# AppArmor profile for postfix mail transport agent
# Version of program profiled: 3.9.0
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2020-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile postfix-master /usr/lib/postfix/bin/master {
  include if exists <local/postfix-master>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>
  include <abstractions/krathalans-hardening>

  capability kill,

  /usr/lib/postfix/bin/qmgr rPx,
  /usr/lib/postfix/bin/pickup rPx,
  /usr/lib/postfix/bin/smtpd rPx,
  /usr/lib/postfix/bin/smtp rPx,
  /usr/lib/postfix/bin/trivial-rewrite rPx,
  /usr/lib/postfix/bin/local rPx,
  /usr/lib/postfix/bin/error rPx,
  /usr/lib/postfix/bin/bounce rPx,
  /usr/lib/postfix/bin/proxymap rPx,
  /usr/lib/postfix/bin/tlsmgr rPx,
  /usr/lib/postfix/bin/anvil rPx,
  /usr/lib/postfix/bin/cleanup rPx,
  /usr/lib/postfix/bin/pipe rPx,

  signal send set=term peer=postfix-anvil,
  signal send set=term peer=postfix-qmgr,
  signal send set=term peer=postfix-pickup,
  signal send set=term peer=postfix-smtpd,
  signal send set=term peer=postfix-trivial-rewrite,
  signal send set=term peer=postfix-local,
  signal send set=term peer=postfix-bounce,
  signal send set=term peer=postfix-proxymap,
  signal send set=term peer=postfix-smtp,
  signal send set=term peer=postfix-tlsmgr,
  signal send set=term peer=postfix-pipe,
  signal send set=term peer=postfix-cleanup,

  # Networking
  capability net_bind_service,
  network netlink raw,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Misc
  capability dac_read_search,
  capability dac_override,
  /etc/gai.conf r,
  /etc/services r,
  /proc/sys/kernel/random/boot_id r,
  /var/lib/postfix/master.lock rwk,
  /var/spool/postfix/pid/master.pid rwk,

  # Mail data
  /var/spool/postfix/{,**} rw,
}

profile postfix-anvil /usr/lib/postfix/bin/anvil {
  include if exists <local/postfix-anvil>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/anvil r,
  signal receive set=term peer=postfix,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
}

profile postfix-bounce /usr/lib/postfix/bin/bounce {
  include if exists <local/postfix-bounce>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/bounce r,
  signal receive set=term peer=postfix,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
  /var/spool/postfix/pid/unix.{defer,bounce,trace} rwk,

  # Mail data
  /var/spool/postfix/{active,defer,bounce,trace}/{,**} rwk,
}

profile postfix-cleanup /usr/lib/postfix/bin/cleanup {
  include if exists <local/postfix-cleanup>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/cleanup r,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /var/spool/postfix/pid/unix.cleanup rwk,
  /proc/sys/kernel/random/boot_id r,

  # Mail data
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /var/spool/postfix/incoming/{,**} rw,
}

profile postfix-error /usr/lib/postfix/bin/error {
  include if exists <local/postfix-error>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/error r,

  # Misc
  /var/spool/postfix/pid/unix.retry rwk,

  # Mail data
  /var/spool/postfix/active/{,**} rwk,
}

profile postfix-local /usr/lib/postfix/bin/local {
  include if exists <local/postfix-local>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/local r,
  signal receive set=term peer=postfix,

  # Has to be U for now instead of P due to default dovecot profile breakages
  # Hopefully can change back to P soon if I can write a dovecot profile
  /usr/lib/dovecot/dovecot-lda rUx,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/aliases.* rk,
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
  /var/spool/postfix/pid/unix.local rwk,

  # Mail data
  /var/spool/postfix/active/{,**} rwk,
}

profile postfix-pickup /usr/lib/postfix/bin/pickup {
  include if exists <local/postfix-pickup>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/pickup r,
  signal receive set=term peer=postfix,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,

  # Mail data
  /var/spool/postfix/maildrop/{,**} rwk,
}

profile postfix-pipe /usr/lib/postfix/bin/pipe {
  include if exists <local/postfix-pipe>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/pipe r,

