smbd and nmbd can start up before their respective apparmor profiles are loaded

Bug #1228485 reported by David
This bug affects 1 person
Affects: samba (Ubuntu)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

It is possible for smbd and nmbd to start up before their respective apparmor profiles are loaded. This can be fixed by adding a /lib/init/apparmor-profile-load $daemon_location to the pre-start script of the smbd and nmbd upstart init configuration files.

David (d--) wrote :

Diff for smbd:

diff --git a/etc/init/smbd.conf b/etc/init/smbd.conf
index 3e85ea4..cdb077c 100644
--- a/init/smbd.conf
+++ b/init/smbd.conf
@@ -14,6 +14,7 @@ pre-start script
        [ "$RUN_MODE" = inetd ] && { stop; exit 0; }

        install -o root -g root -m 755 -d /var/run/samba
+ /lib/init/apparmor-profile-load usr.sbin.smbd
 end script

 exec smbd -F

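Review bot: the added /lib/init/apparmor-profile-load usr.sbin.smbd line runs unguarded, so on a host without that helper (the Debian case raised below) the pre-start script would fail before `exec smbd -F` is reached; wrap it as `if [ -x /lib/init/apparmor-profile-load ]; then /lib/init/apparmor-profile-load usr.sbin.smbd; fi` rather than a bare `[ -x ... ] && ...`, because as the last command of a `sh -e` stanza a false test would itself return non-zero and fail the job. Two smaller points: the new line is indented with a single space while the surrounding stanza uses the file's existing indentation, and the `diff --git` header names a/etc/init/smbd.conf while the `---`/`+++` lines name a/init/smbd.conf, so the patch needs its paths reconciled before it will apply cleanly.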
description: updated
David (d--) wrote :

Diff for nmbd:
diff --git a/etc/init/nmbd.conf b/etc/init/nmbd.conf
index 908c284..8aa4ffb 100644
--- a/init/nmbd.conf
+++ b/init/nmbd.conf
@@ -11,6 +11,7 @@ pre-start script
        [ -f /etc/samba/smb.conf ] || { stop; exit 0; }

        install -o root -g root -m 755 -d /var/run/samba
+ /lib/init/apparmor-profile-load usr.sbin.nmbd
        NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null || true`

        [ "x$NMBD_DISABLED" = xYes ] && { stop; exit 0; }

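Review bot: same unguarded helper call as in the smbd hunk; wrap it in `if [ -x /lib/init/apparmor-profile-load ]; then /lib/init/apparmor-profile-load usr.sbin.nmbd; fi` so pre-start still succeeds where the helper is absent. The load is also placed before the `disable netbios` check, so the profile is loaded even on hosts where this script then stops the job; moving it after the `[ "x$NMBD_DISABLED" = xYes ]` line keeps the load next to the actual daemon start. The single-space indentation and the a/etc/init vs a/init header mismatch noted on the smbd diff apply here as well.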
David (d--) wrote :

Ignore the previous two patch comments, I will attach the patches to this bug.

David (d--) wrote :

David (d--) wrote :

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "smbd.conf.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Steve Langasek (vorlon) wrote :

This is not an appropriate change to apply to the samba package in its current form, because we are not shipping an apparmor profile for either smbd or nmbd by default. If you have a local apparmor profile, you will need to be responsible for local modifications as well. It's not reasonable to have each upstart job provide apparmor integration that won't be used on most systems (and indeed, the upstart jobs need to run correctly on systems that don't have apparmor installed - e.g., in Debian).

Changed in samba (Ubuntu):
status: New → Invalid
David (d--) wrote :

@Steve it is *reasonable* to have this in the upstart smb.conf configuration because the apparmor profiles package does carry smbd and nmbd apparmor profiles. Also, I am not asking for this in all upstart init configuration files just in smbd & nmbd which *historically* (samba) are prone to security flaws and *both* samba and nmbd run as root.

Please consider re-opening this bug and resolving this issue.

David (d--) wrote :

I'll just note here that as per the apparmor man page it is possible to ensure that the samba and nmbd apparmor profiles are enforced by symlinking to their apparmor profiles in the /etc/apparmor/init/network-interface-security directory.

Steve Langasek (vorlon) wrote :

Ah, I overlooked the apparmor-profiles package, which I don't have installed here. In that case, yes, it would be reasonable to provide proper support for this in the samba package.

Note that if this is going to be in the samba upstart jobs, then, it needs to be guarded by a check for the existence of /lib/init/apparmor-profile-load. See the cups job for an example.

Changed in samba (Ubuntu):
status: Invalid → Triaged
tags: removed: patch
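The guarded helper call asked for above, written out as an added example that is not code from the bug's patches or from the samba package, together with a check that a started daemon is actually confined. The helper path and the /proc attr path are function parameters only so the code can be exercised on constructed files (an assumption for this example; on a real host the defaults apply).

```shell
#!/bin/sh
# Added example (not from the bug's patches or the samba package):
# the guarded profile load, plus a post-start check that the daemon
# really is confined. The helper and /proc attr paths are parameters
# only so the functions can be exercised on constructed files
# (assumption for this example; production callers pass none).

# Load an AppArmor profile through the upstart helper, but only if the
# helper is present. Using if/fi rather than a bare `[ -x ] && ...`
# matters when this is the last line of a `sh -e` pre-start stanza:
# a false test there would make the script exit non-zero and fail the job.
load_apparmor_profile() {
    profile="$1"
    helper="${2:-/lib/init/apparmor-profile-load}"
    if [ -x "$helper" ]; then
        "$helper" "$profile"
    fi
}

# Print the confinement label of a process, e.g. "/usr/sbin/smbd (enforce)",
# "/usr/sbin/smbd (complain)" or "unconfined", as AppArmor exposes it in
# /proc/PID/attr/current. Prints "unknown" and fails if it cannot be read.
confinement_label() {
    pid="$1"
    attr="${2:-/proc/$pid/attr/current}"
    if [ -r "$attr" ]; then
        tr -d '\n' < "$attr"
    else
        echo unknown
        return 1
    fi
}

# Succeed only when the label shows enforce mode; complain mode and
# unconfined both count as "not protected" for the purpose of this bug.
is_enforced() {
    case "$(confinement_label "$@")" in
        *"(enforce)") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a real host (reading another process's attr file needs root):
#   load_apparmor_profile usr.sbin.smbd
#   is_enforced "$(pidof -s smbd)" && echo "smbd is confined"
```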