samba profile needs updating

Bug #1990692 reported by Andreas Hasenack
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

kinetic
apparmor 3.0.7-1ubuntu1

sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client

Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null

Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root

Just to be sure, restart things:
sudo systemctl restart smbd nmbd

Check it's there:
sudo lpstat -l -p testprinter

This command (using the password you chose in smbpasswd earlier) will trigger a bunch of apparmor ALLOWED messages regarding the samba profiles:
rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'

[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.870:99): apparmor="ALLOWED" operation="mknod" profile="smbd" name="/run/samba/msg.sock/1002" pid=1002 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.886:100): apparmor="ALLOWED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/libexec/samba/samba-dcerpcd" pid=1003 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.906:101): apparmor="ALLOWED" operation="open" profile="samba-dcerpcd" name="/usr/libexec/samba/" pid=1003 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:102): apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" name="/run/samba/msg.sock/1003" pid=1003 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:103): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/names.tdb" pid=1003 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:104): apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" name="/run/samba/msg.sock/1004" pid=1004 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.914:105): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/gencache.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.918:106): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/epmdb.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:107): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_epmapper" pid=1007 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:108): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_fsrvp" pid=1008 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

We have the following classes:
a) /run/samba/msg.sock/<number>
This msg.sock/ stuff used to live in /var/lib/samba/private, and was covered by other apparmor rules, but in 2:4.16.1+dfsg-1 was moved[1] to /run/samba. I suggest this change in abstractions/samba:
- @{run}/{,lock/}samba/msg.lock/ rwk,
- @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+ @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+ @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
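Review bot: consider adding a comment above the two new rules recording why msg.sock/ is needed (the move of the message sockets from /var/lib/samba/private to /run/samba in 2:4.16.1+dfsg-1, reference [1]), since abstractions/samba is shared by several profiles and the reason will not be obvious from the rule alone. The `{lock,sock}` alternation keeps the existing msg.lock/ coverage, and the `w` in `rwk` covers the `mknod` with `requested_mask="c"` seen in the audit lines, so the hunk does address them.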

b) "k" on /run/samba/*.tdb
I suggest this on abstractions/samba:
- @{run}/{,lock/}samba/*.tdb rw,
+ @{run}/{,lock/}samba/*.tdb rwk,
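Review bot: adding `k` to the wildcard grants file locking on every *.tdb under @{run}/samba and @{run}/lock/samba, while the audit lines only show `file_lock` on names.tdb, gencache.tdb and epmdb.tdb. That matches the scope the existing `rw` wildcard already has, so it is consistent; if the abstraction is meant to stay minimal, list those three files explicitly instead.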

c) libexec
Since [2], many binary helpers were moved to /usr/libexec/samba
Unsure where this is best allowed. Not all profiles include abstractions/samba or abstractions/samba-rpcd

d) ncalrpc
Seems fixed already in upstream apparmor:
$ grep ncalrpc -r .
./profiles/apparmor.d/samba-dcerpcd: @{run}/samba/ncalrpc/ rw,
./profiles/apparmor.d/samba-dcerpcd: @{run}/samba/ncalrpc/** rw,
./profiles/apparmor.d/usr.sbin.smbd: @{run}/samba/ncalrpc/ rw,
./profiles/apparmor.d/usr.sbin.smbd: @{run}/samba/ncalrpc/** rw,

e) urandom access by samba-rpcd-spoolss
I guess just allow it in that profile, or have it include abstractions/base which allows /dev/urandom

f) samba-rpcd-spoolss access to /var/cache/samba/printing/ seems new; I didn't find a rule for it in upstream apparmor.

1. https://salsa.debian.org/samba-team/samba/-/blob/master/debian/changelog#L169
2. https://salsa.debian.org/samba-team/samba/-/blob/master/debian/changelog#L348
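As an added example (not part of the bug report or the apparmor project), the following Python triage script parses audit lines like the ones quoted above and groups the denied masks by profile and generalized path into candidate rule lines, the way classes a) to f) were derived by hand. It handles both ALLOWED (complain mode, as here) and DENIED (enforce mode) events, maps create (`c`) onto `w` as AppArmor rules require, and replaces PID-named path components with `[0-9]*`; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Sample input: four of the audit lines quoted in the bug report (constructed subset).
SAMPLE_LOG = """\
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.870:99): apparmor="ALLOWED" operation="mknod" profile="smbd" name="/run/samba/msg.sock/1002" pid=1002 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:103): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/names.tdb" pid=1003 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.914:105): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/gencache.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:107): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_epmapper" pid=1007 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either "quoted" or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Audit mask letters -> permission letters usable in a profile rule.
# AppArmor rules have no 'c' (create) or 'd' (delete); both need 'w'.
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                'k': 'k', 'm': 'm', 'l': 'l', 'x': 'x'}
PERM_ORDER = 'rwamlkx'  # canonical order when rendering a rule

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def generalize(path):
    """Replace all-digit (PID-like) path components with [0-9]* so one rule covers every process."""
    return '/'.join('[0-9]*' if part.isdigit() else part for part in path.split('/'))

def suggest_rules(log_text):
    """Aggregate ALLOWED/DENIED file events into {profile: [candidate rule line, ...]}."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get('apparmor') not in ('ALLOWED', 'DENIED') or 'name' not in ev:
            continue
        for letter in ev.get('denied_mask', ''):
            if letter in MASK_TO_PERM:
                perms[(ev['profile'], generalize(ev['name']))].add(MASK_TO_PERM[letter])
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        rules[profile].append(f"{path} {''.join(p for p in PERM_ORDER if p in letters)},")
    return dict(rules)

if __name__ == '__main__':
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

The output is a starting point for review, not a replacement for aa-logprof from apparmor-utils; a suggested rule still needs to be checked against the abstraction or profile it will land in.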

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.7-1ubuntu2

---------------
apparmor (3.0.7-1ubuntu2) kinetic; urgency=medium

  * ubuntu/add-mqueue-support.patch: add message queue IPC support to
    parser, python tools, and regression tests.
  * ubuntu/add-userns-support.patch: add user namespace support to
    parser.
  * ubuntu/lp1990692-update-samba-profile.patch: update samba policy to
    enable the printing subsystem to work (LP: #1990692)

 -- Georgia Garcia <email address hidden> Fri, 23 Sep 2022 18:21:44 -0300

Changed in apparmor (Ubuntu):
status: New → Fix Released