pool/apparmor
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
apparmor/apparmor-profiles-dovecot-bnc851984.diff
Christian Boltz ddc41a170f - update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file 
and supplemental config directory (by develop7)
- update apparmor-profiles-dovecot-bnc851984.diff:
  - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary
  - add abstractions/mysql 
  - allow execution of some more /usr/lib/dovecot/* binaries
  - better restrict access to /var/spool/postfix/private/
- update usr.lib.dovecot.auth to allow to read mysql config files
- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp:
  add abstractions/nameservice instead of allowing more and more files

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=75
2014-01-26 15:18:37 +00:00

302 lines
11 KiB
Diff
Raw Blame History

Index: profiles/apparmor.d/usr.lib.dovecot.deliver
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.deliver.orig 2012-01-06 17:34:44.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2012 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/deliver {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,20 +21,16 @@
capability setgid,
capability setuid,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
# http://www.postfix.org/SASL_README.html#server_dovecot
/etc/dovecot/dovecot.conf r,
/etc/dovecot/{auth,conf}.d/*.conf r,
- /etc/dovecot/dovecot-postfix.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{HOME} r, # ???
/usr/lib/dovecot/deliver mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.deliver>
Index: profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth.orig 2011-08-27 03:51:03.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/dovecot-auth {
#include <abstractions/authentication>
#include <abstractions/base>
Index: profiles/apparmor.d/usr.lib.dovecot.imap
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.imap.orig 2011-08-27 01:12:10.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/imap {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,18 +20,11 @@
capability setgid,
capability setuid,
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/Mail/ rw,
- @{HOME}/Mail/* klrw,
- @{HOME}/Mail/.imap/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/imap mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
Index: profiles/apparmor.d/usr.lib.dovecot.imap-login
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.imap-login.orig 2012-04-05 23:51:17.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-26 15:48:52.228261212 +0100
@@ -1,4 +1,14 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/imap-login {
Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig 2011-07-14 14:57:57.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-26 15:48:52.228261212 +0100
@@ -1,4 +1,15 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/managesieve-login {
Index: profiles/apparmor.d/usr.lib.dovecot.pop3
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.pop3.orig 2011-08-27 01:12:10.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/pop3 {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,13 +20,10 @@
capability setgid,
capability setuid,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
- @{HOME} r,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
Index: profiles/apparmor.d/usr.lib.dovecot.pop3-login
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login.orig 2011-07-14 14:57:57.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/pop3-login {
#include <abstractions/base>
#include <abstractions/nameservice>
Index: profiles/apparmor.d/usr.sbin.dovecot
===================================================================
--- profiles/apparmor.d/usr.sbin.dovecot.orig 2011-10-12 13:05:00.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 16:09:40.262068251 +0100
@@ -1,37 +1,61 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
+ #include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
capability chown,
+ capability dac_override,
+ capability fsetid,
+ capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
- capability fsetid,
/etc/dovecot/** r,
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/[0-9]*/mounts r,
+ @{PROC}/filesystems r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil Px,
+ /usr/lib/dovecot/auth Px,
+ /usr/lib/dovecot/config Px,
+ /usr/lib/dovecot/dict Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp Px,
+ /usr/lib/dovecot/log Px,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 Px,
/usr/lib/dovecot/pop3-login Pxmr,
- # temporarily commented out while testing
- #/usr/lib/dovecot/managesieve Px,
- /usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/ssl-build-param ixr,
- /usr/sbin/dovecot mr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params Px,
+ /usr/sbin/dovecot mrix,
/var/lib/dovecot/ w,
- /var/lib/dovecot/* krw,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
Reference in New Issue View Git Blame Copy Permalink