2022-06-25 12:26:12 |
asdasda |
bug |
|
|
added bug |
2022-06-25 12:26:52 |
asdasda |
description |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has is on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd |
|
2022-06-27 11:36:37 |
Paride Legovini |
bug |
|
|
added subscriber Ubuntu Server |
2022-06-27 11:36:40 |
Paride Legovini |
samba (Ubuntu): status |
New |
Triaged |
|
2022-06-27 11:36:58 |
Paride Legovini |
bug task added |
|
apparmor (Ubuntu) |
|
2022-06-27 11:37:14 |
Paride Legovini |
apparmor (Ubuntu): status |
New |
Triaged |
|
2022-06-27 11:37:28 |
Paride Legovini |
tags |
|
server-todo |
|
2022-06-27 16:14:25 |
Paride Legovini |
nominated for series |
|
Ubuntu Jammy |
|
2022-06-27 16:14:25 |
Paride Legovini |
bug task added |
|
samba (Ubuntu Jammy) |
|
2022-06-27 16:14:25 |
Paride Legovini |
bug task added |
|
apparmor (Ubuntu Jammy) |
|
2022-06-27 16:14:33 |
Paride Legovini |
apparmor (Ubuntu Jammy): status |
New |
Triaged |
|
2022-06-27 16:14:36 |
Paride Legovini |
samba (Ubuntu Jammy): status |
New |
Triaged |
|
2022-06-27 16:14:41 |
Paride Legovini |
apparmor (Ubuntu): status |
Triaged |
Fix Released |
|
2022-06-27 16:15:01 |
Paride Legovini |
samba (Ubuntu): status |
Triaged |
Fix Released |
|
2022-06-27 16:15:15 |
Paride Legovini |
apparmor (Ubuntu): status |
Fix Released |
Invalid |
|
2022-06-27 16:15:24 |
Paride Legovini |
apparmor (Ubuntu Jammy): status |
Triaged |
Incomplete |
|
2022-06-27 16:16:00 |
Paride Legovini |
apparmor (Ubuntu Jammy): status |
Incomplete |
Triaged |
|
2022-06-29 15:10:51 |
Christian Ehrhardt |
tags |
server-todo |
bitesize server-todo |
|
2022-07-20 15:14:23 |
Michał Małoszewski |
apparmor (Ubuntu): assignee |
|
Michał Małoszewski (michal-maloszewski99) |
|
2022-07-20 15:14:25 |
Michał Małoszewski |
apparmor (Ubuntu Jammy): assignee |
|
Michał Małoszewski (michal-maloszewski99) |
|
2022-08-01 12:35:55 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/apparmor/+git/apparmor/+merge/427682 |
|
2022-08-03 16:52:06 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2022-08-05 16:29:12 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/apparmor/+git/apparmor/+merge/427973 |
|
2022-08-17 18:00:06 |
Michał Małoszewski |
apparmor (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2022-08-30 12:27:58 |
Michał Małoszewski |
description |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required in the *.tdb files. |
|
2022-08-30 12:33:34 |
Michał Małoszewski |
description |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required in the *.tdb files. |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 11:21:11 |
Michał Małoszewski |
description |
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Path to samba-bgqd is wrong on 22.04.
Changing from /usr/lib*/samba/samba-bgqd into /usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
The @{multiarch} was initialized at the code before.
Before fixing it might confuse users with ambiguity.
This was later changed by moving the binary, but for an SRU let us just adapt the path in apparmor.
Obviously, the bug doesn’t affect users by default, because the samba profiles
are only installed and activated if you install the apparmor-profiles package and moreover it has to be in enforce mode to affect users. The profile is applied in complain mode by default.
After all these conditions are met, then the impact is that the samba services will fail to start.
The next thing which occurred was the problem with ‘k’ flag which was needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed tag so that the fix can be bundled with another future apparmor SRU.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 17:21:43 |
Andreas Hasenack |
bug task deleted |
samba (Ubuntu Jammy) |
|
|
2022-09-09 17:32:33 |
Jerome Haltom |
bug |
|
|
added subscriber Jerome Haltom |
2022-09-09 17:33:28 |
Andreas Hasenack |
description |
[Impact]
Path to samba-bgqd is wrong on 22.04.
Changing from /usr/lib*/samba/samba-bgqd into /usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
The @{multiarch} was initialized at the code before.
Before fixing it might confuse users with ambiguity.
This was later changed by moving the binary, but for an SRU let us just adapt the path in apparmor.
Obviously, the bug doesn’t affect users by default, because the samba profiles
are only installed and activated if you install the apparmor-profiles package and moreover it has to be in enforce mode to affect users. The profile is applied in complain mode by default.
After all these conditions are met, then the impact is that the samba services will fail to start.
