- update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file

and supplemental config directory (by develop7) - update apparmor-profiles-dovecot-bnc851984.diff: - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary - add abstractions/mysql - allow execution of some more /usr/lib/dovecot/* binaries - better restrict access to /var/spool/postfix/private/ - update usr.lib.dovecot.auth to allow to read mysql config files - update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp: add abstractions/nameservice instead of allowing more and more files OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=75
2014-01-26 15:18:37 +00:00 · 2014-01-26 15:18:37 +00:00 · ddc41a170f
commit ddc41a170f
parent 25eca62b0a
5 changed files with 61 additions and 37 deletions
--- a/apparmor-profiles-dovecot-bnc851984.diff
+++ b/apparmor-profiles-dovecot-bnc851984.diff
@ -1,6 +1,7 @@
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
--- profiles/apparmor.d/usr.lib.dovecot.deliver	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.deliver	2014-01-01 19:22:33.468445136 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.deliver
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.deliver.orig	2012-01-06 17:34:44.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.deliver	2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,19 @@
 -# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 +# ------------------------------------------------------------------
@ -48,9 +49,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.deliver>
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth	2014-01-01 19:18:33.183586607 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth.orig	2011-08-27 03:51:03.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth	2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,17 @@
 -# Author: Kees Cook <kees@ubuntu.com>
 +# ------------------------------------------------------------------
@ -70,9 +72,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.do
 /usr/lib/dovecot/dovecot-auth {
   #include <abstractions/authentication>
   #include <abstractions/base>
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
--- profiles/apparmor.d/usr.lib.dovecot.imap	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.imap	2013-12-30 21:59:34.990459644 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.imap
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.imap.orig	2011-08-27 01:12:10.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.imap	2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,18 @@
 -# Author: Kees Cook <kees@ubuntu.com>
 +# ------------------------------------------------------------------
@ -116,9 +119,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.imap>
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login
--- profiles/apparmor.d/usr.lib.dovecot.imap-login	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.imap-login	2014-01-01 19:21:43.299398259 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.imap-login
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.imap-login.orig	2012-04-05 23:51:17.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login	2014-01-26 15:48:52.228261212 +0100
@@ -1,4 +1,14 @@
 -# Author: Kees Cook <kees@ubuntu.com>
 +# ------------------------------------------------------------------
@ -135,9 +139,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap
 
 #include <tunables/global>
 /usr/lib/dovecot/imap-login {
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2014-01-01 19:21:23.986535007 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig	2011-07-14 14:57:57.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2014-01-26 15:48:52.228261212 +0100
@@ -1,4 +1,15 @@
 -# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
 +# ------------------------------------------------------------------
@ -155,9 +160,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovec
 
 #include <tunables/global>
 /usr/lib/dovecot/managesieve-login {
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
--- profiles/apparmor.d/usr.lib.dovecot.pop3	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.pop3	2013-12-30 22:00:13.820132421 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.pop3
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.pop3.orig	2011-08-27 01:12:10.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.pop3	2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,18 @@
 -# Author: Kees Cook <kees@ubuntu.com>
 +# ------------------------------------------------------------------
@ -196,9 +202,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
   /usr/lib/dovecot/pop3 mr,
 
   # Site-specific additions and overrides. See local/README for details.
-diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login	2014-01-01 19:26:54.614068901 +0100
+Index: profiles/apparmor.d/usr.lib.dovecot.pop3-login
+===================================================================
+--- profiles/apparmor.d/usr.lib.dovecot.pop3-login.orig	2011-07-14 14:57:57.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login	2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,17 @@
 -# Author: Kees Cook <kees@ubuntu.com>
 +# ------------------------------------------------------------------
@ -218,10 +225,11 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3
 /usr/lib/dovecot/pop3-login {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
--- profiles/apparmor.d/usr.sbin.dovecot	2013-12-30 22:43:37.000000000 +0100
-+++ profiles/apparmor.d/usr.sbin.dovecot	2013-12-30 22:01:14.209513153 +0100
-@@ -1,6 +1,18 @@
+Index: profiles/apparmor.d/usr.sbin.dovecot
+===================================================================
+--- profiles/apparmor.d/usr.sbin.dovecot.orig	2011-10-12 13:05:00.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.dovecot	2014-01-26 16:09:40.262068251 +0100
+@@ -1,37 +1,61 @@
 -# Author: Kees Cook <kees@ubuntu.com>
 +# ------------------------------------------------------------------
 +#
@ -236,12 +244,13 @@ diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
 +# vim: ft=apparmor
 
