From 895164fad28dbb6b726ecebc73f7ced51a3d0029 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Tue, 15 Jul 2025 18:16:09 +0000
Subject: [PATCH] Merge Profiles: dovecot add access for dovecot 2.4 doveconf
 paths

Dovecot 2.4 now creates a "binary" version of its config via doveconf. This needs new access rules, as it otherwise prevents all Dovecot processes from accessing this new configuration.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1733
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit fc636c7ff3f7331b11bb8e4c26a9aa8c1a179844)

021f701e Profiles: dovecot add access for dovecot 2.4 doveconf paths

Co-authored-by: Christian Boltz <apparmor@cboltz.de>
---
 profiles/apparmor.d/abstractions/dovecot-common | 2 ++
 profiles/apparmor.d/usr.lib.dovecot.config      | 2 ++
 profiles/apparmor.d/usr.sbin.dovecot            | 1 +
 3 files changed, 5 insertions(+)

diff --git a/profiles/apparmor.d/abstractions/dovecot-common b/profiles/apparmor.d/abstractions/dovecot-common
index d0722eb14..d39159ecf 100644
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -19,6 +19,8 @@
   signal receive peer=dovecot,
 
   owner @{run}/dovecot/config rw,
+  owner @{run}/dovecot/dovecot.conf.binary r,
+  owner /tmp/doveconf.* r,
 
   # Include additions to the abstraction
   include if exists <abstractions/dovecot-common.d>
diff --git a/profiles/apparmor.d/usr.lib.dovecot.config b/profiles/apparmor.d/usr.lib.dovecot.config
index 06ff4b863..8e5c6bae3 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.config
+++ b/profiles/apparmor.d/usr.lib.dovecot.config
@@ -28,6 +28,8 @@ profile dovecot-config /usr/lib*/dovecot/config {
   /usr/lib*/dovecot/managesieve Px,
   /usr/share/dovecot/** r,
   /var/lib/dovecot/ssl-parameters.dat r,
+  owner @{run}/dovecot/dovecot.conf.binary* rw,
+  owner /tmp/doveconf.* rw,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.lib.dovecot.config>
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index cb13a1096..a8d4ed988 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -78,6 +78,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   @{run}/dovecot/ rw,
   @{run}/dovecot/** rw,
   link @{run}/dovecot/** -> /var/lib/dovecot/**,
+  owner /tmp/doveconf.* rw,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.sbin.dovecot>