Diffstat (limited to 'profiles')
-rw-r--r--profiles/Makefile2
-rw-r--r--profiles/apache2.conf81
-rw-r--r--profiles/apache2.d/kopano-webapp26
-rw-r--r--profiles/kopano-webapp28
-rw-r--r--profiles/usr.sbin.apache2109
-rw-r--r--profiles/usr.sbin.kopano-dagent35
-rw-r--r--profiles/usr.sbin.kopano-search50
-rw-r--r--profiles/usr.sbin.kopano-server43
-rw-r--r--profiles/usr.sbin.mysqld152
9 files changed, 526 insertions, 0 deletions
diff --git a/profiles/Makefile b/profiles/Makefile
new file mode 100644
index 0000000..210b72f
--- /dev/null
+++ b/profiles/Makefile
@@ -0,0 +1,2 @@
+all:
+ for p in usr.sbin.kopano-{dagent,server} usr.sbin.mysqld usr.sbin.kopano-search apache2.d/kopano-webapp; do scp autopkgtest:/etc/apparmor.d/$$p ./$$p; done
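Review bot: The brace expansion `usr.sbin.kopano-{dagent,server}` in the recipe line is a bash feature; make runs recipes with /bin/sh, which on Debian is dash and passes the word through literally, so scp is asked for a remote path that does not exist. Either spell the names out, `for p in usr.sbin.kopano-dagent usr.sbin.kopano-server usr.sbin.mysqld usr.sbin.kopano-search apache2.d/kopano-webapp; do`, or put `SHELL := /bin/bash` above `all:`. The loop also never fetches `usr.sbin.apache2` or the top-level `kopano-webapp` that this commit adds, so those two copies will drift from the test host unless maintained by hand; a comment above the rule stating which files are hand-maintained would make that explicit.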
diff --git a/profiles/apache2.conf b/profiles/apache2.conf
new file mode 100644
index 0000000..ce0095c
--- /dev/null
+++ b/profiles/apache2.conf
@@ -0,0 +1,81 @@
+# example main configuration for kopano-webapp
+#vim: set ft=apache ts=4 sw=4 expandtab :#
+
+<Directory /usr/share/kopano-webapp/>
+ DirectoryIndex index.php
+ Options -Indexes +FollowSymLinks
+ AllowOverride Options
+
+ <IfModule apparmor_module>
+ AAHatName kopano-webapp
+ </IfModule>
+
+ # Only server Apache2.4
+ <IfVersion >= 2.3>
+ Require all granted
+ </IfVersion>
+
+ FileETag All
+
+ # Uncomment to enhance security of WebApp by restricting cookies to
+ # only be provided over HTTPS connections.
+ # php_flag session.cookie_secure on
+ # php_flag session.cookie_httponly on
+
+ # The maximum POST limit. To upload large files, this value must be
+ # larger than upload_max_filesize.
+ php_value post_max_size 31M
+ php_value upload_max_filesize 30M
+
+ # Manipulate the cache control headers if mod_expires and
+ # mod_headers are both enabled; otherwise the client will depend
+ # on the ETag header. However, you can set FileETag to "None" if
+ # you have multiple servers serving WebApp to the same user. In
+ # that case, apache will fall back to the config below so make
+ # sure these two modules are loaded!
+ <IfModule expires_module>
+ <IfModule headers_module>
+ ExpiresActive On
+ ExpiresDefault "now"
+
+ <FilesMatch "\.(jpg|gif|png)$">
+ # All (static) resources set to 2 months expiration time.
+ ExpiresDefault "access plus 2 months"
+ Header append Cache-Control "public"
+ </FilesMatch>
+
+ <FilesMatch "\.(js|css)$">
+ # All non-dynamic files set to 2 weeks expiration time.
+ ExpiresDefault "access plus 2 weeks"
+ # User agents are requested to revalidate for each resource
+ # so that the server can always serve a newer version if
+ # necessary.
+ Header append Cache-Control "no-cache, must-revalidate"
+
+ # Treat IE a little differently due to the remarks on no-cache
+ # on http://support.microsoft.com/kb/234067
+ <IfModule setenvif_module>
+ BrowserMatch MSIE ie_bug
+ </IfModule>
+ Header set Cache-Control "must-revalidate, private" env=ie_bug
+ </FilesMatch>
+
+ <filesMatch "\.(php)$">
+ # PHP files must always be retrieved from the server.
+ ExpiresActive Off
+ Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
+ Header set Pragma "no-cache"
+ </filesMatch>
+ </IfModule>
+ </IfModule>
+
+ # Enable gzip compression if the module is available
+ <IfModule deflate_module>
+ <filesMatch "\.(js|css)$">
+ SetOutputFilter DEFLATE
+ </filesMatch>
+ </IfModule>
+
+</Directory>
+
+# vim: autoindent ts=4 sw=4 expandtab softtabstop=4 ft=conf
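Review bot: `php_flag session.cookie_httponly on` is left commented out together with `session.cookie_secure`, but only the latter depends on the site being served over HTTPS; httponly can be enabled unconditionally and keeps the session cookie out of reach of page script. Suggest shipping `php_flag session.cookie_httponly on` active and leaving only `# php_flag session.cookie_secure on` behind the comment, reworded to `# Uncomment to restrict the session cookie to HTTPS connections.` `AllowOverride Options` also lets any `.htaccess` under /usr/share/kopano-webapp re-enable `Indexes` or add `ExecCGI`; if the webapp ships no `.htaccess`, `AllowOverride None` is the tighter default, which I cannot confirm from the diff. The comment `# Only server Apache2.4` reads as a typo for `# Only serve on Apache 2.4`.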
diff --git a/profiles/apache2.d/kopano-webapp b/profiles/apache2.d/kopano-webapp
new file mode 100644
index 0000000..17654c5
--- /dev/null
+++ b/profiles/apache2.d/kopano-webapp
@@ -0,0 +1,26 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Guido Günther <agx@sigxcpu.org>
+
+ ^kopano-webapp {
+ #include <abstractions/apache2-common>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/php5>
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /etc/kopano/webapp/config.php r,
+
+ /usr/share/kopano-webapp/** r,
+
+ /var/lib/kopano-webapp/tmp/** rwk,
+
+ /var/log/apache2/ r,
+ # FIXME: we should use separate logfiles for kopano upfront
+ /var/log/apache2/error.log rw,
+ /var/log/apache2/other_vhosts_access.log rw,
+ }
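Review bot: This hat is a near-duplicate of the one added as profiles/kopano-webapp in the same commit, and the two already disagree: this copy reads only `/etc/kopano/webapp/config.php` while the other reads `/etc/kopano/webapp/*.php` and additionally grants `/usr/share/kopano-webapp/debug.txt rw`. The Makefile's scp loop refreshes only this apache2.d copy, so the other one will drift silently. Suggest keeping a single source and, if both install paths are needed, generating one from the other, with a header comment such as `# Keep in sync with profiles/kopano-webapp (same hat, different install path)`. The `# Last Modified: Fri Sep 11 13:27:22 2009` stamp predates kopano and suggests the rules were reviewed then; dropping it avoids misleading the next auditor.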
diff --git a/profiles/kopano-webapp b/profiles/kopano-webapp
new file mode 100644
index 0000000..28d11bd
--- /dev/null
+++ b/profiles/kopano-webapp
@@ -0,0 +1,28 @@
+# Author: Guido Günther <agx@sigxcpu.org>
+
+ ^kopano-webapp {
+ #include <abstractions/apache2-common>
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/php5>
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /etc/kopano/webapp/*.php r,
+
+ /usr/share/kopano-webapp/** r,
+
+ /var/lib/kopano-webapp/tmp/** rwk,
+
+ /var/log/apache2/ r,
+ # FIXME: we should use separate logfiles for kopano upfront
+ /var/log/apache2/error.log rw,
+ /var/log/apache2/other_vhosts_access.log rw,
+
+ # Useful when in debugging mode
+ /usr/share/kopano-webapp/debug.txt rw,
+ }
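Review bot: `/usr/share/kopano-webapp/debug.txt rw,` is a standing write grant into the application's install directory for a PHP worker that handles browser input, and the `# Useful when in debugging mode` comment says it is not needed in normal operation. Leaving it in the enforced profile means a compromised worker can write under /usr/share/kopano-webapp; better to ship the rule commented out, `# /usr/share/kopano-webapp/debug.txt rw,` with a note `# Enable only while debugging; keep commented out in production.` above it. `/var/lib/kopano-webapp/tmp/** rwk,` could also carry the `owner` qualifier so the worker only touches files of its own uid, provided that tmp directory is not shared with another user — not visible here.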
diff --git a/profiles/usr.sbin.apache2 b/profiles/usr.sbin.apache2
new file mode 100644
index 0000000..dd23f51
--- /dev/null
+++ b/profiles/usr.sbin.apache2
@@ -0,0 +1,109 @@
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+#include <tunables/global>
+/usr/sbin/apache2 flags=(attach_disconnected) {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 0- Stop apache:
+ # sudo service apache2 stop
+ #
+ # 1- Enable the profile:
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 2- Load the mpm_prefork and mod_apparmor modules:
+ # sudo a2dismod <other non-prefork mpm>
+ # sudo a2enmod mpm_prefork
+ # sudo a2enmod apparmor
+ # sudo service apache2 restart
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory. Such profiles must include
+ # the "apache2-common" abstraction:
+ #
+ # ^example.com flags=(complain) {
+ # #include <abstractions/apache2-common>
+ # /var/www/html/ r,
+ # /var/www/html/** r,
+ # /var/log/apache2/*.log w,
+ # }
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ # hat to be used for a given apache virtualhost or "AAHatName" for
+ # a given apache directory or location directive:
+ #
+ # <VirtualHost example.com:80>
+ # <IfModule mod_apparmor.c>
+ # AADefaultHatName example.com
+ # </IfModule>
+ # ...
+ # </VirtualHost>
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 3- Configure apache with the following (or similar):
+ # Alias /phpsysinfo /usr/share/phpsysinfo
+ # <Location /phpsysinfo>
+ # <IfModule mod_apparmor.c>
+ # AAHatName phpsysinfo
+ # </IfModule>
+ #
+ # # adjust as necessary:
+ # Options None
+ # Require local
+ # Require ip 192.168.0.0/16
+ # </Location>
+ #
+
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ # Send signals to all hats.
+ signal (send) peer=@{profile_name}//*,
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
+ #include <abstractions/apache2-common>
+
+ / rw,
+ /** mrwlkix,
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.apache2>
+}
diff --git a/profiles/usr.sbin.kopano-dagent b/profiles/usr.sbin.kopano-dagent
new file mode 100644
index 0000000..068919b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-dagent
@@ -0,0 +1,35 @@
+#include <tunables/global>
+
+/usr/sbin/kopano-dagent {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/python>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cmdline r,
+
+ /etc/gai.conf r,
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+ /etc/kopano/dagent.cfg r,
+
+ /usr/share/kopano-dagent/python/*.py{,c} r,
+
+ /var/lib/kopano/dagent/plugins/ r,
+
+ /etc/mapi/ r,
+ /etc/mapi/* r,
+
+ /run/kopano/dagent.pid rw,
+ /var/log/kopano/dagent.log rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.kopano-dagent>
+}
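Review bot: `/var/lib/kopano/dagent/plugins/ r,` grants only a listing of the plugins directory; nothing covers the files beneath it, so any plugin placed there would fail to load in enforce mode (compare `/usr/share/kopano-dagent/python/*.py{,c} r,`, which does cover file contents). If plugins are expected there, add `/var/lib/kopano/dagent/plugins/** r,`; if not, a comment saying the directory is expected to stay empty would save the next reader the question. Network access is not declared in this profile but arrives through `abstractions/nameservice`, which allows inet stream and dgram sockets; a one-line comment noting that any TCP listener or client socket the daemon opens relies on that abstraction would keep the grant visible when the abstraction is later audited.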
diff --git a/profiles/usr.sbin.kopano-search b/profiles/usr.sbin.kopano-search
new file mode 100644
index 0000000..6ee700b
--- /dev/null
+++ b/profiles/usr.sbin.kopano-search
@@ -0,0 +1,50 @@
+# Last Modified: Fri Sep 8 14:49:47 2017
+#include <tunables/global>
+
+/usr/sbin/kopano-search {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/python>
+ #include <abstractions/user-tmp>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ deny /usr/lib/python2.7/dist-packages/kopano_search/*.pyc w,
+
+ # FIXME: it would be nice if search would use search- like pa
+ /dev/shm/* rwl,
+
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/*.conf r,
+
+ /lib/x86_64-linux-gnu/ld-*.so mr,
+ /usr/bin/python2.7 ix,
+ /usr/sbin/kopano-search r,
+
+ /etc/kopano/search.cfg r,
+
+ /bin/dash Pix,
+ /bin/rm Pix,
+ /sbin/ldconfig Pix,
+
+ /etc/mapi/ r,
+ /etc/mapi/kopano.inf r,
+ /etc/mapi/zcontacts.inf r,
+
+ /run/kopano/search.pid rw,
+ /run/kopano/search.pid.lock lrw,
+ /run/kopano/search.sock rw,
+ /run/kopano/*.*-* rw,
+
+ /var/lib/kopano/search/** rwlk,
+ /var/log/kopano/search.log rw,
+}
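Review bot: `/lib/x86_64-linux-gnu/ld-*.so mr,` hard-codes the amd64 multiarch directory, so on any other architecture the rule silently covers nothing; `tunables/global` is already included, so `/lib/@{multiarch}/ld-*.so mr,` is the portable form (it may well be redundant with what `abstractions/base` already grants for the loader, in which case the line can go). The same applies to `/usr/lib/x86_64-linux-gnu/kopano/*.so m,` in usr.sbin.kopano-server in this commit. Separately, `/dev/shm/* rwl,` (already marked FIXME) covers every shared-memory segment on the host, including other services'; `owner /dev/shm/* rwl,` limits it to segments created under the search daemon's uid until a narrower name pattern is known.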
diff --git a/profiles/usr.sbin.kopano-server b/profiles/usr.sbin.kopano-server
new file mode 100644
index 0000000..0f3648c
--- /dev/null
+++ b/profiles/usr.sbin.kopano-server
@@ -0,0 +1,43 @@
+#include <tunables/global>
+
+/usr/sbin/kopano-server {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/mysql>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+
+ network tcp,
+
+ /etc/kopano/debian-db.cfg r,
+ /etc/kopano/server.cfg r,
+
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /run/kopano/prio.sock rw,
+ /run/kopano/server.pid rw,
+ /run/kopano/server.sock rw,
+
+ /usr/lib/x86_64-linux-gnu/kopano/*.so m,
+
+ /var/lib/kopano/attachments/ r,
+ /var/lib/kopano/attachments/** rw,
+ /var/log/kopano/server.log rw,
+
+ /etc/kopano/userscripts/* Cxr -> kopano_userscripts,
+
+ # There's little we can do if the server is allowed to run
+ # arbitrary scripts
+ profile kopano_userscripts {
+ file,
+ network,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.kopano-server>
+}
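Review bot: The `kopano_userscripts` child profile grants unrestricted `file,`, which includes write access to `/etc/kopano/userscripts/` itself, so a script that is compromised can replace the scripts the server will run next; a `deny /etc/kopano/userscripts/** w,` rule inside the child profile (deny takes precedence over allow) closes that without restricting what the scripts may otherwise do. The comment above the child profile acknowledges it is permissive, but it would help to state what protection remains: the profile carries no `capability` rules, so the scripts cannot use root capabilities even though file and network access are unconstrained, e.g. `# No capability rules: scripts keep the server's uid and gain no capabilities.` The `Cxr -> kopano_userscripts` transition on `/etc/kopano/userscripts/*` also covers only direct children; if scripts live in subdirectories the glob should be `**`, which I cannot tell from the diff.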
diff --git a/profiles/usr.sbin.mysqld b/profiles/usr.sbin.mysqld
new file mode 100644
index 0000000..862cee0
--- /dev/null
+++ b/profiles/usr.sbin.mysqld
@@ -0,0 +1,152 @@
+# Last Modified: Fri Mar 1 18:55:47 2013
+# Based on usr.sbin.mysqld packaged in mysql-server in Ubuntu.
+# This AppArmor profile has been copied under BSD License from
+# Percona XtraDB Cluster, along with some additions.
+
+#include <tunables/global>
+
+/usr/sbin/mysqld {
+ #include <abstractions/base>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+ #include <abstractions/winbind>
+
+ capability chown,
+ capability dac_override,
+ capability setgid,
+ capability setuid,
+ capability sys_rawio,
+ capability sys_resource,
+
+ network tcp,
+
+ /bin/dash rcx,
+ /dev/dm-0 r,
+ /etc/gai.conf r,
+ /etc/group r,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
+ /etc/ld.so.cache r,
+ /etc/mtab r,
+ /etc/my.cnf r,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/*.pem r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /etc/mysql/mariadb.conf.d/ r,
+ /etc/mysql/mariadb.conf.d/* r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/services r,
+ /run/mysqld/mysqld.pid w,
+ /run/mysqld/mysqld.sock w,
+ /sys/devices/system/cpu/ r,
+ owner /tmp/** lk,
+ /tmp/** rw,
+ /usr/lib/mysql/plugin/ r,
+ /usr/lib/mysql/plugin/*.so* mr,
+ /usr/sbin/mysqld mr,
+ /usr/share/mysql/** r,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rwk,
+ /var/log/mysql.err rw,
+ /var/log/mysql.log rw,
+ /var/log/mysql/ r,
+ /var/log/mysql/* rw,
+ /var/run/mysqld/mysqld.pid w,
+ /var/run/mysqld/mysqld.sock w,
+
+
+ profile /bin/dash {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/mysql>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+
+
+
+ /bin/cat rix,
+ /bin/dash rix,
+ /bin/date rix,
+ /bin/grep rix,
+ /bin/nc.openbsd rix,
+ /bin/netstat rix,
+ /bin/ps rix,
+ /bin/rm rix,
+ /bin/sed rix,
+ /bin/sleep rix,
+ /bin/tar rix,
+ /bin/which rix,
+ /dev/tty rw,
+ /etc/ld.so.cache r,
+ /etc/my.cnf r,
+ /proc/ r,
+ /proc/*/cmdline r,
+ /proc/*/fd/ r,
+ /proc/*/net/dev r,
+ /proc/*/net/if_inet6 r,
+ /proc/*/net/tcp r,
+ /proc/*/net/tcp6 r,
+ /proc/*/stat r,
+ /proc/*/status r,
+ /proc/sys/kernel/pid_max r,
+ /proc/tty/drivers r,
+ /proc/uptime r,
+ /proc/version r,
+ /sbin/ifconfig rix,
+ /sys/devices/system/cpu/ r,
+ /tmp/** rw,
+ /usr/bin/cut rix,
+ /usr/bin/dirname rix,
+ /usr/bin/gawk rix,
+ /usr/bin/innobackupex rix,
+ /usr/bin/mysql rix,
+ /usr/bin/perl rix,
+ /usr/bin/seq rix,
+ /usr/bin/wsrep_sst* rix,
+ /usr/bin/wsrep_sst_common r,
+ /usr/bin/xtrabackup* rix,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rw,
+ /var/lib/mysql/*.log w,
+ /var/lib/mysql/*.err w,
+
+# MariaDB additions
+ ptrace peer=@{profile_name},
+
+ /bin/hostname rix,
+ /bin/ip rix,
+ /bin/mktemp rix,
+ /bin/ss rix,
+ /bin/sync rix,
+ /bin/touch rix,
+ /bin/uname rix,
+ /etc/mysql/*.cnf r,
+ /etc/mysql/conf.d/ r,
+ /etc/mysql/conf.d/* r,
+ /proc/*/attr/current r,
+ /proc/*/fdinfo/* r,
+ /proc/*/net/* r,
+ /proc/locks r,
+ /proc/sys/net/ipv4/ip_local_port_range r,
+ /run/mysqld/mysqld.sock rw,
+ /sbin/ip rix,
+ /usr/bin/basename rix,
+ /usr/bin/du rix,
+ /usr/bin/find rix,
+ /usr/bin/lsof rix,
+ /usr/bin/my_print_defaults rix,
+ /usr/bin/mysqldump rix,
+ /usr/bin/pv rix,
+ /usr/bin/rsync rix,
+ /usr/bin/socat rix,
+ /usr/bin/tail rix,
+ /usr/bin/timeout rix,
+ /usr/bin/xargs rix,
+ /usr/bin/xbstream rix,
+ }
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.mysqld>
+}
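Review bot: The `/bin/dash` child profile carries the Percona XtraDB Cluster SST toolchain (`/usr/bin/innobackupex`, `/usr/bin/wsrep_sst*`, `/usr/bin/xtrabackup*`, `/usr/bin/socat`, `/usr/bin/rsync`, `/bin/nc.openbsd`, all `rix`) inherited from the profile the header says this was copied from; a standalone database behind Kopano has no use for them, and every `rix` entry is one more program a compromised mysqld may exec inside its own confinement. Worth either trimming the list to what the shipped mysqld scripts actually run, or adding a comment above `profile /bin/dash {` such as `# Kept verbatim from the Percona/Ubuntu profile to ease updates; most of these tools are unused here.` In the main profile, `/tmp/** rw,` sits next to `owner /tmp/** lk,` and, unlike it, allows reading and writing other users' temp files; if mysqld's tmpdir is left at its default, `owner /tmp/** rw,` should suffice, though that depends on the local configuration.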