# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2016 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor

#include <tunables/global>
#include <tunables/dovecot>

/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/dovecot-common>

  capability setuid,

  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  /etc/dovecot/** r,
  /proc/*/mounts r,
  owner /tmp/dovecot.lda.* rw,
  /{var/,}run/dovecot/mounts r,
  /run/dovecot/auth-userdb rw,
  /usr/bin/doveconf mrix,
  /usr/lib/dovecot/dovecot-lda mrix,
  /usr/{bin,sbin}/sendmail Cx -> sendmail,
  /usr/share/dovecot/protocols.d/ r,
  /usr/share/dovecot/protocols.d/** r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.dovecot-lda>


  profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
    # this profile is based on the usr.sbin.sendmail profile in extras
    # and should support both postfix' and sendmail's sendmail binary

    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>
    #include <abstractions/postfix-common>

    capability sys_ptrace,

    /etc/aliases rw,     # newaliases is a symlink to sendmail, so it's
    /etc/aliases.db rw,  # actually the same binary
    /etc/fstab r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/mail/* r,
    /etc/mail/statistics rw,
    /etc/mtab r,
    /etc/postfix/aliases r,
    /etc/postfix/aliases.db rw,  # newaliases again
    /etc/sendmail.cf r,
    /etc/sendmail.cw r,
    /etc/shells r,
    /proc/loadavg r,
    /proc/net/if_inet6 r,
    /root/.forward r,
    /root/dead.letter w,
    /usr/bin/procmail Px,
    /usr/lib/postfix/master Px,
    /usr/lib/postfix/showq Px,
    /usr/lib/postfix/smtpd Px,
    /usr/{bin,sbin}/postalias Px,
    /usr/{bin,sbin}/postdrop Px,
    /usr/{bin,sbin}/postfix Px,
    /usr/{bin,sbin}/postqueue Px,
    /usr/{bin,sbin}/sendmail mrix,
    /usr/{bin,sbin}/sendmail.postfix mrix,
    /usr/{bin,sbin}/sendmail.sendmail mrix,
    /{var/,}run/sendmail.pid rwl,
    /{var/,}run/sm-client.pid rwl,
    /{var/,}run/utmp rw,
    /var/spool/clientmqueue/* rwl,
    /var/spool/mail/* rwl,
    /var/spool/mqueue/* rwl,
    /var/spool/postfix/maildrop/* rwl,
    /var/spool/postfix/public/pickup w,
    /var/spool/postfix/public/qmgr w,
    /var/spool/postfix/public/showq w,
  }
}