pool/apparmor
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 212803 from security:apparmor

Browse Source 
- add apparmor-profiles-samba-create-dirs.diff to allow samba to
  mkdir /var/run/samba and /var/cache/samba (bnc#856651)
- add abstractions/samba to usr.sbin.winbindd profile
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131)

- update dovecot profiles to support dovecot 2.x, and add profiles for
  the parts of dovecot that were not covered yet (bnc#851984)
  NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
  (apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*)

- %restart_on_update (in parser %postun) is "translated" to stop/start by
  the systemd wrapper, which removes AppArmor protection from running
  processes. Fixed by using a custom script instead (bnc#853019)
  NOTE: The %postun from the previously installed apparmor-parser package
  will remove AppArmor protection from running processes a last time. 
  Run aa-status to get a list of processes you need to restart, or reboot 
  your computer.
- reload profiles in %post of the apparmor-profiles package

OBS-URL: https://build.opensuse.org/request/show/212803
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=61
This commit is contained in:
Stephan Kulow 2014-01-05 10:31:04 +00:00 committed by Git OBS Bridge
commit cbc989077f
15 changed files with 671 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

294
apparmor-profiles-dovecot-bnc851984.diff Normal file
View File

@ -0,0 +1,294 @@
diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
--- profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-01 19:22:33.468445136 +0100
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2012 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/deliver {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,20 +21,16 @@
capability setgid,
capability setuid,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
# http://www.postfix.org/SASL_README.html#server_dovecot
/etc/dovecot/dovecot.conf r,
/etc/dovecot/{auth,conf}.d/*.conf r,
- /etc/dovecot/dovecot-postfix.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{HOME} r, # ???
/usr/lib/dovecot/deliver mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.deliver>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-01 19:18:33.183586607 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/dovecot-auth {
#include <abstractions/authentication>
#include <abstractions/base>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
--- profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 21:59:34.990459644 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/imap {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,18 +20,11 @@
capability setgid,
capability setuid,
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/Mail/ rw,
- @{HOME}/Mail/* klrw,
- @{HOME}/Mail/.imap/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/imap mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login
--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-01 19:21:43.299398259 +0100
@@ -1,4 +1,14 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/imap-login {
diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-01 19:21:23.986535007 +0100
@@ -1,4 +1,15 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/managesieve-login {
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
--- profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:00:13.820132421 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/pop3 {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,13 +20,10 @@
capability setgid,
capability setuid,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
- @{HOME} r,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-01 19:26:54.614068901 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/pop3-login {
#include <abstractions/base>
#include <abstractions/nameservice>
diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
--- profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:01:14.209513153 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
@@ -9,29 +21,42 @@
#include <abstractions/ssl_keys>
capability chown,
+ capability dac_override,
+ capability fsetid,
+ capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
- capability fsetid,
+
+
+
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/[0-9]*/mounts r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil Px,
+ /usr/lib/dovecot/auth Px,
+ /usr/lib/dovecot/config Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/log Px,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 Px,
/usr/lib/dovecot/pop3-login Pxmr,
- # temporarily commented out while testing
- #/usr/lib/dovecot/managesieve Px,
- /usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/ssl-build-param ixr,
- /usr/sbin/dovecot mr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params Px,
+ /usr/sbin/dovecot mrix,
/var/lib/dovecot/ w,
- /var/lib/dovecot/* krw,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/* w,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,

16
apparmor-profiles-samba-create-dirs.diff Normal file
View File

@ -0,0 +1,16 @@
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2013-11-20 00:11:01 +0000
+++ profiles/apparmor.d/abstractions/samba 2013-12-23 12:28:06 +0000
@@ -12,9 +12,11 @@
/etc/samba/* r,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+ /var/cache/samba/ w,
/var/lib/samba/**.tdb rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/log.* w,
+ /{,var/}run/samba/ w,
/{,var/}run/samba/*.tdb rw,

22
apparmor.changes
View File

@ -1,3 +1,25 @@
-------------------------------------------------------------------
Sat Jan 4 12:04:25 UTC 2014 - opensuse@cboltz.de
- add apparmor-profiles-samba-create-dirs.diff to allow samba to
mkdir /var/run/samba and /var/cache/samba (bnc#856651)
- add abstractions/samba to usr.sbin.winbindd profile
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131)
- update dovecot profiles to support dovecot 2.x, and add profiles for
the parts of dovecot that were not covered yet (bnc#851984)
NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
(apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*)
- %restart_on_update (in parser %postun) is "translated" to stop/start by
the systemd wrapper, which removes AppArmor protection from running
processes. Fixed by using a custom script instead (bnc#853019)
NOTE: The %postun from the previously installed apparmor-parser package
will remove AppArmor protection from running processes a last time.
Run aa-status to get a list of processes you need to restart, or reboot
your computer.
- reload profiles in %post of the apparmor-profiles package
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 25 23:44:40 UTC 2013 - opensuse@cboltz.de Mon Nov 25 23:44:40 UTC 2013 - opensuse@cboltz.de

