# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2020 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor

abi <abi/3.0>,

include <tunables/global>
include <tunables/dovecot>

profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/dovecot-common>

  capability setuid,

  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  /etc/dovecot/** r,
  @{PROC}/*/mounts r,
  owner /tmp/dovecot.lda.* rw,
  @{run}/dovecot/mounts r,
  @{run}/dovecot/auth-userdb rw,
  /usr/bin/doveconf mrix,
  /usr/lib/dovecot/dovecot-lda mrix,
  /usr/{bin,sbin}/sendmail Cx -> sendmail,
  /usr/share/dovecot/protocols.d/ r,
  /usr/share/dovecot/protocols.d/** r,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.lib.dovecot.dovecot-lda>


  profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
    # this profile is based on the usr.sbin.sendmail profile in extras
    # and should support both postfix' and sendmail's sendmail binary

    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/user-tmp>
    include <abstractions/postfix-common>
    include <abstractions/hosts_access>

    capability sys_ptrace,

    /etc/aliases rw,     # newaliases is a symlink to sendmail, so it's
    /etc/aliases.db rw,  # actually the same binary
    /etc/fstab r,
    /etc/mail/* r,
    /etc/mail/statistics rw,
    /etc/mtab r,
    /etc/postfix/aliases r,
    /etc/postfix/aliases.db rw,  # newaliases again
    /etc/sendmail.cf r,
    /etc/sendmail.cw r,
    /etc/shells r,
    @{PROC}/loadavg r,
    @{PROC}/net/if_inet6 r,
    /root/.forward r,
    /root/dead.letter w,
    /usr/bin/procmail Px,
    /usr/lib/postfix/{bin/,sbin/,}master Px,
    /usr/lib/postfix/{bin/,sbin/,}showq Px,
    /usr/lib/postfix/{bin/,sbin/,}smtpd Px,
    /usr/{bin,sbin}/postalias Px,
    /usr/{bin,sbin}/postdrop Px,
    /usr/{bin,sbin}/postfix Px,
    /usr/{bin,sbin}/postqueue Px,
    /usr/{bin,sbin}/sendmail mrix,
    /usr/{bin,sbin}/sendmail.postfix mrix,
    /usr/{bin,sbin}/sendmail.sendmail mrix,
    @{run}/sendmail.pid rwl,
    @{run}/sm-client.pid rwl,
    @{run}/utmp rw,
    /var/spool/clientmqueue/* rwl,
    /var/spool/mail/* rwl,
    /var/spool/mqueue/* rwl,
    /var/spool/postfix/maildrop/* rwl,
    /var/spool/postfix/public/pickup w,
    /var/spool/postfix/public/qmgr w,
    /var/spool/postfix/public/showq w,
  }
}