From e3fd962e36202f0046d6868d9eaeabe019dbc137 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Mon, 18 Feb 2019 09:53:39 -0500
Subject: [PATCH] dovecot: restrict access by owner to the dovecot/config socket
Being able to read the config means accessing ssl_key data so should only be restricted to root https://wiki.dovecot.org/Services#config
Signed-off-by: Simon Deziel
---
 profiles/apparmor.d/abstractions/dovecot-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/abstractions/dovecot-common b/profiles/apparmor.d/abstractions/dovecot-common
index b8be97314..724e44465 100644
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -16,7 +16,7 @@
 # dovecot's master can send us signals
 signal receive peer=dovecot,
- /{var/,}run/dovecot/config rw,
+ owner /{var/,}run/dovecot/config rw,
 # Include additions to the abstraction
 #include if exists
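Review bot: The new `owner /{var/,}run/dovecot/config rw,` rule is root-only just as long as the socket itself is owned by root, because `owner` matches the calling process's uid against the file's owner rather than against root as such. That dependency is not recorded next to the rule, and the abstraction is shared by every profile that includes it. I would add a comment above the line, for example `# config socket can expose ssl_key: only the socket's owner (expected to be root) may connect`. If a deployment gives the config listener a different owner, that user's confined processes are allowed and root-run ones are presumably denied. It is therefore worth watching the audit log for AppArmor denials on this path after rollout.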