52
apparmor.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package apparmor # spec file for package apparmor
# #
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -79,6 +79,18 @@ Source7: rpmlintrc
# profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078) # profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
Source10: usr.sbin.winbindd Source10: usr.sbin.winbindd
# profiles for dovecot 2.x (bnc#851984)
Source20: usr.lib.dovecot.anvil
Source21: usr.lib.dovecot.auth
Source22: usr.lib.dovecot.config
Source23: usr.lib.dovecot.dict
Source24: usr.lib.dovecot.dovecot-lda
Source25: usr.lib.dovecot.lmtp
Source26: usr.lib.dovecot.log
Source27: usr.lib.dovecot.managesieve
Source28: usr.lib.dovecot.ssl-params
Source29: tunables-dovecot
# enable caching of profiles (= massive performance speedup when loading profiles) # enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff Patch1: apparmor-enable-profile-cache.diff
@ -98,7 +110,7 @@ Patch5: apparmor-utils-string-split
Patch6: apparmor-init.py-gsoc.diff Patch6: apparmor-init.py-gsoc.diff
# fix some (mis)translations in utils/po/de.po (upstream trunk r2186, 2.8 r2091) # fix some (mis)translations in utils/po/de.po (upstream trunk r2186, 2.8 r2091)
Patch7: apparmor-utils-po-de-r2091.diff Patch7: apparmor-utils-po-de-r2091.diff
# fix ntpd after configuration change (commited upstream trunk r2188, 2.8 r2092) # fix ntpd after configuration change (commited upstream trunk r2188, 2.8 r2092)
Patch8: apparmor-2.8.2-fix-ntpd-profile.diff Patch8: apparmor-2.8.2-fix-ntpd-profile.diff
@ -124,6 +136,12 @@ Patch14: apparmor-profiles-ntpd-r2103.diff
# abstractions/ssl_certs - add /var/lib/ca-certificates/ - bnc#852018 - commited upstream trunk r2255, 2.8 branch r2105 # abstractions/ssl_certs - add /var/lib/ca-certificates/ - bnc#852018 - commited upstream trunk r2255, 2.8 branch r2105
Patch15: apparmor-abstractions-ssl_certs.diff Patch15: apparmor-abstractions-ssl_certs.diff
# abstractions/samba - allow mkdir /var/run/samba and /var/cache/samba - bnc#856651 - commited upstream trunk r2293, 2.8 branch r2106
Patch16: apparmor-profiles-samba-create-dirs.diff
# update dovecot profiles for dovecot 2.x (bnc#851984, not upstreamed yet)
Patch17: apparmor-profiles-dovecot-bnc851984.diff
# create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7 # create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
Patch21: apparmor-utils-subdomain-compat Patch21: apparmor-utils-subdomain-compat
@ -500,6 +518,8 @@ SubDomain.
%patch13 %patch13
%patch14 %patch14
%patch15 %patch15
%patch16
%patch17
# only create Immunix::SubDomain perl module for openSUSE <= 12.1 # only create Immunix::SubDomain perl module for openSUSE <= 12.1
%if 0%{?suse_version} %if 0%{?suse_version}
@ -517,6 +537,11 @@ SubDomain.
test ! -e profiles/apparmor.d/usr.sbin.winbindd test ! -e profiles/apparmor.d/usr.sbin.winbindd
cp %{SOURCE10} profiles/apparmor.d/ cp %{SOURCE10} profiles/apparmor.d/
# profiles for dovecot 2.x (bnc#851984)
test ! -e profiles/apparmor.d/tunables/dovecot
cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/
cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot
%build %build
echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
@ -925,10 +950,31 @@ fi
%postun parser %postun parser
%if %{distro} == "suse" %if %{distro} == "suse"
%restart_on_update boot.apparmor #restart_on_update boot.apparmor - but non-broken (bnc#853019)
test -n "$FIRST_ARG" || FIRST_ARG=$1
if test "$FIRST_ARG" -ge 1 ; then
if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
/etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
fi
fi
%{insserv_cleanup} || true %{insserv_cleanup} || true
%endif %endif
%post profiles
%if %{distro} == "suse"
#restart_on_update boot.apparmor - but non-broken (bnc#853019)
# (copy&paste from parser postun script)
test -n "$FIRST_ARG" || FIRST_ARG=$1
if test "$FIRST_ARG" -ge 1 ; then
if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
/etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
fi
fi
%endif
%post -n libapparmor1 -p /sbin/ldconfig %post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig %postun -n libapparmor1 -p /sbin/ldconfig

20
tunables-dovecot Normal file
View File

@ -0,0 +1,20 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:ft=apparmor
# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
# where dovecot is allowed to store and read mails
#
# The default value is quite broad to avoid breaking existing setups.
# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
# you use, and remove everything else.
@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/

