kinetic
apparmor 3.0.7-1ubuntu1
sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client
Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null
Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root
Just to be sure, restart things:
sudo systemctl restart smbd nmbd
Check it's there:
sudo lpstat -l -p testprinter
This command (using the password you chose in smbpasswd earlier) will trigger a bunch of apparmor ALLOWED messages regarding the samba profiles:
rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.870:99): apparmor="ALLOWED" operation="mknod" profile="smbd" name="/run/samba/msg.sock/1002" pid=1002 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.886:100): apparmor="ALLOWED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/libexec/samba/samba-dcerpcd" pid=1003 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.906:101): apparmor="ALLOWED" operation="open" profile="samba-dcerpcd" name="/usr/libexec/samba/" pid=1003 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:102): apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" name="/run/samba/msg.sock/1003" pid=1003 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:103): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/names.tdb" pid=1003 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:104): apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" name="/run/samba/msg.sock/1004" pid=1004 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.914:105): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/gencache.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.918:106): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/epmdb.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:107): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_epmapper" pid=1007 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:108): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_fsrvp" pid=1008 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
We have the following classes:
a) /run/samba/msg.sock/<number>
This msg.sock/ stuff used to live in /var/lib/samba/private, and was covered by other apparmor rules, but in 2:4.16.1+dfsg-1 was moved[1] to /run/samba. I suggest this change in abstractions/samba:
- @{run}/{,lock/}samba/msg.lock/ rwk,
- @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+ @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+ @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
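Review bot: the new `msg.{lock,sock}/[0-9]*` rule only helps the profiles that include abstractions/samba, and the audit lines above show the mknod on `/run/samba/msg.sock/1002` coming from the `smbd` profile while the `msg.sock/1003` and `msg.sock/1004` ones come from `samba-dcerpcd`; since item c) below notes that not every samba profile includes this abstraction, confirm that both `smbd` and `samba-dcerpcd` pull it in, otherwise the process that actually creates the socket still gets the denial.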
b) "k" on /run/samba/*.tdb
I suggest this on abstractions/samba:
- @{run}/{,lock/}samba/*.tdb rw,
+ @{run}/{,lock/}samba/*.tdb rwk,
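Review bot: `*` does not cross a `/`, so the added `k` on `*.tdb` only covers tdb files directly under `@{run}/{,lock/}samba/`; that is enough for the three file_lock denials in the log (names.tdb, gencache.tdb and epmdb.tdb all sit directly in /run/samba), but a one-line comment above the rule stating that the lock permission is needed for tdb locking by samba-dcerpcd would keep the next editor of this shared abstraction from narrowing it back to `rw`.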
c) libexec
Since [2], many binary helpers were moved to /usr/libexec/samba.
Unsure where this is best allowed. Not all profiles include abstractions/samba or abstractions/samba-rpcd.
d) ncalrpc
Seems fixed already in upstream apparmor:
$ grep ncalrpc -r .
./profiles/apparmor.d/samba-dcerpcd: @{run}/samba/ncalrpc/ rw,
./profiles/apparmor.d/samba-dcerpcd: @{run}/samba/ncalrpc/** rw,
./profiles/apparmor.d/usr.sbin.smbd: @{run}/samba/ncalrpc/ rw,
./profiles/apparmor.d/usr.sbin.smbd: @{run}/samba/ncalrpc/** rw,
e) urandom access by samba-rpcd-spoolss
I guess just allow it in that profile, or have it include abstractions/base, which allows /dev/urandom.
f) samba-rpcd-spoolss access to /var/cache/samba/printing/ seems new; I didn't find a rule for it in upstream apparmor.
1. https://salsa.debian.org/samba-team/samba/-/blob/master/debian/changelog#L169
2. https://salsa.debian.org/samba-team/samba/-/blob/master/debian/changelog#L348
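As an added example (not part of this bug report or of the apparmor package), the check the reporter did by hand, automated: parse the audit lines above, translate the abstractions/samba rules proposed in items a) and b) into regular expressions, and list every event that the proposed rules still do not grant. It assumes a simplified expansion of the @{run} tunable to /run and that a `w` rule also satisfies create (`c`) requests; the sample log and rule text are constructed from lines in this report.

```python
import re
# Constructed sample: three of the audit lines from this report, one per class.
SAMPLE_LOG = """\
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.870:99): apparmor="ALLOWED" operation="mknod" profile="smbd" name="/run/samba/msg.sock/1002" pid=1002 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:103): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/names.tdb" pid=1003 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:107): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_epmapper" pid=1007 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
# The abstractions/samba rules as proposed in items a) and b) of this report.
PROPOSED_RULES = """\
@{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
@{run}/{,lock/}samba/*.tdb rwk,
"""
RUN_DIR = "/run"  # assumed (simplified) expansion of the @{run} tunable
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    # Keep only audit lines that carry an apparmor verdict and a path.
    evs = [dict(FIELD.findall(line)) for line in text.splitlines()]
    return [e for e in evs if e.get("apparmor") in ("ALLOWED", "DENIED") and "name" in e]

def rule_to_regex(glob):
    # Translate the subset of AppArmor path globbing used here: @{run}, {a,b}, [0-9], *.
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("@{run}", i):
            out.append(re.escape(RUN_DIR)); i += 6; continue
        if c == "*": out.append("[^/]*")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}": out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        elif c == "[":
            j = glob.index("]", i); out.append(glob[i:j + 1]); i = j
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def find_uncovered(log_text, rules_text):
    # Return (profile, path, missing perms) for every event no rule fully grants.
    rules = [(rule_to_regex(p), set(m)) for p, m in
             (l.rstrip(",").rsplit(None, 1) for l in rules_text.splitlines())]
    uncovered = []
    for ev in parse_events(log_text):
        granted = set().union(*(m for rx, m in rules if rx.match(ev["name"])))
        if "w" in granted: granted |= {"c", "a"}  # a write rule also grants create/append
        missing = set(ev["denied_mask"]) - granted
        if missing: uncovered.append((ev["profile"], ev["name"], "".join(sorted(missing))))
    return uncovered
```

With the proposed rules only the /usr/libexec/samba helper (item c) remains unaddressed; feeding the pre-change rules in instead reports all three events as still missing a permission.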
This bug was fixed in the package apparmor - 3.0.7-1ubuntu2
---------------
apparmor (3.0.7-1ubuntu2) kinetic; urgency=medium
  * ubuntu/add-mqueue-support.patch: add message queue IPC support to
    parser, python tools, and regression tests.
  * ubuntu/add-userns-support.patch: add user namespace support to
    parser.
  * ubuntu/lp1990692-update-samba-profile.patch: update samba policy to
    enable the printing subsystem to work (LP: #1990692)
-- Georgia Garcia <email address hidden> Fri, 23 Sep 2022 18:21:44 -0300