Canonical Ltd.
++# Copyright (C) 2011-2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
++#include
++
+ /usr/lib/dovecot/imap {
+ #include
+ #include
+@@ -8,18 +20,11 @@
+ capability setgid,
+ capability setuid,
+ 
+- @{HOME} r,
+- @{HOME}/Maildir/ rw,
+- @{HOME}/Maildir/** klrw,
+- @{HOME}/Mail/ rw,
+- @{HOME}/Mail/* klrw,
+- @{HOME}/Mail/.imap/** klrw,
+- @{HOME}/mail/ rw,
+- @{HOME}/mail/* klrw,
+- @{HOME}/mail/.imap/** klrw,
++ @{DOVECOT_MAILSTORE}/ rw,
++ @{DOVECOT_MAILSTORE}/** rwkl,
++
++ @{HOME} r, # ???
+ /usr/lib/dovecot/imap mr,
+- /var/mail/* klrw,
+- /var/spool/mail/* klrw,
+ 
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login
+--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-01 19:21:43.299398259 +0100
+@@ -1,4 +1,14 @@
+-# Author: Kees Cook
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009-2011 Canonical Ltd.
++# Copyright (C) 2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
+ /usr/lib/dovecot/imap-login {
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login
+--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-01 19:21:23.986535007 +0100
+@@ -1,4 +1,15 @@
+-# Author: Dulmandakh Sukhbaatar
++# ------------------------------------------------------------------
++#
++# Copyright (c) 2009 Dulmandakh Sukhbaatar
++# Copyright (C) 2009-2011 Canonical Ltd.
++# Copyright (C) 2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
+ /usr/lib/dovecot/managesieve-login {
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
+--- profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:00:13.820132421 +0100
+@@ -1,6 +1,18 @@
+-# Author: Kees Cook
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009-2010 Canonical Ltd.
++# Copyright (C) 2011-2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
++#include
++
+ /usr/lib/dovecot/pop3 {
+ #include
+ #include
+@@ -8,13 +20,10 @@
+ capability setgid,
+ capability setuid,
+ 
+- /var/mail/* klrw,
+- /var/spool/mail/* klrw,
+- @{HOME} r,
+- @{HOME}/mail/* klrw,
+- @{HOME}/mail/.imap/** klrw,
+- @{HOME}/Maildir/ rw,
+- @{HOME}/Maildir/** klrw,
++ @{DOVECOT_MAILSTORE}/ rw,
++ @{DOVECOT_MAILSTORE}/** rwkl,
++
++ @{HOME} r, # ???
+ /usr/lib/dovecot/pop3 mr,
+ 
+ # Site-specific additions and overrides. See local/README for details.
+diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login
+--- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-01 19:26:54.614068901 +0100
+@@ -1,6 +1,17 @@
+-# Author: Kees Cook
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009-2011 Canonical Ltd.
++# Copyright (C) 2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
++
+ /usr/lib/dovecot/pop3-login {
+ #include
+ #include
+diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
+--- profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:43:37.000000000 +0100
++++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:01:14.209513153 +0100
+@@ -1,6 +1,18 @@
+-# Author: Kees Cook
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2009-2013 Canonical Ltd.
++# Copyright (C) 2011-2013 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
+ 
+ #include
++#include
++
+ /usr/sbin/dovecot {
+ #include
+ #include
+@@ -9,29 +21,42 @@
+ #include
+ 
+ capability chown,
++ capability dac_override,
++ capability fsetid,
++ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+- capability fsetid,
++
++
++
++ @{DOVECOT_MAILSTORE}/ rw,
++ @{DOVECOT_MAILSTORE}/** rwkl,
+ 
+ /etc/dovecot/** r,
+ /etc/mtab r,
+ /etc/lsb-release r,
+ /etc/SuSE-release r,
+ @{PROC}/[0-9]*/mounts r,
++ /usr/bin/doveconf rix,
++ /usr/lib/dovecot/anvil Px,
++ /usr/lib/dovecot/auth Px,
++ /usr/lib/dovecot/config Px,
+ /usr/lib/dovecot/dovecot-auth Pxmr,
+ /usr/lib/dovecot/imap Pxmr,
+ /usr/lib/dovecot/imap-login Pxmr,
++ /usr/lib/dovecot/log Px,
++ /usr/lib/dovecot/managesieve Px,
++ /usr/lib/dovecot/managesieve-login Pxmr,
+ /usr/lib/dovecot/pop3 Px,
+ /usr/lib/dovecot/pop3-login Pxmr,
+- # temporarily commented out while testing
+- #/usr/lib/dovecot/managesieve Px,
+- /usr/lib/dovecot/managesieve-login Pxmr,
+- /usr/lib/dovecot/ssl-build-param ixr,
+- /usr/sbin/dovecot mr,
++ /usr/lib/dovecot/ssl-build-param rix,
++ /usr/lib/dovecot/ssl-params Px,
++ /usr/sbin/dovecot mrix,
+ /var/lib/dovecot/ w,
+- /var/lib/dovecot/* krw,
++ /var/lib/dovecot/* rwkl,
++ /var/spool/postfix/private/* w,
+ /{,var/}run/dovecot/ rw,
+ /{,var/}run/dovecot/** rw,
+ link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
+
diff --git a/apparmor-profiles-samba-create-dirs.diff b/apparmor-profiles-samba-create-dirs.diff
new file mode 100644
index 0000000..e3b1adc
--- /dev/null
+++ b/apparmor-profiles-samba-create-dirs.diff
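Review bot: `/var/spool/postfix/private/* w,` in the usr.sbin.dovecot hunk lets the master process create or write every socket in Postfix's private directory, which is wider than the one `unix_listener` dovecot.conf creates for SASL (commonly `/var/spool/postfix/private/auth`, per the postfix SASL_README the deliver profile already links to); narrow it to that path, `/var/spool/postfix/private/auth w,`, and leave extra listeners to local/. The same diff ships `@{HOME} r, # ???` in deliver/imap/pop3 and `/etc/dovecot/dovecot-postfix.conf r, # ???` in deliver — an unresolved reviewer marker in a distributed profile should become either a reason (`# stat of the home dir after setuid to the mail user`) or a removal. The new `capability dac_override,` and `capability kill,` for the master carry no why-comment; `kill` is presumably for signalling the child services on reload/stop, and whether the master itself (rather than config/lmtp, which get it separately) needs dac_override is worth confirming from the denial that prompted it.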
@@ -0,0 +1,16 @@
+=== modified file 'profiles/apparmor.d/abstractions/samba'
+--- profiles/apparmor.d/abstractions/samba 2013-11-20 00:11:01 +0000
++++ profiles/apparmor.d/abstractions/samba 2013-12-23 12:28:06 +0000
+@@ -12,9 +12,11 @@
+ /etc/samba/* r,
+ /usr/share/samba/*.dat r,
+ /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
++ /var/cache/samba/ w,
+ /var/lib/samba/**.tdb rwk,
+ /var/log/samba/cores/ rw,
+ /var/log/samba/cores/** rw,
+ /var/log/samba/log.* w,
++ /{,var/}run/samba/ w,
+ /{,var/}run/samba/*.tdb rw,
+ 
+
diff --git a/apparmor.changes b/apparmor.changes
index ce6e582..94426ce 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Sat Jan 4 12:04:25 UTC 2014 - opensuse@cboltz.de
+
+- add apparmor-profiles-samba-create-dirs.diff to allow samba to
+ mkdir /var/run/samba and /var/cache/samba (bnc#856651)
+- add abstractions/samba to usr.sbin.winbindd profile
+- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131)
+
+- update dovecot profiles to support dovecot 2.x, and add profiles for
+ the parts of dovecot that were not covered yet (bnc#851984)
+ NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
+ (apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*)
+
+- %restart_on_update (in parser %postun) is "translated" to stop/start by
+ the systemd wrapper, which removes AppArmor protection from running
+ processes. Fixed by using a custom script instead (bnc#853019)
+ NOTE: The %postun from the previously installed apparmor-parser package
+ will remove AppArmor protection from running processes a last time.
+ Run aa-status to get a list of processes you need to restart, or reboot
+ your computer.
+- reload profiles in %post of the apparmor-profiles package
+
 -------------------------------------------------------------------
 Mon Nov 25 23:44:40 UTC 2013 - opensuse@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index c1ac736..3bcba7a 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apparmor
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -79,6 +79,18 @@ Source7: rpmlintrc
 # profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
 Source10: usr.sbin.winbindd
+# profiles for dovecot 2.x (bnc#851984)
+Source20: usr.lib.dovecot.anvil
+Source21: usr.lib.dovecot.auth
+Source22: usr.lib.dovecot.config
+Source23: usr.lib.dovecot.dict
+Source24: usr.lib.dovecot.dovecot-lda
+Source25: usr.lib.dovecot.lmtp
+Source26: usr.lib.dovecot.log
+Source27: usr.lib.dovecot.managesieve
+Source28: usr.lib.dovecot.ssl-params
+Source29: tunables-dovecot
+
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1: apparmor-enable-profile-cache.diff
@@ -98,7 +110,7 @@ Patch5: apparmor-utils-string-split
 Patch6: apparmor-init.py-gsoc.diff
 # fix some (mis)translations in utils/po/de.po (upstream trunk r2186, 2.8 r2091)
-Patch7: apparmor-utils-po-de-r2091.diff
+Patch7: apparmor-utils-po-de-r2091.diff
 # fix ntpd after configuration change (commited upstream trunk r2188, 2.8 r2092)
 Patch8: apparmor-2.8.2-fix-ntpd-profile.diff
@@ -124,6 +136,12 @@ Patch14: apparmor-profiles-ntpd-r2103.diff
 # abstractions/ssl_certs - add /var/lib/ca-certificates/ - bnc#852018 - commited upstream trunk r2255, 2.8 branch r2105
 Patch15: apparmor-abstractions-ssl_certs.diff
+# abstractions/samba - allow mkdir /var/run/samba and /var/cache/samba - bnc#856651 - commited upstream trunk r2293, 2.8 branch r2106
+Patch16: apparmor-profiles-samba-create-dirs.diff
+
+# update dovecot profiles for dovecot 2.x (bnc#851984, not upstreamed yet)
+Patch17: apparmor-profiles-dovecot-bnc851984.diff
+
 # create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
 Patch21: apparmor-utils-subdomain-compat
@@ -500,6 +518,8 @@ SubDomain.
 %patch13
 %patch14
 %patch15
+%patch16
+%patch17
 # only create Immunix::SubDomain perl module for openSUSE <= 12.1
 %if 0%{?suse_version}
@@ -517,6 +537,11 @@ SubDomain.
 test ! -e profiles/apparmor.d/usr.sbin.winbindd
 cp %{SOURCE10} profiles/apparmor.d/
+# profiles for dovecot 2.x (bnc#851984)
+test ! -e profiles/apparmor.d/tunables/dovecot
+cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/
+cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot
+
 %build
 echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch}
 # test if _libdir breaks it or if it's broken by default on <= 12.1
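Review bot: In the `@@ -517,6 +537,11 @@` hunk the guard `test ! -e profiles/apparmor.d/tunables/dovecot` only covers the tunable, so the following `cp %{SOURCE20} … %{SOURCE28} profiles/apparmor.d/` will silently overwrite an upstream profile as soon as a future tarball ships any usr.lib.dovecot.{anvil,auth,config,dict,dovecot-lda,lmtp,log,managesieve,ssl-params} — exactly the divergence the `test ! -e … usr.sbin.winbindd` line two lines above exists to catch. Check every target before copying, e.g. `for f in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28}; do test ! -e profiles/apparmor.d/$(basename $f); done` placed before the `cp`. A one-line comment saying the build is meant to fail here when upstream catches up would spare the next packager a puzzled look.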
@@ -925,10 +950,31 @@ fi
 %postun parser
 %if %{distro} == "suse"
- %restart_on_update boot.apparmor
+ #restart_on_update boot.apparmor - but non-broken (bnc#853019)
+ test -n "$FIRST_ARG" || FIRST_ARG=$1
+ if test "$FIRST_ARG" -ge 1 ; then
+ if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
+ test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
+ fi
+ fi
+
 %{insserv_cleanup} || true
 %endif
+%post profiles
+%if %{distro} == "suse"
+ #restart_on_update boot.apparmor - but non-broken (bnc#853019)
+ # (copy&paste from parser postun script)
+ test -n "$FIRST_ARG" || FIRST_ARG=$1
+ if test "$FIRST_ARG" -ge 1 ; then
+ if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
+ test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
+ fi
+ fi
+%endif
+
 %post -n libapparmor1 -p /sbin/ldconfig
 %postun -n libapparmor1 -p /sbin/ldconfig
diff --git a/tunables-dovecot b/tunables-dovecot
new file mode 100644
index 0000000..05feee8
--- /dev/null
+++ b/tunables-dovecot
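Review bot: The reload block added to `%postun parser` is pasted verbatim into the new `%post profiles` (the comment admits it), so the next fix to the `$YAST_IS_RUNNING`/`$DISABLE_RESTART_ON_UPDATE` conditions or to the `boot.apparmor status && reload` line has to be made twice and will drift. Define it once near the top of the spec as a multi-line macro with `\` continuations — e.g. `%define aa_reload_profiles …` — and expand that macro in both scriptlets. Separately, `/etc/init.d/boot.apparmor reload` is called directly rather than through systemctl; the changelog says this is deliberate because the systemd wrapper turns a restart into stop/start and drops confinement, so the `#restart_on_update` comment should state that reason explicitly, e.g. `# call the init script directly: the systemd wrapper maps %restart_on_update to stop/start, which unconfines running processes (bnc#853019)`.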
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:ft=apparmor
+
+# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
+# where dovecot is allowed to store and read mails
+#
+# The default value is quite broad to avoid breaking existing setups.
+# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
+# you use, and remove everything else.
+
+@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
+
diff --git a/usr.lib.dovecot.anvil b/usr.lib.dovecot.anvil
new file mode 100644
index 0000000..8cfaf69
--- /dev/null
+++ b/usr.lib.dovecot.anvil
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/anvil {
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/anvil mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
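Review bot: The tunables-dovecot comment tells the admin to keep "the directory you use" but does not say what an entry must look like or what the profiles do with it — every dovecot profile in this change appends `/` and `/**` to `@{DOVECOT_MAILSTORE}` and grants `rw` on the directory and `rwkl` below it, so each entry has to be an absolute directory path and several may be listed. Add that to the header, e.g. `# Each entry must be an absolute directory. The profiles grant rw on the` / `# directory itself and rwkl (read/write/lock/link) on everything below it.` It is also worth spelling out that the three `@{HOME}/…` defaults expand through tunables/home to every local user's home directory, so with the shipped value each dovecot worker profile can read, write and link under every user's Maildir/mail/Mail; admins running a virtual-user setup should reduce the list to `/var/vmail/` (or their equivalent) as the comment already hints, and the comment should name that as the typical outcome.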
@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/auth {
+ #include
+ #include
+ #include
+ #include
+
+ deny capability block_suspend,
+
+ capability audit_write,
+ capability setgid,
+ capability setuid,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-sql.conf.ext r,
+ /usr/lib/dovecot/auth mr,
+
+ # kerberos replay cache
+ /var/tmp/imap_* rw,
+ /var/tmp/pop_* rw,
+ /var/tmp/sieve_* rw,
+ /var/tmp/smtp_* rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.config b/usr.lib.dovecot.config
new file mode 100644
index 0000000..f868e30
--- /dev/null
+++ b/usr.lib.dovecot.config
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/config {
+ #include
+ #include
+ #include
+
+ deny capability block_suspend,
+
+ capability dac_override,
+ capability setgid,
+
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.dict b/usr.lib.dovecot.dict
new file mode 100644
index 0000000..d97f582
--- /dev/null
+++ b/usr.lib.dovecot.dict
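Review bot: `capability dac_override,` in the new usr.lib.dovecot.config profile has no explanation, and together with `/etc/dovecot/** r,` it lets the config helper open any file under /etc/dovecot regardless of owner or mode — presumably so it can read root-only `*.ext` password/SQL includes or TLS keys, but that reason should be in the profile: `# dac_override: read root-only includes (*.ext password files, ssl keys) under /etc/dovecot`. The `/usr/lib/dovecot/managesieve Px,` rule is surprising for a config-parsing helper; if it was lifted from an audit log entry, confirm that the exec really originates from the config process and is not a mis-attributed transition before it ships. The `/var/tmp/{imap,pop,sieve,smtp}_* rw,` block in usr.lib.dovecot.auth is fine as far as it goes, but a one-line comment that these are the GSSAPI replay-cache files and why they live in a world-writable directory would help the next reader decide whether the rule is still needed.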
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/dict {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+
+ /etc/dovecot/dovecot-database.conf.ext r,
+ /etc/dovecot/dovecot-dict-sql.conf.ext r,
+ /etc/nsswitch.conf r,
+ /etc/services r,
+ /usr/lib/dovecot/dict mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.dovecot-lda b/usr.lib.dovecot.dovecot-lda
new file mode 100644
index 0000000..ac8ade3
--- /dev/null
+++ b/usr.lib.dovecot.dovecot-lda
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/dovecot-lda {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/dovecot/** r,
+ /proc/*/mounts r,
+ /{var/,}run/dovecot/mounts r,
+ /usr/bin/doveconf mrix,
+ /usr/lib/dovecot/dovecot-lda mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp
new file mode 100644
index 0000000..e5a6ea4
--- /dev/null
+++ b/usr.lib.dovecot.lmtp
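Review bot: usr.lib.dovecot.dict grants `network inet stream,` only, so a SQL or proxy backend named in dovecot-dict-sql.conf.ext that resolves to an IPv6 address will be denied at connect time with nothing in the profile hinting why; either add `network inet6 stream,` alongside it or comment that the backend is deliberately IPv4-only. The profile also reads `/etc/nsswitch.conf` and `/etc/services` by hand while already including what looks like a nameservice abstraction (the include names were lost in this rendering) — if that abstraction is present, the two explicit rules are redundant and can go.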
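Review bot: usr.lib.dovecot.dovecot-lda uses the raw path `/proc/*/mounts r,` while the usr.sbin.dovecot hunk in the same change spells the identical access as `@{PROC}/[0-9]*/mounts r,`; use the tunable form here too so the rule follows a relocated procfs and only matches pid directories, `@{PROC}/[0-9]*/mounts r,`. The LDA gives itself and doveconf `mrix`, which keeps any re-exec inside this profile — acceptable, but since the LDA is invoked with the recipient's uid (`capability setuid`/`setgid` above) a why-comment on `/etc/dovecot/** r,` is warranted: it implies every delivery process can read the SQL/passdb `.ext` files, which is only safe if their file modes already restrict them.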
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+#include
+
+/usr/lib/dovecot/lmtp {
+ #include
+
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ /etc/resolv.conf r,
+ /usr/lib/dovecot/lmtp mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.log b/usr.lib.dovecot.log
new file mode 100644
index 0000000..c60b7e9
--- /dev/null
+++ b/usr.lib.dovecot.log
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/log {
+ #include
+
+ deny capability block_suspend,
+
+ capability setgid,
+
+ /usr/lib/dovecot/log mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.managesieve b/usr.lib.dovecot.managesieve
new file mode 100644
index 0000000..a0e6142
--- /dev/null
+++ b/usr.lib.dovecot.managesieve
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/managesieve {
+ #include
+
+ /etc/dovecot/** r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/managesieve mrix,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.lib.dovecot.ssl-params b/usr.lib.dovecot.ssl-params
new file mode 100644
index 0000000..62d9d85
--- /dev/null
+++ b/usr.lib.dovecot.ssl-params
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include
+
+/usr/lib/dovecot/ssl-params {
+ #include
+
+ deny capability block_suspend,
+
+ capability setgid,
+
+ /usr/lib/dovecot/ssl-params mr,
+ /var/lib/dovecot/ssl-parameters.dat rw,
+ /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd
index fb48514..903da3c 100644
--- a/usr.sbin.winbindd
+++ b/usr.sbin.winbindd
@@ -3,9 +3,13 @@
 /usr/sbin/winbindd {
 #include
 #include
+ #include
 deny capability block_suspend,
+ capability ipc_lock,
+ capability setuid,
+
 /etc/samba/dhcp.conf r,
 /etc/samba/passdb.tdb rwk,
 /etc/samba/secrets.tdb rwk,
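Review bot: The new usr.lib.dovecot.managesieve profile has no rules for user data at all — no `#include <tunables/dovecot>`, no `@{DOVECOT_MAILSTORE}` rules and no path for the directory the sieve scripts are stored in — so the first PUTSCRIPT/SETACTIVE will fail with a denial unless the admin has already patched it in via local/. Unlike imap and pop3 in the same change, which get `@{DOVECOT_MAILSTORE}/ rw,` and `@{DOVECOT_MAILSTORE}/** rwkl,`, this one only reads /etc/dovecot and execs doveconf; mirror those two mailstore rules here (the script directory is typically under the user's home or mail location, so it may also need its own tunable), or add a comment explaining why managesieve is intentionally left without them. The `deny capability block_suspend,` pattern used in the sibling profiles is absent here too — if it is meant to silence the same log noise, keep the profiles consistent.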
@@ -20,10 +24,9 @@
 /var/cache/samba/*.tdb rwk,
 /var/cache/samba/netsamlogon_cache.tdb rw,
- /var/lib/samba/smb_krb5/krb5.conf.* w,
+ /var/lib/samba/smb_krb5/krb5.conf.* rw,
 /var/lib/samba/smb_tmp_krb5.* rw,
 /var/lib/samba/**.tdb rwk,
- /var/log/samba/log.winbindd-dc-connect a,
 /var/lib/samba/winbindd_cache.tdb* rwk,
 /var/lib/samba/winbindd_privileged/pipe w,
@@ -33,6 +36,7 @@
 /var/log/samba/log.wb-* w,
 /var/log/samba/log.winbindd rw,
 /var/log/samba/log.winbindd-idmap w,
+ /var/log/samba/log.winbindd-dc-connect a,
 /{var/,}run/samba/winbindd.pid rwk,
 /{var/,}run/samba/winbindd/ rw,
 /{var/,}run/samba/winbindd/pipe w,