 #include <tunables/global>
-+#include <tunables/dovecot>
 +
 /usr/sbin/dovecot {
   #include <abstractions/authentication>
   #include <abstractions/base>
-@@ -9,29 +21,42 @@
+  #include <abstractions/mysql>
+   #include <abstractions/nameservice>
+   #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
 
   capability chown,
@ -253,24 +262,22 @@ diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
   capability setuid,
   capability sys_chroot,
 -  capability fsetid,
-+
-+
-+
-+  @{DOVECOT_MAILSTORE}/ rw,
-+  @{DOVECOT_MAILSTORE}/** rwkl,
 
   /etc/dovecot/** r,
   /etc/mtab r,
   /etc/lsb-release r,
   /etc/SuSE-release r,
   @{PROC}/[0-9]*/mounts r,
+  @{PROC}/filesystems r,
 +  /usr/bin/doveconf rix,
 +  /usr/lib/dovecot/anvil Px,
 +  /usr/lib/dovecot/auth Px,
 +  /usr/lib/dovecot/config Px,
+  /usr/lib/dovecot/dict Px,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
+  /usr/lib/dovecot/lmtp Px,
 +  /usr/lib/dovecot/log Px,
 +  /usr/lib/dovecot/managesieve Px,
 +  /usr/lib/dovecot/managesieve-login Pxmr,
@ -287,8 +294,8 @@ diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
   /var/lib/dovecot/ w,
 -  /var/lib/dovecot/* krw,
 +  /var/lib/dovecot/* rwkl,
-+  /var/spool/postfix/private/* w,
+  /var/spool/postfix/private/auth w,
+  /var/spool/postfix/private/dovecot-lmtp w,
   /{,var/}run/dovecot/ rw,
   /{,var/}run/dovecot/** rw,
   link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
-
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sun Jan 26 14:46:43 UTC 2014 - opensuse@cboltz.de
+
+- update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file
+  and supplemental config directory (by develop7)
+- update apparmor-profiles-dovecot-bnc851984.diff:
+  - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary
+  - add abstractions/mysql 
+  - allow execution of some more /usr/lib/dovecot/* binaries
+  - better restrict access to /var/spool/postfix/private/
+- update usr.lib.dovecot.auth to allow to read mysql config files
+- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp:
+  add abstractions/nameservice instead of allowing more and more files
+
 -------------------------------------------------------------------
 Sun Jan 19 14:51:33 UTC 2014 - opensuse@cboltz.de

--- a/usr.lib.dovecot.auth
+++ b/usr.lib.dovecot.auth
@ -23,6 +23,10 @@
  capability setgid,
  capability setuid,

+  /etc/my.cnf r,
+  /etc/my.cnf.d/ r,
+  /etc/my.cnf.d/*.cnf r,
+
  /etc/dovecot/dovecot-database.conf.ext r,
  /etc/dovecot/dovecot-sql.conf.ext r,
  /usr/lib/dovecot/auth mr,
--- a/usr.lib.dovecot.dict
+++ b/usr.lib.dovecot.dict
@ -14,6 +14,7 @@
 /usr/lib/dovecot/dict {
  #include <abstractions/base>
  #include <abstractions/mysql>
+  #include <abstractions/nameservice>

  capability setgid,
  capability setuid,
@ -22,8 +23,6 @@

  /etc/dovecot/dovecot-database.conf.ext r,
  /etc/dovecot/dovecot-dict-sql.conf.ext r,
-  /etc/nsswitch.conf r,
-  /etc/services r,
  /usr/lib/dovecot/dict mr,

  # Site-specific additions and overrides. See local/README for details.
--- a/usr.lib.dovecot.lmtp
+++ b/usr.lib.dovecot.lmtp
@ -14,6 +14,7 @@

 /usr/lib/dovecot/lmtp {
  #include <abstractions/base>
+  #include <abstractions/nameservice>

  deny capability block_suspend,

@ -24,7 +25,6 @@
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

-  /etc/resolv.conf r,
  /proc/*/mounts r,
  /tmp/dovecot.lmtp.* rw,
  /usr/lib/dovecot/lmtp mr,