From 742e3587b1311278a76e985748b0225da5010a31 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 26 Jun 2022 23:32:01 +0200
Subject: [PATCH] fix(mok): Add missing FOWNER capability to setup chroot
 directories

---
 charts/mok/README.md                                 | 1 +
 charts/mok/tests/__snapshot__/dovecot_test.yaml.snap | 1 +
 charts/mok/values.yaml                               | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/charts/mok/README.md b/charts/mok/README.md
index 1c51b608e..2760d37cc 100644
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -39,6 +39,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | dovecot.securityContext.capabilities.add[2] | string | `"CAP_NET_BIND_SERVICE"` | required to bind privileged ports in the container, such as 993, 143, 24, etc. |
 | dovecot.securityContext.capabilities.add[3] | string | `"SETUID"` | required to drop privileges with dovecot process |
 | dovecot.securityContext.capabilities.add[4] | string | `"SETGID"` | required to drop privileges with dovecot process |
+| dovecot.securityContext.capabilities.add[5] | string | `"FOWNER"` | required to create spool directories |
 | dovecot.securityContext.capabilities.drop[0] | string | `"ALL"` | required to drop privileges by default |
 | dovecot.securityContext.runAsNonRoot | bool | `false` |  |
 | dovecot.service.internal.type | string | `"ClusterIP"` | type of the public endpoint for lmtp, metrics, authentication |
diff --git a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
index a0353e1bf..638a388a8 100644
--- a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
@@ -122,6 +122,7 @@ should match snapshot:
                 - CAP_NET_BIND_SERVICE
                 - SETUID
                 - SETGID
+                - FOWNER
                 drop:
                 - ALL
               runAsNonRoot: false
diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml
index 54b5400a1..d18a7cf6a 100644
--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -136,6 +136,8 @@ dovecot:
         - SETUID
         # -- required to drop privileges with dovecot process
         - SETGID
+        # -- required to create spool directories
+        - FOWNER
       drop:
         # -- required to drop privileges by default
         - ALL
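Review bot: The comment on the new `FOWNER` entry says "required to create spool directories", while the commit subject says the capability is needed to set up chroot directories, so a reader cannot tell which operation actually requires it. FOWNER lets the process bypass the file-owner check for operations such as chmod on any file it can reach, not only the directories in question, so the justification deserves to be precise. I would word it along the lines of `# -- required so dovecot can set permissions on chroot/spool directories it does not own at startup` (confirm the exact operation that failed without it). It would also help to say whether pre-creating those directories with the right ownership would make the capability unnecessary. The `add:` list this entry belongs to begins above the hunk.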
-- 
GitLab