
Securing the Mail Server with Apparmor

Rspamd

#include <tunables/global>

# AppArmor profile for the rspamd daemon (/usr/bin/rspamd).
# Only the base and nameservice abstractions are pulled in; every other
# access is an explicit grant, so anything rspamd later needs (new map
# sources, extra sockets) shows up as a DENIED entry in the audit log.
# No capability rules are granted — fine when the daemon is started
# directly as its service user; if it is started as root and drops
# privileges itself it will need capability setuid/setgid — confirm from
# the audit log on the target host.
/usr/bin/rspamd {
  #include <abstractions/base>
  # nameservice normally also supplies the inet/inet6 network rules and
  # the /etc/{hosts,resolv.conf,nsswitch.conf,...} reads needed for DNS;
  # its exact contents differ per distribution, so confirm before
  # trimming the explicit rules below.
  #include <abstractions/nameservice>

  # Shared-memory objects named rhm.*.  No `owner` qualifier, so any
  # matching segment under /dev/shm is reachable regardless of uid —
  # consider adding `owner` if the daemon only touches its own.
  /dev/shm/rhm.* rw,

  # Read configuration files (files and subdirectories under /etc/rspamd;
  # the directory entry itself is not listed here, unlike
  # /var/lib/rspamd/ below).
  /etc/rspamd/** r,

  # System files
  # NOTE(review): nsswitch.conf and host.conf appear twice in this list.
  # Duplicate rules are harmless to the parser but worth removing so the
  # profile stays reviewable; several of these are usually already
  # granted by abstractions/nameservice.
  /etc/nsswitch.conf r,
  /etc/host.conf r,
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/host.conf r,
  /etc/gai.conf r,
  # libmagic database (file-type detection of attachments)
  /etc/magic r,

  # proc file system — kernel random UUID source
  /proc/sys/kernel/random/uuid r,

  # Run programs: `m` allows mapping these as executable, `r` read.
  # Only the dynamic loader and rspamd's own binary; no other execs.
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/bin/rspamd mr,

  # Read/write data (`k` = file locking).  The directory itself is
  # read-only; its contents are read/write/lock.
  /var/lib/rspamd/ r,
  /var/lib/rspamd/** rwk,
  # Runtime sockets/pid files; {var/,} matches both /run and /var/run.
  /{var/,}run/rspamd/* rwk,

  # log files (rspamd.log plus rotated rspamd.log.* variants)
  /var/log/rspamd/rspamd.log* rwk,

  # Read cached nscd
  /var/cache/nscd/hosts r,

  # Read usr config - for the web administration interface as well
  /usr/share/rspamd/** r,

  # Read certificates (read-only; the daemon cannot alter the trust store)
  /usr/share/ca-certificates/** r,
}

Redis

https://github.com/vitvegl/AppArmor-profiles/blob/master/ubuntu/x86_64/usr.bin.redis-server

/apparmor.d/abstractions/redis  
# Shared abstraction for the redis-server / redis-sentinel profiles
# (presumably pulled in by the per-instance profiles under redis.d —
# confirm against those templates).
#include <abstractions/base>
#include <abstractions/nameservice>

# TCP only (listeners, clients, replication).  No dgram or raw sockets,
# and no unix-socket rule, so a `unixsocket` setting in redis.conf would
# need an extra grant.
network inet  stream,
network inet6 stream,

# The daemon inspecting its own address space (memory accounting).
# `owner` limits these reads to processes running as the same uid.
owner /proc/@{pid}/maps r,
owner /proc/@{pid}/smaps r,
owner /proc/@{pid}/stat r,

# Kernel tunables redis-server inspects at startup (listen backlog,
# memory overcommit).  Read-only: the profile does not let the daemon
# change them.
/proc/sys/net/core/somaxconn r,
/proc/sys/vm/overcommit_memory r,

# Transparent-huge-pages state, also checked at startup; read-only.
/sys/kernel/mm/transparent_hugepage/enabled r,


/apparmor.d/usr.sbin.redis
#
# LICENSED UNDER AGPL 3.0
#
#include <tunables/global>


##################################################################
#
# All the actual profiles are assigned via
#
# /usr/lib/systemd/system/redis@.service.d/apparmor.conf
#
# For a normal redis server:
#
# copy /etc/apparmor.d/redis.d/redis.template to
#      /etc/apparmor.d/redis.d/redis.<instancename>
#
# The paths have to match /etc/redis/<instancename>.conf
#
##################################################################

##################################################################
#
# /usr/lib/systemd/system/redis-sentinel@.service.d/apparmor.conf
#
# For a normal redis-sentinel server:
#
# copy /etc/apparmor.d/redis.d/sentinel.template to
#      /etc/apparmor.d/redis.d/sentinel.<instancename>
#
# The paths have to match /etc/redis/sentinel-<instancename>.conf
#
##################################################################

#include <redis.d>

Dovecot

https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/

Postfix