07a11c242d
- add apparmor-profiles-samba-create-dirs.diff to allow samba to mkdir /var/run/samba and /var/cache/samba (bnc#856651) - add abstractions/samba to usr.sbin.winbindd profile - add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131) - update dovecot profiles to support dovecot 2.x, and add profiles for the parts of dovecot that were not covered yet (bnc#851984) NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs. - %restart_on_update (in parser %postun) is "translated" to stop/start by the systemd wrapper, which removes AppArmor protection from running processes. Fixed by using a custom script instead (bnc#853019) NOTE: The %postun from the previously installed apparmor-parser package will remove AppArmor protection from running processes a last time. Run aa-status to get a list of processes you need to restart, or reboot your computer. - reload profiles in %post of the apparmor-profiles package OBS-URL: https://build.opensuse.org/request/show/212635 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=69
diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
|
|
--- profiles/apparmor.d/usr.lib.dovecot.deliver 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-01 19:22:33.468445136 +0100
|
|
@@ -1,6 +1,19 @@
|
|
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
|
|
+# Copyright (C) 2009-2012 Canonical Ltd.
|
|
+# Copyright (C) 2011-2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
+#include <tunables/dovecot>
|
|
+
|
|
/usr/lib/dovecot/deliver {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
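Review bot: The new `#include <tunables/dovecot>` makes every mail-access rule in this profile depend on `@{DOVECOT_MAILSTORE}`, but the tunables file itself is not part of this diff, so its default value cannot be checked here; if the file is absent apparmor_parser rejects the profile, and if the variable is set wider than the real mail_location the `rwkl` grants in the next hunk widen with it. Since the commit message asks admins to adjust the tunable, a pointer in the profile would help, e.g. `# Mail access is governed by @{DOVECOT_MAILSTORE} (tunables/dovecot); set it to your mail_location`. The same applies to the matching include hunks in usr.lib.dovecot.imap, usr.lib.dovecot.pop3 and usr.sbin.dovecot.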
|
|
@@ -8,20 +21,16 @@
|
|
capability setgid,
|
|
capability setuid,
|
|
|
|
+ @{DOVECOT_MAILSTORE}/ rw,
|
|
+ @{DOVECOT_MAILSTORE}/** rwkl,
|
|
+
|
|
# http://www.postfix.org/SASL_README.html#server_dovecot
|
|
/etc/dovecot/dovecot.conf r,
|
|
/etc/dovecot/{auth,conf}.d/*.conf r,
|
|
- /etc/dovecot/dovecot-postfix.conf r,
|
|
+ /etc/dovecot/dovecot-postfix.conf r, # ???
|
|
|
|
- @{HOME} r,
|
|
- @{HOME}/Maildir/ rw,
|
|
- @{HOME}/Maildir/** klrw,
|
|
- @{HOME}/mail/ rw,
|
|
- @{HOME}/mail/* klrw,
|
|
- @{HOME}/mail/.imap/** klrw,
|
|
+ @{HOME} r, # ???
|
|
/usr/lib/dovecot/deliver mr,
|
|
- /var/mail/* klrw,
|
|
- /var/spool/mail/* klrw,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/usr.lib.dovecot.deliver>
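Review bot: The two `# ???` markers on `/etc/dovecot/dovecot-postfix.conf r,` and `@{HOME} r,` leave open questions in a shipped profile; a reader cannot tell whether the rules are still needed, and `@{HOME} r,` is the one mail-related rule that survives outside the mailstore tunable. Either drop the rules or replace the marker with the observed reason, in the form `@{HOME} r, # needed because <observed denial>`. The removed `/var/mail/*` and `/var/spool/mail/*` rules are presumably expected to come from `@{DOVECOT_MAILSTORE}` now; if the tunable's default does not include them, mbox delivery is denied after the update, which is worth verifying. The same `# ???` marker is added in usr.lib.dovecot.imap and usr.lib.dovecot.pop3.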
|
|
diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth
|
|
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-01 19:18:33.183586607 +0100
|
|
@@ -1,6 +1,17 @@
|
|
-# Author: Kees Cook <kees@ubuntu.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009-2013 Canonical Ltd.
|
|
+# Copyright (C) 2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
+
|
|
/usr/lib/dovecot/dovecot-auth {
|
|
#include <abstractions/authentication>
|
|
#include <abstractions/base>
|
|
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
|
|
--- profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2013-12-30 21:59:34.990459644 +0100
|
|
@@ -1,6 +1,18 @@
|
|
-# Author: Kees Cook <kees@ubuntu.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009-2010 Canonical Ltd.
|
|
+# Copyright (C) 2011-2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
+#include <tunables/dovecot>
|
|
+
|
|
/usr/lib/dovecot/imap {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
@@ -8,18 +20,11 @@
|
|
capability setgid,
|
|
capability setuid,
|
|
|
|
- @{HOME} r,
|
|
- @{HOME}/Maildir/ rw,
|
|
- @{HOME}/Maildir/** klrw,
|
|
- @{HOME}/Mail/ rw,
|
|
- @{HOME}/Mail/* klrw,
|
|
- @{HOME}/Mail/.imap/** klrw,
|
|
- @{HOME}/mail/ rw,
|
|
- @{HOME}/mail/* klrw,
|
|
- @{HOME}/mail/.imap/** klrw,
|
|
+ @{DOVECOT_MAILSTORE}/ rw,
|
|
+ @{DOVECOT_MAILSTORE}/** rwkl,
|
|
+
|
|
+ @{HOME} r, # ???
|
|
/usr/lib/dovecot/imap mr,
|
|
- /var/mail/* klrw,
|
|
- /var/spool/mail/* klrw,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/usr.lib.dovecot.imap>
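Review bot: This hunk drops the `@{HOME}/Mail/` layout (capital M) that only the imap profile granted, together with `@{HOME}/Maildir` and `@{HOME}/mail`, and expects all of them to come from `@{DOVECOT_MAILSTORE}`, whose definition is not in this diff. If the tunable's default lists only `Maildir` and `mail`, users with a `Mail` directory lose IMAP access after the update, so the tunable (or a comment here) should name the layouts it replaces, e.g. `# replaces the former @{HOME}/{Maildir,Mail,mail} rules; extend @{DOVECOT_MAILSTORE} in tunables/dovecot for other layouts`.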
|
|
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login
|
|
--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-01 19:21:43.299398259 +0100
|
|
@@ -1,4 +1,14 @@
|
|
-# Author: Kees Cook <kees@ubuntu.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009-2011 Canonical Ltd.
|
|
+# Copyright (C) 2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
/usr/lib/dovecot/imap-login {
|
|
diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login
|
|
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-01 19:21:23.986535007 +0100
|
|
@@ -1,4 +1,15 @@
|
|
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
|
|
+# Copyright (C) 2009-2011 Canonical Ltd.
|
|
+# Copyright (C) 2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
/usr/lib/dovecot/managesieve-login {
|
|
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
|
|
--- profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2013-12-30 22:00:13.820132421 +0100
|
|
@@ -1,6 +1,18 @@
|
|
-# Author: Kees Cook <kees@ubuntu.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009-2010 Canonical Ltd.
|
|
+# Copyright (C) 2011-2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
+#include <tunables/dovecot>
|
|
+
|
|
/usr/lib/dovecot/pop3 {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
@@ -8,13 +20,10 @@
|
|
capability setgid,
|
|
capability setuid,
|
|
|
|
- /var/mail/* klrw,
|
|
- /var/spool/mail/* klrw,
|
|
- @{HOME} r,
|
|
- @{HOME}/mail/* klrw,
|
|
- @{HOME}/mail/.imap/** klrw,
|
|
- @{HOME}/Maildir/ rw,
|
|
- @{HOME}/Maildir/** klrw,
|
|
+ @{DOVECOT_MAILSTORE}/ rw,
|
|
+ @{DOVECOT_MAILSTORE}/** rwkl,
|
|
+
|
|
+ @{HOME} r, # ???
|
|
/usr/lib/dovecot/pop3 mr,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login
|
|
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-01 19:26:54.614068901 +0100
|
|
@@ -1,6 +1,17 @@
|
|
-# Author: Kees Cook <kees@ubuntu.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009-2011 Canonical Ltd.
|
|
+# Copyright (C) 2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
+
|
|
/usr/lib/dovecot/pop3-login {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
|
|
--- profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:43:37.000000000 +0100
|
|
+++ profiles/apparmor.d/usr.sbin.dovecot 2013-12-30 22:01:14.209513153 +0100
|
|
@@ -1,6 +1,18 @@
|
|
-# Author: Kees Cook <kees@ubuntu.com>
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2009-2013 Canonical Ltd.
|
|
+# Copyright (C) 2011-2013 Christian Boltz
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim: ft=apparmor
|
|
|
|
#include <tunables/global>
|
|
+#include <tunables/dovecot>
|
|
+
|
|
/usr/sbin/dovecot {
|
|
#include <abstractions/authentication>
|
|
#include <abstractions/base>
|
|
@@ -9,29 +21,42 @@
|
|
#include <abstractions/ssl_keys>
|
|
|
|
capability chown,
|
|
+ capability dac_override,
|
|
+ capability fsetid,
|
|
+ capability kill,
|
|
capability net_bind_service,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_chroot,
|
|
- capability fsetid,
|
|
+
|
|
+
|
|
+
|
|
+ @{DOVECOT_MAILSTORE}/ rw,
|
|
+ @{DOVECOT_MAILSTORE}/** rwkl,
|
|
|
|
/etc/dovecot/** r,
|
|
/etc/mtab r,
|
|
/etc/lsb-release r,
|
|
/etc/SuSE-release r,
|
|
@{PROC}/[0-9]*/mounts r,
|
|
+ /usr/bin/doveconf rix,
|
|
+ /usr/lib/dovecot/anvil Px,
|
|
+ /usr/lib/dovecot/auth Px,
|
|
+ /usr/lib/dovecot/config Px,
|
|
/usr/lib/dovecot/dovecot-auth Pxmr,
|
|
/usr/lib/dovecot/imap Pxmr,
|
|
/usr/lib/dovecot/imap-login Pxmr,
|
|
+ /usr/lib/dovecot/log Px,
|
|
+ /usr/lib/dovecot/managesieve Px,
|
|
+ /usr/lib/dovecot/managesieve-login Pxmr,
|
|
/usr/lib/dovecot/pop3 Px,
|
|
/usr/lib/dovecot/pop3-login Pxmr,
|
|
- # temporarily commented out while testing
|
|
- #/usr/lib/dovecot/managesieve Px,
|
|
- /usr/lib/dovecot/managesieve-login Pxmr,
|
|
- /usr/lib/dovecot/ssl-build-param ixr,
|
|
- /usr/sbin/dovecot mr,
|
|
+ /usr/lib/dovecot/ssl-build-param rix,
|
|
+ /usr/lib/dovecot/ssl-params Px,
|
|
+ /usr/sbin/dovecot mrix,
|
|
/var/lib/dovecot/ w,
|
|
- /var/lib/dovecot/* krw,
|
|
+ /var/lib/dovecot/* rwkl,
|
|
+ /var/spool/postfix/private/* w,
|
|
/{,var/}run/dovecot/ rw,
|
|
/{,var/}run/dovecot/** rw,
|
|
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
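Review bot: `capability dac_override` and `capability kill` are added without a comment saying which dovecot 2.x operation needs them; combined with `@{DOVECOT_MAILSTORE}/** rwkl` the master process can now bypass file-permission checks on the whole mailstore, so the reason should be recorded, e.g. `capability dac_override, # needed because <operation observed in audit log>`. The new `Px` transitions to `/usr/lib/dovecot/{anvil,auth,config,log,managesieve,ssl-params}` each require a child profile for the target; none of them appears in this diff, and in enforce mode a missing profile makes that exec fail, so confirm those profiles ship in the same package (the commit message says new profiles were added, which I cannot verify here). Minor style: three consecutive blank lines are inserted before the mailstore rules; one is enough.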
|
|
|