From 628b32b79b3111ca7e4290e77127b07cea29096d Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 17 Feb 2019 21:04:27 +0000
Subject: [PATCH] Merge branch 'dovecot-fixes-no-doveadm' into 'master'
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz for master..2.10
(cherry picked from commit e68beb988adf63c85b2091880c64a5e6ca3c20ca)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
---
 profiles/apparmor.d/usr.lib.dovecot.anvil | 3 +++
 profiles/apparmor.d/usr.lib.dovecot.auth | 5 ++++-
 profiles/apparmor.d/usr.lib.dovecot.lmtp | 1 +
 profiles/apparmor.d/usr.sbin.dovecot | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.anvil b/profiles/apparmor.d/usr.lib.dovecot.anvil
index aba8854e9..5b0fba6b2 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@@ -18,7 +18,10 @@
 capability setuid,
 capability sys_chroot,
+ unix (receive, send) type=stream peer=(label=dovecot),
+ /run/dovecot/anvil rw,
+ /run/dovecot/anvil-auth-penalty rw,
 /usr/lib/dovecot/anvil mr,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index b44441e26..2545ede7f 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -25,6 +25,7 @@
 capability dac_override,
 capability dac_read_search,
 capability setuid,
+ capability sys_chroot,
 /etc/my.cnf r,
 /etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@
 /etc/dovecot/* r,
 /usr/lib/dovecot/auth mr,
+ /var/lib/dovecot/auth-chroot/* r,
 # kerberos replay cache
 /var/tmp/imap_* rw,
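Review bot: The two new socket rules in usr.lib.dovecot.anvil, `/run/dovecot/anvil rw,` and `/run/dovecot/anvil-auth-penalty rw,`, use the bare `/run/` form, while the auth profile in this same patch already spells the very same penalty socket as `/{var/,}run/dovecot/anvil-auth-penalty rw,`. The `{var/,}` alternation is presumably there to cover layouts where the socket directory is reached as /var/run rather than /run, and on such a layout the anvil side would now deny what the auth side allows. I would write `/{var/,}run/dovecot/anvil rw,` and `/{var/,}run/dovecot/anvil-auth-penalty rw,` so both profiles agree. The enclosing profile block starts and ends outside the hunk.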
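Review bot: `capability sys_chroot,` in the first usr.lib.dovecot.auth hunk is granted without any comment saying what the chroot target is; a reader can only infer it from the `/var/lib/dovecot/auth-chroot/* r,` rule added in the following hunk. Because the profile also carries `capability setuid,` two lines up, the chroot is not what bounds these processes — the file rules below remain the effective limit — so recording the intent helps anyone who later widens them. I would add `# chroot the auth processes into /var/lib/dovecot/auth-chroot/ (see the rule below)` directly above the capability line. The enclosing profile block starts and ends outside the hunk.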
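Review bot: `/var/lib/dovecot/auth-chroot/* r,` in the second usr.lib.dovecot.auth hunk matches only entries directly inside the chroot directory; any file in a subdirectory would be denied by `*`, and a chroot tree commonly has nested directories (inferred from the name, not visible here). If read access to the whole tree is intended the rule should be `/var/lib/dovecot/auth-chroot/** r,`; if the one-level scope is deliberate, a comment such as `# auth chroot: top-level files only, subtree access intentionally not granted` would keep the next maintainer from widening it by reflex. Read-only is the right mode either way. The enclosing profile block starts and ends outside the hunk.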
@@ -40,6 +42,7 @@
 /var/tmp/smtp_* rw,
 /run/dovecot/auth-master rw,
+ /run/dovecot/auth-userdb rw,
 /run/dovecot/auth-worker rw,
 /run/dovecot/login/login rw,
 /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@@ -47,7 +50,7 @@
 /{var/,}run/dovecot/stats-user rw,
 /{var/,}run/dovecot/anvil-auth-penalty rw,
- /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/auth rw,
 # Site-specific additions and overrides. See local/README for details.
 #include
diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp
index d30a4cb09..f2b60b8b0 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+ #include
 #include
 capability dac_override,
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 8f130fe31..309c713df 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -33,6 +33,8 @@
 signal send set=(int,quit) peer=/usr/lib/dovecot/*,
+ unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+
 /etc/dovecot/** r,
 /etc/mtab r,
 /etc/lsb-release r,
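Review bot: The widening of `/var/spool/postfix/private/auth w,` to `rw,` carries no comment recording why the auth process must now read a socket it previously only wrote to; the reason is given only in the commit list ("auth processes need to read from postfix auth socket") and will not survive into the installed profile. I would put `# SMTP AUTH socket offered to postfix; dovecot auth reads from it as well as writes` above the rule so the mode is not "tightened" back to `w` as apparent drift. The enclosing profile block starts and ends outside the hunk.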
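Review bot: The new rule in usr.sbin.dovecot pins its peer by path, `peer=(label=/usr/lib/dovecot/anvil)`, whereas the counterpart rule added to usr.lib.dovecot.anvil pins its peer as `peer=(label=dovecot)`; each label must equal the other side's profile name, and neither profile header is visible in these hunks, so renaming either profile would silently break the FD passing in one direction only. A cross-reference comment on each side, e.g. `# must match the profile name used in usr.lib.dovecot.anvil`, would make the pairing explicit. The exact label here is tighter than the `/usr/lib/dovecot/*` glob used by the `signal` rule above and should stay that way. The enclosing profile block starts and ends outside the hunk.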