File profile-updates-2.10r3381..3384.diff of Package apparmor
------------------------------------------------------------
revno: 3384
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2017-01-30 20:44:40 +0100
message:
Dovecot profile: change Px to mrPx for /usr/lib/dovecot/*
Some of the /usr/lib/dovecot/* rules already have mrPx permissions,
while others don't.
With a more recent kernel, I noticed that at least auth, config, dict,
lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the
audit.log and actual breakage caused by the missing mr permissions).
The mr additions for anvil, log and managesieve are just a wild guess,
but I would be very surprised if they don't need mr.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3383
fixes bug: https://launchpad.net/bugs/1512131
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2017-01-26 21:42:52 +0100
message:
Dovecot profile update
Add several permissions to the dovecot profiles that are needed on Ubuntu
(surprisingly not on openSUSE, maybe it depends on the dovecot config?)
As discussed some weeks ago, the added permissions use only /run/
instead of /{var/,}run/ (which is hopefully superfluous nowadays).
References: https://bugs.launchpad.net/apparmor/+bug/1512131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3382
fixes bug: https://launchpad.net/bugs/1658239
author: Kees Cook
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2017-01-20 17:22:10 -0800
message:
glibc uses /proc/*/auxv and /proc/*/status files, too
Acked-by: Seth Arnold <seth.arnold@canonical.com>
------------------------------------------------------------
revno: 3381
fixes bug: https://launchpad.net/bugs/1658238
author: Kees Cook
committer: Seth Arnold <seth.arnold@canonical.com>
branch nick: 2.10
timestamp: Fri 2017-01-20 17:19:56 -0800
message:
Apache2 profile updates for proper signal handling, optional saslauth,
and OCSP stapling
Acked-by: Seth Arnold <seth.arnold@canonical.com>
=== modified file 'profiles/apparmor.d/abstractions/apache2-common'
--- profiles/apparmor.d/abstractions/apache2-common 2014-06-24 18:06:06 +0000
+++ profiles/apparmor.d/abstractions/apache2-common 2017-01-21 01:19:56 +0000
@@ -8,6 +8,8 @@
signal (receive) peer=unconfined,
# Allow apache to send us signals by default
signal (receive) peer=/usr/sbin/apache2,
+ # Allow other hats to signal by default
+ signal peer=/usr/sbin/apache2//*,
# Allow us to signal ourselves
signal peer=@{profile_name},
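Review bot: the new rule `signal peer=/usr/sbin/apache2//*,` has no access qualifier, while the existing rule two lines above it, `signal (receive) peer=/usr/sbin/apache2,`, is limited to receive; as written it lets this profile both send and receive any signal to and from every apache2 hat, which is wider than the comment "Allow other hats to signal by default" suggests. If only receiving is intended, write `signal (receive) peer=/usr/sbin/apache2//*,`; if sending is intended as well, say so in the comment so the asymmetry with the parent-profile rule reads as deliberate.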
@@ -25,3 +27,8 @@
/dev/urandom r,
+ # sasl-auth
+ /run/saslauthd/mux rw,
+
+ # OCSP stapling
+ /var/log/apache2/stapling-cache rw,
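Review bot: the commit message describes saslauth as optional, but `/run/saslauthd/mux rw,` lands in abstractions/apache2-common, so every profile and hat that includes this abstraction gets write access to the saslauthd socket whether or not it uses SASL; a comment recording that this is intentional (or, if it is not, moving the rule to the hats that need it) would help. The same goes for `/var/log/apache2/stapling-cache rw,`: a short comment saying which module writes it would make an rw grant under the log directory self-explanatory.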
=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000
+++ profiles/apparmor.d/abstractions/base 2017-01-21 01:22:10 +0000
@@ -92,7 +92,7 @@
/sys/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
- @{PROC}/@{pid}/maps r,
+ @{PROC}/@{pid}/{maps,auxv,status} r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
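Review bot: the comment `# glibc's *printf protections read the maps file` is now stale: the rule became `@{PROC}/@{pid}/{maps,auxv,status} r,` but nothing in the file records why auxv and status were added; only the commit message ("glibc uses /proc/*/auxv and /proc/*/status files, too") does. Since this is abstractions/base and therefore reaches every confined program, update the comment to name all three files and the glibc use that needs them.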
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.anvil'
--- profiles/apparmor.d/usr.lib.dovecot.anvil 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.anvil 2017-01-26 20:42:52 +0000
@@ -18,6 +18,7 @@
capability setuid,
capability sys_chroot,
+ /run/dovecot/anvil rw,
/usr/lib/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details.
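Review bot: `/run/dovecot/anvil rw,` is added here as a plain `/run/` path, while the imap-login profile in this same patch set keeps `/{,var/}run/dovecot/anvil rw,` for the same socket. The commit message explains the decision to use `/run/` only, but a reader of the profile tree now sees two spellings for one path; either convert the surviving `/{,var/}run/` rules in the touched profiles in the same commit or add a one-line comment so the difference is not mistaken for an oversight.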
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-12-27 16:47:24 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2017-01-26 20:42:52 +0000
@@ -37,6 +37,9 @@
/var/tmp/sieve_* rw,
/var/tmp/smtp_* rw,
+ /run/dovecot/auth-master rw,
+ /run/dovecot/auth-worker rw,
+ /run/dovecot/login/login rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
/{var/,}run/dovecot/stats-user rw,
/{var/,}run/dovecot/anvil-auth-penalty rw,
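Review bot: the three added rules sit immediately above existing rules for the same directory written as `/{var/,}run/dovecot/...`, e.g. `/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,`, so this block now mixes two path conventions within one profile. Consider placing the new rules in that existing group and, since all three are sockets under /run/dovecot/, adding a comment saying which dovecot process talks over each (auth-master, auth-worker, login/login); that would document why the auth profile needs write access to a socket under login/.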
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2017-01-26 20:42:52 +0000
@@ -21,6 +21,8 @@
capability setuid,
deny capability block_suspend,
+ network unix stream,
+
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
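Review bot: `network unix stream,` is added without a comment, unlike the apache rules in this patch set, which each say what they are for; the commit message only says the permissions are needed on Ubuntu and apparently not on openSUSE, and gives no hint of which socket produced the denial. A comment naming the socket (or the audit.log line that motivated the rule) would let a later maintainer judge whether a narrower rule is possible instead of keeping the broadest form.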
@@ -33,6 +35,7 @@
/usr/bin/doveconf rix,
/usr/lib/dovecot/imap mrix,
/usr/share/dovecot/** r,
+ /run/dovecot/login/imap rw,
/{,var/}run/dovecot/auth-master rw,
/{,var/}run/dovecot/mounts r,
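Review bot: `/run/dovecot/login/imap rw,` is inserted directly above `/{,var/}run/dovecot/auth-master rw,` and `/{,var/}run/dovecot/mounts r,`, so the next two lines still use the alternation this commit decided to drop; while touching this block, converting those two lines to `/run/` or grouping the new rule with the other socket rules would keep the convention uniform within the profile. If this socket rule and the `network unix stream,` rule added in the first hunk of this file belong to the same connection, a comment saying so would show the two go together.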
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-12-22 16:41:59 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2017-01-26 20:42:52 +0000
@@ -22,6 +22,7 @@
network inet stream,
network inet6 stream,
+ network unix stream,
/usr/lib/dovecot/imap-login mr,
/{,var/}run/dovecot/anvil rw,
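Review bot: `network unix stream,` is placed directly between `network inet6 stream,` and `/usr/lib/dovecot/imap-login mr,` with no separating blank line, whereas the same rule in the imap profile hunk is followed by one; minor, but the profiles in this tree otherwise keep network rules and file rules in separate groups. More importantly this is the network-facing login process, so a comment stating which local socket the unix stream rule is for would help later reviewers judge whether a narrower rule is possible.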
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params'
--- profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2017-01-26 20:42:52 +0000
@@ -15,6 +15,7 @@
#include <abstractions/base>
#include <abstractions/dovecot-common>
+ /run/dovecot/login/ssl-params rw,
/usr/lib/dovecot/ssl-params mr,
/var/lib/dovecot/ssl-parameters.dat rw,
/var/lib/dovecot/ssl-parameters.dat.tmp rwk,
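Review bot: `/run/dovecot/login/ssl-params rw,` is placed between the `#include` lines and `/usr/lib/dovecot/ssl-params mr,`, whereas the other profiles in this commit put socket rules after the binary rule next to the other /run or /var paths; moving it below `/usr/lib/dovecot/ssl-params mr,` keeps the layout consistent. It is also not obvious from the file why the ssl-params generator, whose other rules only touch /var/lib/dovecot/ssl-parameters.dat and its .tmp, needs rw on a socket under login/; a one-line comment would save the next maintainer a trip to the audit log.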
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2016-11-29 20:36:19 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2017-01-30 19:44:40 +0000
@@ -36,21 +36,21 @@
/etc/SuSE-release r,
@{PROC}/@{pid}/mounts r,
/usr/bin/doveconf rix,
- /usr/lib/dovecot/anvil Px,
- /usr/lib/dovecot/auth Px,
- /usr/lib/dovecot/config Px,
- /usr/lib/dovecot/dict Px,
+ /usr/lib/dovecot/anvil mrPx,
+ /usr/lib/dovecot/auth mrPx,
+ /usr/lib/dovecot/config mrPx,
+ /usr/lib/dovecot/dict mrPx,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
- /usr/lib/dovecot/lmtp Px,
- /usr/lib/dovecot/log Px,
- /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/lmtp mrPx,
+ /usr/lib/dovecot/log mrPx,
+ /usr/lib/dovecot/managesieve mrPx,
/usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/pop3 Px,
+ /usr/lib/dovecot/pop3 mrPx,
/usr/lib/dovecot/pop3-login Pxmr,
/usr/lib/dovecot/ssl-build-param rix,
- /usr/lib/dovecot/ssl-params Px,
+ /usr/lib/dovecot/ssl-params mrPx,
/usr/sbin/dovecot mrix,
/usr/share/dovecot/protocols.d/ r,
/usr/share/dovecot/protocols.d/** r,
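Review bot: the commit message says the `mr` additions for anvil, log and managesieve are "just a wild guess"; a comment in the profile, or a follow-up commit once audit.log confirms them, would record which of these lines were actually verified. Separately, the changed lines spell the permission set `mrPx` while the neighbouring unchanged lines, e.g. `/usr/lib/dovecot/dovecot-auth Pxmr,` and `/usr/lib/dovecot/imap Pxmr,`, spell the same set `Pxmr`; the parser accepts either order, but one spelling per file is easier to scan and grep.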