mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
eb8f9302aa
Host files accessed by tcp_wrapper can reference other files, from man 5 hosts.allow ``` A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used. ``` This means adding a file to hosts requires updating multiple profiles Add a hosts abstraction so users only have to modify a single location. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/605 Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1864466 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
92 lines
2.8 KiB
Text
92 lines
2.8 KiB
Text
# ------------------------------------------------------------------
|
|
#
|
|
# Copyright (C) 2013-2020 Christian Boltz
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
# License published by the Free Software Foundation.
|
|
#
|
|
# ------------------------------------------------------------------
|
|
# vim: ft=apparmor
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
include <tunables/dovecot>
|
|
|
|
profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
include <abstractions/dovecot-common>
|
|
|
|
capability setuid,
|
|
|
|
@{DOVECOT_MAILSTORE}/ rw,
|
|
@{DOVECOT_MAILSTORE}/** rwkl,
|
|
|
|
/etc/dovecot/** r,
|
|
@{PROC}/*/mounts r,
|
|
owner /tmp/dovecot.lda.* rw,
|
|
@{run}/dovecot/mounts r,
|
|
@{run}/dovecot/auth-userdb rw,
|
|
/usr/bin/doveconf mrix,
|
|
/usr/lib/dovecot/dovecot-lda mrix,
|
|
/usr/{bin,sbin}/sendmail Cx -> sendmail,
|
|
/usr/share/dovecot/protocols.d/ r,
|
|
/usr/share/dovecot/protocols.d/** r,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/usr.lib.dovecot.dovecot-lda>
|
|
|
|
|
|
profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
|
|
# this profile is based on the usr.sbin.sendmail profile in extras
|
|
# and should support both postfix' and sendmail's sendmail binary
|
|
|
|
include <abstractions/base>
|
|
include <abstractions/consoles>
|
|
include <abstractions/nameservice>
|
|
include <abstractions/user-tmp>
|
|
include <abstractions/postfix-common>
|
|
include <abstractions/hosts_access>
|
|
|
|
capability sys_ptrace,
|
|
|
|
/etc/aliases rw, # newaliases is a symlink to sendmail, so it's
|
|
/etc/aliases.db rw, # actually the same binary
|
|
/etc/fstab r,
|
|
/etc/mail/* r,
|
|
/etc/mail/statistics rw,
|
|
/etc/mtab r,
|
|
/etc/postfix/aliases r,
|
|
/etc/postfix/aliases.db rw, # newaliases again
|
|
/etc/sendmail.cf r,
|
|
/etc/sendmail.cw r,
|
|
/etc/shells r,
|
|
@{PROC}/loadavg r,
|
|
@{PROC}/net/if_inet6 r,
|
|
/root/.forward r,
|
|
/root/dead.letter w,
|
|
/usr/bin/procmail Px,
|
|
/usr/lib/postfix/{bin/,sbin/,}master Px,
|
|
/usr/lib/postfix/{bin/,sbin/,}showq Px,
|
|
/usr/lib/postfix/{bin/,sbin/,}smtpd Px,
|
|
/usr/{bin,sbin}/postalias Px,
|
|
/usr/{bin,sbin}/postdrop Px,
|
|
/usr/{bin,sbin}/postfix Px,
|
|
/usr/{bin,sbin}/postqueue Px,
|
|
/usr/{bin,sbin}/sendmail mrix,
|
|
/usr/{bin,sbin}/sendmail.postfix mrix,
|
|
/usr/{bin,sbin}/sendmail.sendmail mrix,
|
|
@{run}/sendmail.pid rwl,
|
|
@{run}/sm-client.pid rwl,
|
|
@{run}/utmp rw,
|
|
/var/spool/clientmqueue/* rwl,
|
|
/var/spool/mail/* rwl,
|
|
/var/spool/mqueue/* rwl,
|
|
/var/spool/postfix/maildrop/* rwl,
|
|
/var/spool/postfix/public/pickup w,
|
|
/var/spool/postfix/public/qmgr w,
|
|
/var/spool/postfix/public/showq w,
|
|
}
|
|
}
|