File apparmor-profiles-dovecot-bnc851984.diff of Package apparmor.9786

diff -u -p profiles/apparmor.d/usr.lib.dovecot.deliver ./usr.lib.dovecot.deliver
--- profiles/apparmor.d/usr.lib.dovecot.deliver	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.deliver	2014-01-01 19:22:33.468445136 +0100
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+#    Copyright (C) 2009-2012 Canonical Ltd.
+#    Copyright (C) 2011-2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
+#include <tunables/dovecot>
+
 /usr/lib/dovecot/deliver {
   #include <abstractions/base>
   #include <abstractions/nameservice>
@@ -8,20 +21,16 @@
   capability setgid,
   capability setuid,
 
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
   # http://www.postfix.org/SASL_README.html#server_dovecot
   /etc/dovecot/dovecot.conf r,
   /etc/dovecot/{auth,conf}.d/*.conf r,
-  /etc/dovecot/dovecot-postfix.conf r,
+  /etc/dovecot/dovecot-postfix.conf r, # ???
 
-  @{HOME} r,
-  @{HOME}/Maildir/ rw,
-  @{HOME}/Maildir/** klrw,
-  @{HOME}/mail/ rw,
-  @{HOME}/mail/* klrw,
-  @{HOME}/mail/.imap/** klrw,
+  @{HOME} r, # ???
   /usr/lib/dovecot/deliver mr,
-  /var/mail/* klrw,
-  /var/spool/mail/* klrw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.deliver>
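Review bot: The `# ???` markers on `/etc/dovecot/dovecot-postfix.conf r,` and `@{HOME} r,` leave open questions in shipped policy, so a later reader cannot tell whether these grants are required or leftovers. Either drop the rules if testing shows deliver works without them, or replace the marker with the reason, e.g. `@{HOME} r, # needed for <reason>; remove once confirmed unused`. The same `@{HOME} r, # ???` line is added in the second hunks of usr.lib.dovecot.imap and usr.lib.dovecot.pop3.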
diff -u -p profiles/apparmor.d/usr.lib.dovecot.dovecot-auth ./usr.lib.dovecot.dovecot-auth
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth	2014-01-01 19:18:33.183586607 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2013 Canonical Ltd.
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
+
 /usr/lib/dovecot/dovecot-auth {
   #include <abstractions/authentication>
   #include <abstractions/base>
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap ./usr.lib.dovecot.imap
--- profiles/apparmor.d/usr.lib.dovecot.imap	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.imap	2013-12-30 21:59:34.990459644 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2011-2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
+#include <tunables/dovecot>
+
 /usr/lib/dovecot/imap {
   #include <abstractions/base>
   #include <abstractions/nameservice>
@@ -8,18 +20,11 @@
   capability setgid,
   capability setuid,
 
-  @{HOME} r,
-  @{HOME}/Maildir/ rw,
-  @{HOME}/Maildir/** klrw,
-  @{HOME}/Mail/ rw,
-  @{HOME}/Mail/* klrw,
-  @{HOME}/Mail/.imap/** klrw,
-  @{HOME}/mail/ rw,
-  @{HOME}/mail/* klrw,
-  @{HOME}/mail/.imap/** klrw,
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
+  @{HOME} r, # ???
   /usr/lib/dovecot/imap mr,
-  /var/mail/* klrw,
-  /var/spool/mail/* klrw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.imap>
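Review bot: `@{DOVECOT_MAILSTORE}/** rwkl,` makes the whole access decision depend on a tunable that this patch pulls in with `#include <tunables/dovecot>` but does not show, so the effective scope cannot be reviewed from this diff. The removed mbox rules were single-level (`@{HOME}/Mail/* klrw`, `/var/mail/* klrw`) while `**` is recursive, so unless the tunable is defined narrowly this is likely a widening of write, lock and link access. I would add a comment above the rule pair such as `# mail storage; paths come from @{DOVECOT_MAILSTORE} in tunables/dovecot, keep that list minimal`. It is also worth confirming that the tunables file ships in the same package, since a missing include presumably stops the profile from loading. The same rule pair is added in the deliver, pop3 and usr.sbin.dovecot hunks.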
diff -u -p profiles/apparmor.d/usr.lib.dovecot.imap-login ./usr.lib.dovecot.imap-login
--- profiles/apparmor.d/usr.lib.dovecot.imap-login	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login	2014-01-01 19:21:43.299398259 +0100
@@ -1,4 +1,14 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2011 Canonical Ltd.
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
 /usr/lib/dovecot/imap-login {
diff -u -p profiles/apparmor.d/usr.lib.dovecot.managesieve-login ./usr.lib.dovecot.managesieve-login
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login	2014-01-01 19:21:23.986535007 +0100
@@ -1,4 +1,15 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+#    Copyright (C) 2009-2011 Canonical Ltd.
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
 /usr/lib/dovecot/managesieve-login {
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3 ./usr.lib.dovecot.pop3
--- profiles/apparmor.d/usr.lib.dovecot.pop3	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.pop3	2013-12-30 22:00:13.820132421 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2011-2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
+#include <tunables/dovecot>
+
 /usr/lib/dovecot/pop3 {
   #include <abstractions/base>
   #include <abstractions/nameservice>
@@ -8,13 +20,10 @@
   capability setgid,
   capability setuid,
 
-  /var/mail/* klrw,
-  /var/spool/mail/* klrw,
-  @{HOME} r,
-  @{HOME}/mail/* klrw,
-  @{HOME}/mail/.imap/** klrw,
-  @{HOME}/Maildir/ rw,
-  @{HOME}/Maildir/** klrw,
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
+
+  @{HOME} r, # ???
   /usr/lib/dovecot/pop3 mr,
 
   # Site-specific additions and overrides. See local/README for details.
diff -u -p profiles/apparmor.d/usr.lib.dovecot.pop3-login ./usr.lib.dovecot.pop3-login
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login	2014-01-01 19:26:54.614068901 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2011 Canonical Ltd.
+#    Copyright (C) 2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
+
 /usr/lib/dovecot/pop3-login {
   #include <abstractions/base>
   #include <abstractions/nameservice>
diff -u -p profiles/apparmor.d/usr.sbin.dovecot ./usr.sbin.dovecot
--- profiles/apparmor.d/usr.sbin.dovecot	2013-12-30 22:43:37.000000000 +0100
+++ profiles/apparmor.d/usr.sbin.dovecot	2013-12-30 22:01:14.209513153 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2013 Canonical Ltd.
+#    Copyright (C) 2011-2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
 
 #include <tunables/global>
+#include <tunables/dovecot>
+
 /usr/sbin/dovecot {
   #include <abstractions/authentication>
   #include <abstractions/base>
@@ -9,29 +21,42 @@
   #include <abstractions/ssl_keys>
 
   capability chown,
+  capability dac_override,
+  capability fsetid,
+  capability kill,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,
-  capability fsetid,
+
+
+
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwkl,
 
   /etc/dovecot/** r,
   /etc/mtab r,
   /etc/lsb-release r,
   /etc/SuSE-release r,
   @{PROC}/[0-9]*/mounts r,
+  /usr/bin/doveconf rix,
+  /usr/lib/dovecot/anvil Px,
+  /usr/lib/dovecot/auth Px,
+  /usr/lib/dovecot/config Px,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
+  /usr/lib/dovecot/log Px,
+  /usr/lib/dovecot/managesieve Px,
+  /usr/lib/dovecot/managesieve-login Pxmr,
   /usr/lib/dovecot/pop3 Px,
   /usr/lib/dovecot/pop3-login Pxmr,
-  # temporarily commented out while testing
-  #/usr/lib/dovecot/managesieve Px,
-  /usr/lib/dovecot/managesieve-login Pxmr,
-  /usr/lib/dovecot/ssl-build-param ixr,
-  /usr/sbin/dovecot mr,
+  /usr/lib/dovecot/ssl-build-param rix,
+  /usr/lib/dovecot/ssl-params Px,
+  /usr/sbin/dovecot mrix,
   /var/lib/dovecot/ w,
-  /var/lib/dovecot/* krw,
+  /var/lib/dovecot/* rwkl,
+  /var/spool/postfix/private/* w,
   /{,var/}run/dovecot/ rw,
   /{,var/}run/dovecot/** rw,
   link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
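Review bot: `capability dac_override,` and `capability kill,` are added to the master profile with no comment saying which operation needs them, and the same hunk gives the master `@{DOVECOT_MAILSTORE}/** rwkl,`, so a process that may bypass DAC checks now has read/write on every mailbox path the tunable covers. I would document each grant next to the rule, e.g. `capability dac_override, # needed for <operation seen in the audit log>`, and check whether the master needs mailstore access at all or only the imap/pop3/deliver children do. `/var/spool/postfix/private/* w,` could probably be narrowed to the socket names dovecot is configured to create. The new `Px` targets (anvil, auth, config, log, ssl-params, managesieve) presumably need their own profiles loaded for the exec to succeed, and those profiles are not part of this diff.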
