[apparmor] [patch] Add missing permissions to dovecot profiles
Christian Boltz
apparmor at cboltz.de
Mon Oct 3 20:07:17 UTC 2016
Hello,
$subject.
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Note: The bugreport says that the dovecot/lmtp profile also needs
@{HOME}/.dovecot.svbin r,
added, but http://wiki2.dovecot.org/Pigeonhole/Sieve/Usage says that
sieve uses the .svbin extension for all sieve scripts. I'm unsure if
allowing one specific file makes sense, so let's get the easy things
in now, and do a follow-up patch once this is clarified.
I propose this patch for trunk, 2.10 and 2.9.
[ dovecot-profiles-deb835826.diff ]
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:06 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-03 19:35:41 +0000
@@ -38,7 +38,7 @@
/var/tmp/smtp_* rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- /{var/,}run/dovecot/stats-user w,
+ /{var/,}run/dovecot/stats-user rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>
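Review bot: the stats-user rule in this hunk widens from w to rw, but neither a comment nor a quoted denial shows which operation on the file was refused. A short comment above `/{var/,}run/dovecot/stats-user rw,`, or the relevant audit line from Debian bug 835826 in the commit message, would let a later reader confirm that dovecot/auth really needs to read this path.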
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
--- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-03 19:36:06 +0000
@@ -23,6 +23,7 @@
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.config>
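Review bot: `/usr/share/dovecot/** r,` covers everything below the directory but not the directory itself, because `**` needs at least one character after the trailing slash. If dovecot/config also lists /usr/share/dovecot/, add `/usr/share/dovecot/ r,` next to it, the way the imap hunk pairs `/etc/dovecot/conf.d/ r,` with `/etc/dovecot/conf.d/** r,`. If it only opens a known set of files there, a narrower pattern than `**` would keep the profile tighter.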
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-03 19:39:38 +0000
@@ -25,7 +25,14 @@
@{DOVECOT_MAILSTORE}/** rwkl,
@{HOME} r, # ???
- /usr/lib/dovecot/imap mr,
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
/{,var/}run/dovecot/auth-master rw,
/{,var/}run/dovecot/mounts r,
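Review bot: `/usr/lib/dovecot/imap mrix,` adds ix on the profile's own binary, yet the description for dovecot/imap only lists ix for doveconf and the reads of /etc/dovecot/ and /usr/share/dovecot/**. Please explain why imap needs to execute itself, or keep `mr`. Two smaller points in the same hunk: the description says "read /etc/dovecot/" while the rules cover only dovecot.conf and conf.d/, so the wording or the rules should be aligned; and with `/usr/bin/doveconf rix,` doveconf inherits this profile, including `@{DOVECOT_MAILSTORE}/** rwkl,`, so it is worth stating that this inheritance is intended.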
Regards,
Christian Boltz
--
To apply it to your example: [...] - or -
We are standing in the middle of Autobahn 7 with our underpants down
anyway, and it makes relatively little difference whether we are also
holding a rubber horn and a flashlight in our hands while a tanker truck
is heading toward us. [Ratti in fontlinge-devel]