The next thing which occurred was the problem with ‘k’ flag which was needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed tag so that the fix can be bundled with another future apparmor SRU.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed tag so that the fix can be bundled with another future apparmor SRU.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 17:34:21 |
Andreas Hasenack |
tags |
bitesize server-todo |
bitesize block-proposed-jammy server-todo |
|
2022-09-09 17:35:48 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed tag so that the fix can be bundled with another future apparmor SRU.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate what is needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 17:48:44 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate what is needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 18:17:11 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
# First of all, install apparmor-profiles, apparmor-utils and samba.
# apt update && apt install apparmor-profiles apparmor-utils samba
# Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 18:24:07 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
# First of all, install apparmor-profiles, apparmor-utils and samba.
# apt update && apt install apparmor-profiles apparmor-utils samba
# Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages:
# apt update && apt install apparmor-profiles apparmor-utils samba
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-09-09 18:43:58 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages:
# apt update && apt install apparmor-profiles apparmor-utils samba
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages:
# apt update && apt install apparmor-profiles apparmor-utils samba
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-09 16:17:17 |
Christian Ehrhardt |
apparmor (Ubuntu Jammy): assignee |
Michał Małoszewski (michal-maloszewski99) |
Andreas Hasenack (ahasenack) |
|
2022-11-09 16:17:22 |
Christian Ehrhardt |
apparmor (Ubuntu): assignee |
Michał Małoszewski (michal-maloszewski99) |
Andreas Hasenack (ahasenack) |
|
2022-11-24 14:21:16 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages:
# apt update && apt install apparmor-profiles apparmor-utils samba
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-24 14:21:33 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-24 14:24:27 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
root@jammy-test:~#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v smbd
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-24 14:28:04 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v smbd
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-24 14:39:27 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
TBD
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
avahi-daemon (complain) 4363 ? Ss 0:00 avahi-daemon: running [j-samba-bgqd-apparmor.local]
smbd (enforce) 6734 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6736 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6737 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
samba-bgqd (enforce) 6738 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=11 --debuglevel=0 -F
Now that the bgqd daemon is running, let's create an actual printer and interact with it:
First, set a password for the samba "root" user:
# printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
# lpadmin -p testprinter -E -v /dev/null
Check it's there:
# lpstat -l -p testprinter
Probe it via samba:
# rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output, or even an error, doesn't matter)
Confirm dmesg on the *host* has no apparmor DENIED events related to the rpcclient command above.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-24 15:08:32 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
avahi-daemon (complain) 4363 ? Ss 0:00 avahi-daemon: running [j-samba-bgqd-apparmor.local]
smbd (enforce) 6734 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6736 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6737 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
samba-bgqd (enforce) 6738 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=11 --debuglevel=0 -F
Now that the bgqd daemon is running, let's create an actual printer and interact with it:
First, set a password for the samba "root" user:
# printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
# lpadmin -p testprinter -E -v /dev/null
Check it's there:
# lpstat -l -p testprinter
Probe it via samba:
# rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output, or even an error, doesn't matter)
Confirm dmesg on the *host* has no apparmor DENIED events related to the rpcclient command above.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
avahi-daemon (complain) 4363 ? Ss 0:00 avahi-daemon: running [j-samba-bgqd-apparmor.local]
smbd (enforce) 6734 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6736 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6737 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
samba-bgqd (enforce) 6738 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=11 --debuglevel=0 -F
Now that the bgqd daemon is running, let's create an actual printer and interact with it:
First, set a password for the samba "root" user:
# printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
# lpadmin -p testprinter -E -v /dev/null
Check it's there:
# lpstat -l -p testprinter
Add this section to the end of /etc/samba/smb.conf:
[testprinter]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
Restart samba so we don't have to wait for it to pick up the changes:
systemctl restart smbd nmbd
Probe the printer via samba:
# rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output)
This is the test: confirm dmesg on the *host* has no apparmor DENIED events related to the rpcclient command above.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2022-11-24 15:23:08 |
Andreas Hasenack |
tags |
bitesize block-proposed-jammy server-todo |
bitesize block-proposed-jammy |
|
2023-11-27 21:29:34 |
Andreas Hasenack |
description |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
avahi-daemon (complain) 4363 ? Ss 0:00 avahi-daemon: running [j-samba-bgqd-apparmor.local]
smbd (enforce) 6734 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6736 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6737 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
samba-bgqd (enforce) 6738 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=11 --debuglevel=0 -F
Now that the bgqd daemon is running, let's create an actual printer and interact with it:
First, set a password for the samba "root" user:
# printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
# lpadmin -p testprinter -E -v /dev/null
Check it's there:
# lpstat -l -p testprinter
Add this section to the end of /etc/samba/smb.conf:
[testprinter]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
Restart samba so we don't have to wait for it to pick up the changes:
systemctl restart smbd nmbd
Probe the printer via samba:
# rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output)
This is the test: confirm dmesg on the *host* has no apparmor DENIED events related to the rpcclient command above.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
Install the needed packages in this order, with two separate commands:
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client
Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart smbd:
# systemctl restart smbd
systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#
# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13
And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Restart:
# systemctl restart smbd
And confirm that smbd and samba-bgqd are running this time, and in enforce mode:
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
avahi-daemon (complain) 4363 ? Ss 0:00 avahi-daemon: running [j-samba-bgqd-apparmor.local]
smbd (enforce) 6734 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6736 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6737 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
samba-bgqd (enforce) 6738 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=11 --debuglevel=0 -F
Now that the bgqd daemon is running, let's create an actual printer and interact with it:
First, set a password for the samba "root" user:
# printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
# lpadmin -p testprinter -E -v /dev/null
Check it's there:
# lpstat -l -p testprinter
Add this section to the end of /etc/samba/smb.conf:
[testprinter]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
Restart samba so we don't have to wait for it to pick up the changes:
systemctl restart smbd nmbd
Probe the printer via samba:
# rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output)
This is the test: confirm dmesg on the *host* has no apparmor DENIED events related to the rpcclient command above.
[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.
This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba. |
|
2024-03-12 07:13:56 |
Christian Fetzer |
bug |
|
|
added subscriber Christian Fetzer |