From a57f01d86bdb01647966f3eeff7a1cc3fc6abd76 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Sun, 10 Feb 2019 21:36:10 -0500
Subject: [PATCH 1/5] dovecot: allow FD passing between dovecot and dovecot's anvil
---
 profiles/apparmor.d/usr.lib.dovecot.anvil | 2 ++
 profiles/apparmor.d/usr.sbin.dovecot | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.anvil b/profiles/apparmor.d/usr.lib.dovecot.anvil
index aba8854e9..652f13443 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@@ -18,6 +18,8 @@
 capability setuid,
 capability sys_chroot,
+ unix (receive, send) type=stream peer=(label=dovecot),
+
 /run/dovecot/anvil rw,
 /usr/lib/dovecot/anvil mr,
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 8eced4a64..d6d50c5e7 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -33,6 +33,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
 signal send set=(int,quit) peer=/usr/lib/dovecot/*,
+ unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
+
 /etc/dovecot/** r,
 /etc/mtab r,
 /etc/lsb-release r,
From d0aa863f6b670b455f919d922f6ce29f8e577294 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 13 Feb 2019 22:27:08 -0500
Subject: [PATCH 2/5] dovecot: allow chroot'ing the auth processes
When using passdb/userdb not requiring root (!= /etc/shadow access) it is recommended to run the auth processes as non root and chroot'ed
Signed-off-by: Simon Deziel
---
 profiles/apparmor.d/usr.lib.dovecot.auth | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index b44441e26..250566d6f 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
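Review bot: The two new unix rules name their peers asymmetrically: the anvil side (`@@ -18,6 +18,8`) uses the profile name `label=dovecot`, which matches `profile dovecot /usr/{bin,sbin}/dovecot ...` in the second hunk, while the dovecot side (`@@ -33,6 +33,8`) uses the path label `/usr/lib/dovecot/anvil`, in line with the existing `signal ... peer=/usr/lib/dovecot/*`. That only holds while the anvil profile stays unnamed (path-labelled); giving it an explicit name later would make the dovecot-side rule stop matching with no parser warning, so the pairing deserves a comment on each side, e.g. `# FD passing with dovecot's anvil; peer label must match the name of the anvil profile`. Scoping by peer label rather than by socket path is reasonable here because both ends are confined, but that reasoning is also worth a word in the comment.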
@@ -25,6 +25,7 @@
 capability dac_override,
 capability dac_read_search,
 capability setuid,
+ capability sys_chroot,
 /etc/my.cnf r,
 /etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@
 /etc/dovecot/* r,
 /usr/lib/dovecot/auth mr,
+ /var/lib/dovecot/auth-chroot/* r,
 # kerberos replay cache
 /var/tmp/imap_* rw,
From 9afeb2254800eb3f09d5c00f599786178a637d75 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 13 Feb 2019 22:33:44 -0500
Subject: [PATCH 3/5] dovecot: let dovecot/anvil rw the auth-penalty socket
Signed-off-by: Simon Deziel
---
 profiles/apparmor.d/usr.lib.dovecot.anvil | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.anvil b/profiles/apparmor.d/usr.lib.dovecot.anvil
index 652f13443..5b0fba6b2 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@@ -21,6 +21,7 @@
 unix (receive, send) type=stream peer=(label=dovecot),
 /run/dovecot/anvil rw,
+ /run/dovecot/anvil-auth-penalty rw,
 /usr/lib/dovecot/anvil mr,
 # Site-specific additions and overrides. See local/README for details.
From 17db8f3884ca751ec17da90ce688b42172f002ce Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 13 Feb 2019 22:49:02 -0500
Subject: [PATCH 4/5] dovecot: auth processes need to read from postfix auth socket
They also need rw on the auth-userdb socket
Signed-off-by: Simon Deziel
---
 profiles/apparmor.d/usr.lib.dovecot.auth | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index 250566d6f..2545ede7f 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -42,6 +42,7 @@
 /var/tmp/smtp_* rw,
 /run/dovecot/auth-master rw,
+ /run/dovecot/auth-userdb rw,
 /run/dovecot/auth-worker rw,
 /run/dovecot/login/login rw,
 /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
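Review bot: `capability sys_chroot,` in hunk `@@ -25,6 +25,7 @@` is granted unconditionally, alongside the `dac_override` and `dac_read_search` capabilities the profile already holds, although the commit message only recommends chroot for passdb/userdb setups that do not need root; a comment tying the capability to that deployment choice would stop it being read as a hard requirement, e.g. `# only needed when the auth service is configured to chroot`. In the second hunk (`@@ -32,6 +33,7 @@`), `/var/lib/dovecot/auth-chroot/* r,` matches a single path level, so anything the chroot tree keeps in subdirectories would be denied; if the tree is nested, `/var/lib/dovecot/auth-chroot/** r,` is probably what was meant — confirm against the actual layout. It is also worth a comment that AppArmor path mediation is not chroot-relative by default, so these rules must use the host path rather than the path the process sees after chroot, which is what the hunk does.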
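Review bot: `/run/dovecot/anvil-auth-penalty rw,` in hunk `@@ -21,6 +21,7 @@` spells the socket path differently from the auth profile, which grants the same socket as `/{var/,}run/dovecot/anvil-auth-penalty rw,` (visible as context in patch 4's `@@ -49,7 +50,7 @@`). The bare form follows the existing `/run/dovecot/anvil rw,` in this profile, so it is internally consistent, but on a system where `/var/run` is a real directory rather than a symlink to `/run` the two profiles would disagree on whether the socket is reachable. Patch 4's `/run/dovecot/auth-userdb rw,` (`@@ -42,6 +42,7 @@`) has the same split with its `/{var/,}run/dovecot/...` neighbours in the same file; settling on one spelling per socket across the dovecot profiles, presumably the `/{var/,}run/` form already used for auth-token-secret and stats-user, would remove the inconsistency.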
@@ -49,7 +50,7 @@
 /{var/,}run/dovecot/stats-user rw,
 /{var/,}run/dovecot/anvil-auth-penalty rw,
- /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/auth rw,
 # Site-specific additions and overrides. See local/README for details.
 #include
From 6a7c49b149fce22781216592c341ef15ee86faaa Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 13 Feb 2019 22:59:18 -0500
Subject: [PATCH 5/5] dovecot: add abstractions/ssl_certs to lmtp
It already has abstractions/ssl_keys
Signed-off-by: Simon Deziel
---
 profiles/apparmor.d/usr.lib.dovecot.lmtp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp
index 436435f08..8dd15b835 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+ #include
 #include
 capability dac_override,
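Review bot: The widening from `w` to `rw` on `/var/spool/postfix/private/auth` in hunk `@@ -49,7 +50,7 @@` carries no rationale in the profile itself; only the commit message says the auth processes need to read from it, and that context is lost to the next person reviewing the profile. A one-line comment above the rule, such as `# SASL auth socket shared with postfix (lives under postfix's spool, not dovecot's run dir)`, would record both why this path sits outside `/{var/,}run/dovecot/` and why reads are required. The trailing `#include` context line has lost its `<...>` target in this rendering, so it cannot be checked here.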
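Review bot: The added `#include` in hunk `@@ -17,6 +17,7 @@` has no visible target in this rendering (the `<...>` arguments of all five include lines were stripped), so the hunk alone does not confirm the subject's `abstractions/ssl_certs`; check the actual file before merging. Assuming it is, lmtp then pulls in both `ssl_certs` and `ssl_keys`; a short comment above the pair stating that lmtp needs private keys as well as certificates because it terminates TLS itself (if that is indeed the case) would keep the key access from being pruned as excess later.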