AppArmor profiles for dovecot/postfix/amavisd stack

Registered by Kees Cook

This is to discuss what is needed to build and test the AppArmor profiles needed to confine the dovecot/postfix/amavisd email stack. (clamav is already profiled.)

Blueprint information

Status: Not started
Approver: Rick Clark
Priority: Undefined
Drafter: Kees Cook
Direction: Needs approval
Assignee: None
Definition: Discussion
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Goal: work out how to confine the entire mail stack, now that its components are more tightly integrated

* Identify stack contents
 * dovecot plugins
  * options, maildir vs mbox, plugins
  * authentication pieces need investigation
 * amavisd plugins
  * can't assume users will complain and test (backported apparmor profile
    in clamd bears this out)
 * postfix plugins
  * postfix is already in a chroot
  * it can have just one large profile
  * policy servers and 3rd party software could be problematic
  * policy servers tend to run separately
 * ClamAV (which is already confined)

* Design considerations
 * confine root-run applications
 * confine long-running daemons

* Explore implementation details
 * postfix
  * is it worth confining at this time? (maybe look at it last)
  * leave it jailed (the jail configuration is now well understood and documented)
 * dovecot
 * amavisd (communicates over a TCP port)
  * supports many different scanners
  * be sure to check all packages that plug in to amavisd (main and
    universe). Could just say that universe binaries are unconfined
  * could spamd be confined?
  * package notification software for AppArmor denials and hook it into apport
    (possibly telling the user how to edit the broken profile, or only how to
    turn that one profile off)
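
The two testing concerns above (users will not notice and report denials on their own, and a notification hook needs something to report) both start from the AppArmor audit records a complain-mode run produces. As an added example, not code from the blueprint or the profiles branch, this Python helper parses such records and turns them into candidate rules for a human to review; the profile names, paths and log records are constructed assumptions, not captured from a real host.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="..." or key=bare
MASK_ORDER = "rwacdklmx"  # canonical order for permission letters in a rule

# Constructed sample records (not from a real host); profile names and paths
# are assumptions about where a dovecot/amavisd profile would log.
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.100:41): apparmor="DENIED" operation="open" profile="/usr/sbin/amavisd-new" '
    'name="/var/lib/amavis/tmp/amavis-1/parts/p001" comm="amavisd" requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1700000000.101:42): apparmor="DENIED" operation="open" profile="/usr/sbin/amavisd-new" '
    'name="/var/lib/amavis/tmp/amavis-1/parts/p001" comm="amavisd" requested_mask="w" denied_mask="w"',
    'type=AVC msg=audit(1700000000.102:43): apparmor="DENIED" operation="create" profile="/usr/sbin/amavisd-new" '
    'comm="amavisd" family="inet" sock_type="stream" protocol=6',
    'type=AVC msg=audit(1700000000.103:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" '
    'name="/var/mail/alice" comm="imap" requested_mask="r" denied_mask="r"',
    'type=AVC msg=audit(1700000000.104:45): apparmor="STATUS" operation="profile_load" profile="unconfined" '
    'name="/usr/sbin/dovecot" comm="apparmor_parser"',
]

def parse_apparmor_line(line):
    """Key/value fields of one audit record (empty dict for non-AppArmor lines)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)} if "apparmor=" in line else {}

def collect_events(lines):
    """Group DENIED (enforce) and ALLOWED (complain) events per profile."""
    events = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # STATUS/AUDIT records are not access events
        if "family" in f:  # socket operation: no path, just the address family
            key, mask = ("network", f"{f['family']} {f.get('sock_type', '')}"), ""
        else:
            key = ("file", f.get("name", f.get("comm", "?")))
            mask = f.get("denied_mask") or f.get("requested_mask") or ""
        events[f["profile"]][key].update(mask)  # merges r + w into {r, w}
    return events

def suggest_rules(events):
    """Candidate rules for review; globbing paths is left to the profile author."""
    return {profile: [f"network {t}," if kind == "network"
                      else f"{t} {''.join(c for c in MASK_ORDER if c in mask)},"
                      for (kind, t), mask in sorted(targets.items())]
            for profile, targets in events.items()}

if __name__ == "__main__":
    for profile, rules in suggest_rules(collect_events(SAMPLE_LOG)).items():
        print(profile, *rules, sep="\n  ")
```

Exact paths are emitted on purpose; collapsing them into a glob such as /var/lib/amavis/tmp/** is the kind of judgement the profile author should make, not the script.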

Profile work found in: https://code.launchpad.net/~ubuntu-core-dev/apparmor/profiles-devel

