[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile

Andreas Hasenack Mon, 29 Nov 2021 06:31:01 -0800

I'm having to add the following just to allow samba to be started by systemd, 
and I'm still missing net_admin capa, which I'm reluctant to add:
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,12 +24,22 @@
   capability sys_resource,
   capability sys_tty_config,
 
+  # when started by systemd
+  ptrace read peer=unconfined,
+
   /etc/mtab r,
   /etc/netgroup r,
   /etc/printcap r,
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
+
+  # https://gitlab.com/apparmor/apparmor/-/issues/203
+  # needed when smbd is started by systemd
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
@@ -51,6 +61,8 @@
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
   @{run}/samba/smbd.pid rw,
+  # when started by systemd
+  @{run}/systemd/notify w,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,



With the above, I only get this alert now:
[Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): 
apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" 
capability=12  capname="net_admin"


And only when starting smbd with systemd. Looks like we will have to live with 
that one, if I understood the comments in the usptream bug correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

Status in apparmor package in Ubuntu:
  New

Bug description:
  ubuntu jammy

  apparmor-profiles 3.0.3-0ubuntu3
  samba             2:4.13.5+dfsg-2ubuntu3

  smbd:
  Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586080] audit: type=1400 
audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" 
pid=1094 comm="smbd" capability=12  capname="net_admin"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586241] audit: type=1400 
audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592258] audit: type=1400 
audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592460] audit: type=1400 
audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592532] audit: type=1400 
audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" 
pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592683] audit: type=1400 
audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.600378] audit: type=1400 
audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0

  nmbd:
  Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon... 
                                                                                
                                
  Nov 25 14:59:26 jammy-samba-apparmor kernel: [  196.718721] audit: type=1400 
audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" 
pid=1067 comm="nmbd" capability=1
  2  capname="net_admin"                               

  
  The systemd notify one for smbd was first fixed for nmbd in 
https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd 
was missed.

  net_admin might be https://github.com/systemd/systemd/pull/10085, I
  didn't check if jammy's systemd has that patch (it should, since it's
  old)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile

Reply via email to