25
usr.lib.dovecot.anvil Normal file
View File

@ -0,0 +1,25 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/anvil {
#include <abstractions/base>
capability setgid,
capability setuid,
capability sys_chroot,
/usr/lib/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.anvil>
}

38
usr.lib.dovecot.auth Normal file
View File

@ -0,0 +1,38 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/auth {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
deny capability block_suspend,
capability audit_write,
capability setgid,
capability setuid,
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-sql.conf.ext r,
/usr/lib/dovecot/auth mr,
# kerberos replay cache
/var/tmp/imap_* rw,
/var/tmp/pop_* rw,
/var/tmp/sieve_* rw,
/var/tmp/smtp_* rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>
}

32
usr.lib.dovecot.config Normal file
View File

@ -0,0 +1,32 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/config {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/ssl_keys>
deny capability block_suspend,
capability dac_override,
capability setgid,
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.config>
}

31
usr.lib.dovecot.dict Normal file
View File

@ -0,0 +1,31 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/dict {
#include <abstractions/base>
#include <abstractions/mysql>
capability setgid,
capability setuid,
network inet stream,
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-dict-sql.conf.ext r,
/etc/nsswitch.conf r,
/etc/services r,
/usr/lib/dovecot/dict mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dict>
}

33
usr.lib.dovecot.dovecot-lda Normal file
View File

@ -0,0 +1,33 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/dovecot-lda {
#include <abstractions/base>
#include <abstractions/nameservice>
capability setgid,
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/proc/*/mounts r,
/{var/,}run/dovecot/mounts r,
/usr/bin/doveconf mrix,
/usr/lib/dovecot/dovecot-lda mrix,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dovecot-lda>
}

30
usr.lib.dovecot.lmtp Normal file
View File

@ -0,0 +1,30 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/lmtp {
#include <abstractions/base>
capability dac_override,
capability setgid,
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/resolv.conf r,
/usr/lib/dovecot/lmtp mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.lmtp>
}

25
usr.lib.dovecot.log Normal file
View File

@ -0,0 +1,25 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/log {
#include <abstractions/base>
deny capability block_suspend,
capability setgid,
/usr/lib/dovecot/log mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.log>
}

23
usr.lib.dovecot.managesieve Normal file
View File

@ -0,0 +1,23 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/managesieve {
#include <abstractions/base>
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/managesieve mrix,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.managesieve>
}

27
usr.lib.dovecot.ssl-params Normal file
View File

@ -0,0 +1,27 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/ssl-params {
#include <abstractions/base>
deny capability block_suspend,
capability setgid,
/usr/lib/dovecot/ssl-params mr,
/var/lib/dovecot/ssl-parameters.dat rw,
/var/lib/dovecot/ssl-parameters.dat.tmp rwk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.ssl-params>
}

8
usr.sbin.winbindd
View File

@ -3,9 +3,13 @@
/usr/sbin/winbindd { /usr/sbin/winbindd {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice> #include <abstractions/nameservice>
#include <abstractions/samba>
deny capability block_suspend, deny capability block_suspend,
capability ipc_lock,
capability setuid,
/etc/samba/dhcp.conf r, /etc/samba/dhcp.conf r,
/etc/samba/passdb.tdb rwk, /etc/samba/passdb.tdb rwk,
/etc/samba/secrets.tdb rwk, /etc/samba/secrets.tdb rwk,
@ -20,10 +24,9 @@
/var/cache/samba/*.tdb rwk, /var/cache/samba/*.tdb rwk,
/var/cache/samba/netsamlogon_cache.tdb rw, /var/cache/samba/netsamlogon_cache.tdb rw,
/var/lib/samba/smb_krb5/krb5.conf.* w, /var/lib/samba/smb_krb5/krb5.conf.* rw,
/var/lib/samba/smb_tmp_krb5.* rw, /var/lib/samba/smb_tmp_krb5.* rw,
/var/lib/samba/**.tdb rwk, /var/lib/samba/**.tdb rwk,
/var/log/samba/log.winbindd-dc-connect a,
/var/lib/samba/winbindd_cache.tdb* rwk, /var/lib/samba/winbindd_cache.tdb* rwk,
/var/lib/samba/winbindd_privileged/pipe w, /var/lib/samba/winbindd_privileged/pipe w,
@ -33,6 +36,7 @@
/var/log/samba/log.wb-* w, /var/log/samba/log.wb-* w,
/var/log/samba/log.winbindd rw, /var/log/samba/log.winbindd rw,
/var/log/samba/log.winbindd-idmap w, /var/log/samba/log.winbindd-idmap w,
/var/log/samba/log.winbindd-dc-connect a,
/{var/,}run/samba/winbindd.pid rwk, /{var/,}run/samba/winbindd.pid rwk,
/{var/,}run/samba/winbindd/ rw, /{var/,}run/samba/winbindd/ rw,
/{var/,}run/samba/winbindd/pipe w, /{var/,}run/samba/winbindd/pipe w,