  /usr/bin/vendor_perl/spamc rPx,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
  /var/spool/postfix/pid/unix.spamassassin rwk,

  # Mail data
  /var/spool/postfix/active/{,**} rwk,
}

profile postfix-postdrop /usr/bin/postdrop {
  include if exists <local/postfix-postdrop>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-hardening>
  include <abstractions/krathalans-nameservice>

  /usr/bin/postdrop r,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,

  # Mail data
  /var/spool/postfix/maildrop/{,**} rwk,
}

profile postfix-proxymap /usr/lib/postfix/bin/proxymap {
  include if exists <local/postfix-proxymap>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/proxymap r,
  signal receive set=term peer=postfix,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
}

profile postfix-qmgr /usr/lib/postfix/bin/qmgr {
  include if exists <local/postfix-qmgr>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/qmgr r,
  signal receive set=term peer=postfix,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,

  # Mail data
  /var/spool/postfix/active/{,**} rwk,
  /var/spool/postfix/incoming/{,**} rw,
  /var/spool/postfix/defer/{,**} rw,
  /var/spool/postfix/deferred/{,**} rw,
}

profile postfix-sendmail /usr/bin/sendmail {
  include if exists <local/postfix-sendmail>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-hardening>
  include <abstractions/krathalans-nameservice>

  /usr/bin/sendmail r,
  /usr/bin/postdrop rPx,
  /usr/bin/postalias rPx,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
}

profile postfix-postalias /usr/bin/postalias {
  include if exists <local/postfix-sendmail>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-hardening>
  include <abstractions/krathalans-nameservice>

  /usr/bin/postalias r,

  # Necessary to update files
  /etc/aliases{,*} rwk,

  # Networking
  network inet stream,
  network netlink raw,

  # Misc
  /etc/machine-id r,
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
}

profile postfix-smtp /usr/lib/postfix/bin/smtp {
  include if exists <local/postfix-smtp>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  capability dac_read_search,

  /usr/lib/postfix/bin/smtp r,

  # Networking
  include <abstractions/krathalans-networking>
  include <abstractions/ssl_certs>
  network netlink raw,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Misc
  /etc/services r,
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
  /var/spool/postfix/pid/inet.smtp rwk,
  /var/spool/postfix/pid/unix.smtp rwk,

  # Mail data
  /var/spool/postfix/active/{,**} rwk,
}

profile postfix-smtpd /usr/lib/postfix/bin/smtpd {
  include if exists <local/postfix-smtpd>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  capability dac_read_search,

  /usr/lib/postfix/bin/smtpd r,
  signal receive set=term peer=postfix,

  # Networking
  include <abstractions/krathalans-networking>
  include <abstractions/ssl_certs>
  include <abstractions/ssl_keys>
  network netlink raw,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  # https://weakdh.org/sysadmin.html
  /etc/krathalan/dhparams.pem r,

  # Misc
  /etc/aliases.* rk,
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
  /var/spool/postfix/pid/inet.submission rwk,
  /var/spool/postfix/pid/inet.smtp rwk,
  /var/spool/postfix/pid/inet.smtps rwk,
}

profile postfix-tlsmgr /usr/lib/postfix/bin/tlsmgr {
  include if exists <local/postfix-tlsmgr>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/tlsmgr r,
  signal receive set=term peer=postfix,

  # Networking
  include <abstractions/openssl>
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
  /var/lib/postfix/prng_exch rwk,
  /var/lib/postfix/smtp{,d}_scache.{db,lmdb} rwk,
}

profile postfix-trivial-rewrite /usr/lib/postfix/bin/trivial-rewrite {
  include if exists <local/postfix-trivial-rewrite>
  include <abstractions/base>
  include <abstractions/postfix-common>
  include <abstractions/krathalans-nameservice>

  /usr/lib/postfix/bin/trivial-rewrite r,
  signal receive set=term peer=postfix,

  # Networking
  network netlink raw,
  network inet stream,
  network inet6 stream,

  # Misc
  /etc/postfix/dynamicmaps.cf.d/postfix-lmdb.cf r,
  /proc/sys/kernel/random/boot_id r,
}
