Merge add Dovecot and other mail related profiles

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/644
Acked-by: John Johansen <john.johansen@canonical.com>

profiles/apparmor.d/usr.lib.dovecot.director

@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+include <tunables/global>
+
+profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/dovecot-common>
+  include <abstractions/nameservice>
+
+  capability setuid,
+  capability sys_chroot,
+
+  /run/dovecot/login/proxy-notify rw,
+  /usr/lib/dovecot/director mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.lib.dovecot.director>
+}

profiles/apparmor.d/usr.lib.dovecot.doveadm-server

@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+include <tunables/global>
+
+profile dovecot-doveadm-server /usr/lib/dovecot/doveadm-server flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/dovecot-common>
+
+  /usr/lib/dovecot/doveadm-server mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.lib.dovecot.doveadm-server>
+}

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -21,7 +21,6 @@ profile dovecot-imap /usr/lib/dovecot/imap {
   include <abstractions/dovecot-common>
 
   capability setuid,
-  deny capability block_suspend,
 
   network unix stream,
 

profiles/apparmor.d/usr.lib.dovecot.replicator

@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2011-2013 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+# for https://wiki.dovecot.org/Replication
+
+include <tunables/dovecot>
+include <tunables/global>
+
+profile dovecot-replicator /usr/lib/dovecot/replicator {
+  include <abstractions/base>
+  include <abstractions/dovecot-common>
+  include <abstractions/nameservice>
+
+  network unix stream,
+
+  /etc/dovecot/conf.d/ r,
+  /etc/dovecot/conf.d/** r,
+  /etc/dovecot/dovecot.conf r,
+  /usr/lib/dovecot/replicator mr,
+  /usr/share/dovecot/** r,
+  /{,var/}run/dovecot/auth-master rw,
+  @{DOVECOT_MAILSTORE}/ rw,
+  @{DOVECOT_MAILSTORE}/** rwlk,
+  /var/lib/dovecot/replicator.db rw,
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.lib.dovecot.replicator>
+}

profiles/apparmor.d/usr.sbin.dovecot

@@ -50,6 +50,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   /usr/lib/dovecot/auth mrPx,
   /usr/lib/dovecot/config mrPx,
   /usr/lib/dovecot/dict mrPx,
+  /usr/lib/dovecot/director mrPx,
+  /usr/lib/dovecot/doveadm-server mrPx,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
@@ -59,6 +61,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   /usr/lib/dovecot/managesieve-login Pxmr,
   /usr/lib/dovecot/pop3 mrPx,
   /usr/lib/dovecot/pop3-login Pxmr,
+  /usr/lib/dovecot/replicator mrPx,
   /usr/lib/dovecot/script-login Px,
   /usr/lib/dovecot/ssl-build-param rix,
   /usr/lib/dovecot/ssl-params mrPx,

profiles/apparmor/profiles/extras/usr.bin.freshclam

@@ -17,6 +17,7 @@ include <tunables/global>
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice>
+  include <abstractions/openssl>
 
   capability setgid,
   capability setuid,
@@ -27,4 +28,5 @@ include <tunables/global>
   /var/lib/clamav/** rw,
   owner /run/clamav/freshclam.pid w,
 
+  include if exists <local/usr.bin.freshclam>
 }

profiles/apparmor/profiles/extras/usr.bin.pyzorsocket

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+include <tunables/global>
+
+profile pyzorsocket /usr/bin/pyzorsocket {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  /usr/bin/ r,
+  /usr/bin/python[2-9]* ix,
+  /usr/bin/pyzorsocket r,
+  include if exists <local/usr.bin.pyzorsocket>
+}

profiles/apparmor/profiles/extras/usr.bin.razorsocket

@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+include <tunables/global>
+
+profile razorsocket /usr/bin/razorsocket {
+  include <abstractions/base>
+  include <abstractions/perl>
+
+  /usr/bin/razorsocket r,
+
+  include if exists <local/usr.bin.razorsocket>
+}

profiles/apparmor/profiles/extras/usr.sbin.clamd

@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+include <tunables/global>
+
+profile clamd /usr/sbin/clamd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/clamd.conf r,
+  /usr/sbin/clamd mr,
+  /var/lib/clamav/ r,
+  /var/lib/clamav/** r,
+  owner /run/clamav/clamd.pid w,
+  owner /run/clamav/clamd-socket rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.clamd>
+}

profiles/apparmor/profiles/extras/usr.sbin.haproxy

@@ -0,0 +1,45 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+include <tunables/global>
+
+profile haproxy /usr/sbin/haproxy {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  capability net_admin,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability kill,
+  capability sys_resource,
+  capability sys_chroot,
+
+  # those are needed for the stats socket creation
+  capability chown,
+  capability fowner,
+  capability fsetid,
+
+  network inet  tcp,
+  network inet6 tcp,
+
+  /etc/haproxy/* r,
+
+  /usr/sbin/haproxy rmix,
+
+  /var/lib/haproxy/stats rwl,
+  /var/lib/haproxy/stats.*.bak rwl,
+  /var/lib/haproxy/stats.*.tmp rwl,
+  /{,var/}run/haproxy.pid rw,
+  /{,var/}run/haproxy-master.sock* rwlk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.sbin.haproxy>
+}