Added AppArmor
@@ -10,6 +10,7 @@ To upgrade replace the `stalwart-mail` binary and then upgrade to the latest web
|
||||
- AI-powered Spam filtering and Sieve scripting (Enterprise feature).
|
||||
|
||||
### Changed
|
||||
- The untrusted Sieve interpreter now has the `vnd.stalwart.expressions` extension enabled by default. This allows Sieve users to use the `eval` function to evaluate expressions in their scripts. If you would like to disable this extension, you can do so by adding `vnd.stalwart.expressions` to `sieve.untrusted.disabled-capabilities`.
|
||||
|
||||
### Fixed
|
||||
- S3-compatible backends: Retry on `5xx` errors.
|
||||
|
||||
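--- /dev/null
+++ b/resources/apparmor.d/stalwart-mail
@@ -0,0 +1,59 @@
+#include <tunables/global>
+
+profile stalwart-mail flags=(attach_disconnected) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/openssl>
+
+# Allow network access
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
+
+# Outgoing access to port 25 and 443
+network tcp,
+network udp,
+owner /proc/*/net/if_inet6 r,
+owner /proc/*/net/ipv6_route r,
+
+# Full write access to /opt/stalwart-mail
+/opt/stalwart-mail/** rwk,
+
+# Allow creating directories under /tmp
+/tmp/ r,
+/tmp/** rwk,
+
+# Allow binding to specific ports
+network inet stream bind port 25,
+network inet stream bind port 587,
+network inet stream bind port 465,
+network inet stream bind port 143,
+network inet stream bind port 993,
+network inet stream bind port 110,
+network inet stream bind port 995,
+network inet stream bind port 4190,
+network inet stream bind port 443,
+network inet stream bind port 8080,
+network inet6 stream bind port 25,
+network inet6 stream bind port 587,
+network inet6 stream bind port 465,
+network inet6 stream bind port 143,
+network inet6 stream bind port 993,
+network inet6 stream bind port 110,
+network inet6 stream bind port 995,
+network inet6 stream bind port 4190,
+network inet6 stream bind port 443,
+network inet6 stream bind port 8080,
+
+# Allow UDP port 7911
+network inet dgram bind port 7911,
+network inet6 dgram bind port 7911,
+
+# Basic system access
+/usr/bin/stalwart-mail rix,
+/etc/stalwart-mail/** r,
+/var/log/stalwart-mail/** w,
+
+# Additional permissions might be needed depending on specific requirements
+}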
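Review bot: The per-port `network inet stream bind port 25,` … `network inet6 dgram bind port 7911,` rules at the end of the hunk enforce nothing, because AppArmor permissions are additive and the unconditional `network inet stream,`, `network inet6 stream,`, `network tcp,` and `network udp,` rules above already allow binding to and connecting on any port (the `# Outgoing access to port 25 and 443` comment likewise describes a restriction that the `network tcp,` rule does not apply). If port-level confinement is the intent, drop the broad rules and keep only the specific ones, and confirm with the target distribution's apparmor_parser that this port syntax is accepted, since fine-grained port mediation exists only in recent AppArmor releases and the form written here may not parse on older ones. `/tmp/** rwk,` also grants read/write to files created by any user in the world-writable /tmp; `owner /tmp/** rwk,` would limit that to the service's own files and matches the `owner` qualifier already used for the /proc rules. Finally, `profile stalwart-mail flags=(attach_disconnected) {` names the profile without an attachment path, so it is not applied automatically when the binary executes; either attach it by path (`profile stalwart-mail /usr/bin/stalwart-mail flags=(attach_disconnected) {`) or document that the service unit must select the profile explicitly.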