Re: [apparmor] Let's enable AppArmor by default (why not?)

2018-03-20 Thread Christian Boltz
Hello,

On Tuesday, 20 March 2018, 01:37:03 CET, Seth Arnold wrote:
> On Mon, Mar 19, 2018 at 10:10:02AM -0400, Marvin Renich wrote:
> > Is there a way that an app (e.g. smbd) whose file access requirements
> > change dynamically through admin and user configuration can at least
> > inspect its own apparmor profile and give the user a clue that the
> > admin must update the profile?
> 
> Our friends at SUSE have a script that automatically generates
> portions of an AppArmor profile for Samba based on the Samba
> configuration: https://bugzilla.novell.com/show_bug.cgi?id=688040
> 
> I'm not entirely sold on the idea, as a hand-authored security policy
> can serve as belt-and-suspenders against misconfiguration or a broken
> management system that allows unauthenticated users to create too-wide
> shares.
> 
> The usability gain is undeniable.

As the author of that script, I can tell you that it made *lots of*
users happy ;-)  Before we had that script, we[1] got a bug report each month
about AppArmor denials in Samba because of shares outside of /home.
Since the script is in use, that number went down to zero :-)

Yes, there is a risk that a samba misconfiguration results in too wide 
permissions, but the script has a few safety checks and won't auto-add
- paths with variables (anything containing a % sign)
- "/" - because sharing your complete filesystem is insane
to reduce that risk.

The big advantage of the script is that we can ship the samba profile
in enforce mode without annoying users ;-) - and that's much better
than having to disable the profile by default because it breaks Samba
with non-default configuration/shares.
Oh, and the smb profile helped to prevent exploiting SambaCry :-)

I'll attach the latest version of the script to this mail. [2]

You'll need to call it in smb.service as:
ExecStartPre=/usr/share/samba/update-apparmor-samba-profile

You'll also need to apply

https://build.opensuse.org/package/view_file/openSUSE:Factory/apparmor/apparmor-samba-include-permissions-for-shares.diff?expand=1
to the smb AppArmor profile to include the autogenerated snippet. [3]


Regards,

Christian Boltz

[1] Just in case it isn't obvious on Debian mailing lists - "we" means
"openSUSE" ;-)

[2] directly taken from the package:
https://build.opensuse.org/package/show/openSUSE:Factory/samba
(it's in the vendor-files-*.tar.bz2 tarball)

[3] Actually it should now be possible to push this patch upstream
using "#include if exists" ;-)

-- 
I am supposed to be the info provider, so here is my answer:
42
By the way:
What is the question?
[Johannes Meixner in https://bugzilla.novell.com/show_bug.cgi?id=190173]


update-apparmor-samba-profile
Description: application/shellscript


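To illustrate the safety checks Christian describes, here is an added shell example (not his script, which is attached to the original mail): it pulls `path =` values from a constructed smb.conf, drops paths containing a `%` variable and the bare `/`, and emits an AppArmor snippet. The rule permissions and the snippet path are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample smb.conf for demonstration; not a real configuration.
SMB_CONF_SAMPLE='[global]
   workgroup = WORKGROUP
[homes]
   path = /home/%U
   browseable = no
[projects]
   path = /srv/projects
   read only = no
[root]
   path = /
[media]
   path = /srv/media/
'

# Read an smb.conf on stdin and print AppArmor rules for every share path
# that passes the safety checks; skipped paths are reported on stderr.
gen_share_rules() {
    # keep only the value of "path = ..." lines, then strip trailing blanks
    sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' \
    | sed 's/[[:space:]]*$//' \
    | while IFS= read -r p; do
        case "$p" in
            *%*) printf 'skipping %s: contains a %% variable\n' "$p" >&2; continue ;;
            /)   printf 'skipping /: refusing the whole filesystem\n' >&2; continue ;;
            /*)  ;;
            *)   printf 'skipping %s: not an absolute path\n' "$p" >&2; continue ;;
        esac
        p=${p%/}   # normalise a trailing slash so rules are not duplicated
        # assumed permission set: read the directory, full access below it
        printf '  "%s/" r,\n  "%s/**" rwkl,\n' "$p" "$p"
    done
}

# Write the snippet that the smb profile pulls in via "#include if exists".
# $1 is the output file (hypothetical location, e.g. /etc/apparmor.d/samba/...).
write_snippet() {
    {
        echo '# autogenerated from smb.conf; do not edit by hand'
        gen_share_rules
    } > "$1"
}
```

Run it as `printf '%s' "$SMB_CONF_SAMPLE" | write_snippet /tmp/smb-shares` to see which shares were admitted and which were skipped.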


Bug#893648: ITP: wallabako -- wallabag commandline client

2018-03-20 Thread Antoine Beaupre
Package: wnpp
Severity: wishlist
Owner: Antoine Beaupre 

* Package name: wallabako
  Version : 1.2.0+git20180320.1.5c15e02-1
  Upstream Author : Antoine Beaupre
* URL : https://gitlab.com/anarcat/wallabako
* License : AGPLv3
  Programming Lang: Go
  Description : wallabag commandline client

Wallabako is a Wallabag (read-it later service) client for Kobo
readers. It downloads unread articles as individual EPUB files.

Features:

 * fast: downloads only files that have changed, in parallel
 * unattended: runs in the background, when the wifi is turned on,
   only requires you to tap the fake USB connection screen for the
   Kobo to rescan its database
 * status synchronization: read books are marked as read in the
   Wallabag instance

--

This can serve as a backup/synchronization tool for your Wallabag
instance, although it is currently restricted only to ePUB versions.



Bug#893628: ITP: golang-github-a8m-tree -- implementation of the tree command

2018-03-20 Thread Dr. Tobias Quathamer
Package: wnpp
Severity: wishlist
Owner: Dr. Tobias Quathamer 

* Package name: golang-github-a8m-tree
  Version : 0.0~git20171213.cf42b1e-1
  Upstream Author : Ariel Mashraki
* URL : https://github.com/a8m/tree
* License : MIT
  Programming Lang: Go
  Description: implementation of the tree command
 An implementation of the tree
 (http://mama.indstate.edu/users/ice/tree/)
 command written in Go, that can be used programmatically.


This package is needed as a dependency for the new upstream version of rclone.

Regards,
Tobias





Bug#893616: ITP: puppet-module-joshuabaird-ipaclient -- Puppet module for Joshuabaird IPAclient

2018-03-20 Thread Thomas Goirand
Package: wnpp
Severity: wishlist
Owner: Thomas Goirand 

* Package name: puppet-module-joshuabaird-ipaclient
  Version : 2.5.2
  Upstream Author : Stephen Benjamin & Josh Baird
* URL : https://github.com/joshuabaird/puppet-ipaclient
* License : Expat
  Programming Lang: Puppet
  Description : Puppet module for Joshuabaird IPAclient

 Puppet lets you centrally manage every important aspect of your system using a
 cross-platform specification language that manages all the separate elements
 normally aggregated in different files, like users, cron jobs, and hosts,
 along with obviously discrete elements like packages, services, and files.
 .
 This module configures clients to use FreeIPA with as little fuss as possible.
 This module used to be known as stbenjam/puppet-ipaclient, but is now being
 maintained at joshuabaird/puppet-ipaclient.