From ddc41a170f9078c711085b48f9e0fe5a856a97fdf1d016c1b8d36da16415db9e Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 26 Jan 2014 15:18:37 +0000 Subject: [PATCH] - update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file and supplemental config directory (by develop7) - update apparmor-profiles-dovecot-bnc851984.diff: - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary - add abstractions/mysql - allow execution of some more /usr/lib/dovecot/* binaries - better restrict access to /var/spool/postfix/private/ - update usr.lib.dovecot.auth to allow to read mysql config files - update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp: add abstractions/nameservice instead of allowing more and more files OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=75 --- apparmor-profiles-dovecot-bnc851984.diff | 75 +++++++++++++----------- apparmor.changes | 14 +++++ usr.lib.dovecot.auth | 4 ++ usr.lib.dovecot.dict | 3 +- usr.lib.dovecot.lmtp | 2 +- 5 files changed, 61 insertions(+), 37 deletions(-) diff --git a/apparmor-profiles-dovecot-bnc851984.diff b/apparmor-profiles-dovecot-bnc851984.diff index 3d6e301..b0e34f6 100644 --- a/apparmor-profiles-dovecot-bnc851984.diff +++ b/apparmor-profiles-dovecot-bnc851984.diff @@ -1,6 +1,7 @@ -diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver ---- profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-01 19:22:33.468445136 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.deliver +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.deliver.orig 2012-01-06 17:34:44.000000000 +0100 ++++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-26 15:48:52.227261272 +0100 @@ -1,6 +1,19 @@ -# Author: Dulmandakh Sukhbaatar +# ------------------------------------------------------------------ 
@@ -48,9 +49,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver # Site-specific additions and overrides. See local/README for details. #include -diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth ---- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-01 19:18:33.183586607 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.dovecot-auth +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth.orig 2011-08-27 03:51:03.000000000 +0200 ++++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-26 15:48:52.227261272 +0100 @@ -1,6 +1,17 @@ -# Author: Kees Cook +# ------------------------------------------------------------------ @@ -70,9 +72,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.do /usr/lib/dovecot/dovecot-auth { #include #include -diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap ---- profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 21:59:34.990459644 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.imap +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.imap.orig 2011-08-27 01:12:10.000000000 +0200 ++++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-26 15:48:52.227261272 +0100 @@ -1,6 +1,18 @@ -# Author: Kees Cook +# ------------------------------------------------------------------ 
@@ -116,9 +119,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap # Site-specific additions and overrides. See local/README for details. #include -diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login ---- profiles/apparmor.d/usr.lib.dovecot.imap-login 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-01 19:21:43.299398259 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.imap-login +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.imap-login.orig 2012-04-05 23:51:17.000000000 +0200 ++++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-26 15:48:52.228261212 +0100 @@ -1,4 +1,14 @@ -# Author: Kees Cook +# ------------------------------------------------------------------ @@ -135,9 +139,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap #include /usr/lib/dovecot/imap-login { -diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login ---- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-01 19:21:23.986535007 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig 2011-07-14 14:57:57.000000000 +0200 ++++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-26 15:48:52.228261212 +0100 @@ -1,4 +1,15 @@ -# Author: Dulmandakh Sukhbaatar +# ------------------------------------------------------------------ 
@@ -155,9 +160,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovec #include /usr/lib/dovecot/managesieve-login { -diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3 ---- profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:00:13.820132421 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.pop3 +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.pop3.orig 2011-08-27 01:12:10.000000000 +0200 ++++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-26 15:48:52.228261212 +0100 @@ -1,6 +1,18 @@ -# Author: Kees Cook +# ------------------------------------------------------------------ @@ -196,9 +202,10 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3 /usr/lib/dovecot/pop3 mr, # Site-specific additions and overrides. See local/README for details. -diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login ---- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-01 19:26:54.614068901 +0100 +Index: profiles/apparmor.d/usr.lib.dovecot.pop3-login +=================================================================== +--- profiles/apparmor.d/usr.lib.dovecot.pop3-login.orig 2011-07-14 14:57:57.000000000 +0200 ++++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-26 15:48:52.228261212 +0100 @@ -1,6 +1,17 @@ -# Author: Kees Cook +# ------------------------------------------------------------------ 
@@ -218,10 +225,11 @@ diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3 /usr/lib/dovecot/pop3-login { #include #include -diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot ---- profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:43:37.000000000 +0100 -+++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:01:14.209513153 +0100 -@@ -1,6 +1,18 @@ +Index: profiles/apparmor.d/usr.sbin.dovecot +=================================================================== +--- profiles/apparmor.d/usr.sbin.dovecot.orig 2011-10-12 13:05:00.000000000 +0200 ++++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 16:09:40.262068251 +0100 +@@ -1,37 +1,61 @@ -# Author: Kees Cook +# ------------------------------------------------------------------ +# @@ -236,12 +244,13 @@ diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot +# vim: ft=apparmor #include -+#include + /usr/sbin/dovecot { #include #include -@@ -9,29 +21,42 @@ ++ #include + #include + #include #include capability chown, @@ -253,24 +262,22 @@ diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot capability setuid, capability sys_chroot, - capability fsetid, -+ -+ -+ -+ @{DOVECOT_MAILSTORE}/ rw, -+ @{DOVECOT_MAILSTORE}/** rwkl, /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r, /etc/SuSE-release r, @{PROC}/[0-9]*/mounts r, ++ @{PROC}/filesystems r, + /usr/bin/doveconf rix, + /usr/lib/dovecot/anvil Px, + /usr/lib/dovecot/auth Px, + /usr/lib/dovecot/config Px, ++ /usr/lib/dovecot/dict Px, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, ++ /usr/lib/dovecot/lmtp Px, + /usr/lib/dovecot/log Px, + /usr/lib/dovecot/managesieve Px, + /usr/lib/dovecot/managesieve-login Pxmr, 
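Review bot: The `#include` added inside `/usr/sbin/dovecot {` in the `@@ -236,12 +244,13 @@` hunk (its target is stripped on this page, but the commit message says abstractions/mysql) widens the master process rather than the worker that actually opens the SQL connection; the usr.lib.dovecot.auth hunk later in this commit hand-lists `/etc/my.cnf*` reads for exactly that worker, so the two changes look inverted. The master only reaches `auth` and `dict` through `Px` transitions, and nothing in this hunk shows it touching MySQL itself, so unless an audit denial was observed for the master the abstraction belongs in the auth and dict profiles and this line can go. If the master does need it, a comment above the include such as `# needed by the master itself, not only the auth/dict workers` would stop the next reviewer from removing it. The `-+#include` dropped at the top of the hunk is presumably the tunables include that defined @{DOVECOT_MAILSTORE}; with that variable no longer used by the profile the removal is consistent, but worth confirming no remaining rule still references it.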
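Review bot: In the `@@ -253,24 +262,22 @@` hunk the new `/usr/lib/dovecot/dict Px,` and `/usr/lib/dovecot/lmtp Px,` lines follow the `anvil`/`auth`/`config`/`log` form but not the `Pxmr` form used for `dovecot-auth`, `imap`, `imap-login` and the other `*-login` binaries in the same list; the extra `mr` lets the master map and read those children's binaries itself, which nothing here shows it needs once the child runs under its own profile. Bare `Px` is the tighter form, so the older `Pxmr` rules are the ones worth trimming (or the difference commented) rather than the new lines being extended to match. Keep in mind that `Px` fails closed: exec of `dict` and `lmtp` is denied unless their profiles — updated elsewhere in this commit — are actually loaded, so the profile set has to ship together.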
@@ -287,8 +294,8 @@ diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot /var/lib/dovecot/ w, - /var/lib/dovecot/* krw, + /var/lib/dovecot/* rwkl, -+ /var/spool/postfix/private/* w, ++ /var/spool/postfix/private/auth w, ++ /var/spool/postfix/private/dovecot-lmtp w, /{,var/}run/dovecot/ rw, /{,var/}run/dovecot/** rw, link /{,var/}run/dovecot/** -> /var/lib/dovecot/**, - diff --git a/apparmor.changes b/apparmor.changes index 85b9af0..e4b3b81 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Sun Jan 26 14:46:43 UTC 2014 - opensuse@cboltz.de + +- update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file + and supplemental config directory (by develop7) +- update apparmor-profiles-dovecot-bnc851984.diff: + - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary + - add abstractions/mysql + - allow execution of some more /usr/lib/dovecot/* binaries + - better restrict access to /var/spool/postfix/private/ +- update usr.lib.dovecot.auth to allow to read mysql config files +- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp: + add abstractions/nameservice instead of allowing more and more files + ------------------------------------------------------------------- Sun Jan 19 14:51:33 UTC 2014 - opensuse@cboltz.de diff --git a/usr.lib.dovecot.auth b/usr.lib.dovecot.auth index 7c66179..71ffaf5 100644 --- a/usr.lib.dovecot.auth +++ b/usr.lib.dovecot.auth @@ -23,6 +23,10 @@ capability setgid, capability setuid, + /etc/my.cnf r, + /etc/my.cnf.d/ r, + /etc/my.cnf.d/*.cnf r, + /etc/dovecot/dovecot-database.conf.ext r, /etc/dovecot/dovecot-sql.conf.ext r, /usr/lib/dovecot/auth mr, diff --git a/usr.lib.dovecot.dict b/usr.lib.dovecot.dict index d97f582..bb3b3fe 100644 --- a/usr.lib.dovecot.dict +++ b/usr.lib.dovecot.dict @@ -14,6 +14,7 @@ /usr/lib/dovecot/dict { #include #include + #include capability setgid, capability setuid, 
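Review bot: The replacement rules `/var/spool/postfix/private/auth w,` and `/var/spool/postfix/private/dovecot-lmtp w,` hard-code socket names that are set per site by Dovecot's `unix_listener` entries, so the tightening from `private/*` is the right direction but will fail silently (only an audit-log denial) on any installation that configured a different listener path. A one-line comment would make the coupling explicit: `# postfix-side auth and LMTP sockets; names must match the dovecot unix_listener paths, override in local/ if changed`. The `w` permission should be what is needed to create a path-based unix socket there, so no `rw` is called for.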
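Review bot: The `#include` added to `/usr/lib/dovecot/dict {` in the `@@ -14,6 +14,7 @@` hunk (target stripped on this page; the commit message says abstractions/nameservice) replaces the two explicit reads of `/etc/nsswitch.conf` and `/etc/services` removed in the next hunk with a considerably broader grant — that abstraction typically also carries `network inet`/`inet6` rules and reads of NSS, LDAP and nscd configuration — so the dict worker gains access it did not have before; the usr.lib.dovecot.lmtp hunk at the end of this page does the same for `/etc/resolv.conf`. If these processes need libc name resolution that is the intended use of the abstraction, and a comment recording the reason (e.g. `# nameservice: libc resolver access for the sql dict backend`) would justify the widening; otherwise the two explicit lines were the tighter choice. Both profile bodies start outside their hunks.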
@@ -22,8 +23,6 @@ /etc/dovecot/dovecot-database.conf.ext r, /etc/dovecot/dovecot-dict-sql.conf.ext r, - /etc/nsswitch.conf r, - /etc/services r, /usr/lib/dovecot/dict mr, # Site-specific additions and overrides. See local/README for details. diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp index b5d3df1..7e15040 100644 --- a/usr.lib.dovecot.lmtp +++ b/usr.lib.dovecot.lmtp @@ -14,6 +14,7 @@ /usr/lib/dovecot/lmtp { #include + #include deny capability block_suspend, @@ -24,7 +25,6 @@ @{DOVECOT_MAILSTORE}/ rw, @{DOVECOT_MAILSTORE}/** rwkl, - /etc/resolv.conf r, /proc/*/mounts r, /tmp/dovecot.lmtp.* rw, /usr/lib/dovecot/lmtp mr,