apparmor blocking smbd which is in complain mode

Bug #1719354 reported by Aravind R on 2017-09-25
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
samba (Ubuntu) | | Undecided | Unassigned |
Xenial | | Medium | Andreas Hasenack |
Bionic | | Medium | Andreas Hasenack |

Bug Description

This error is occurring because samba is working in the user profile and the folder '/run/samba/msg.log' is owned by root. Any log created will be as root. Hence, samba is not able to log anything.

aravind@comp:~$ tail -f /var/log/syslog | grep -i apparmor
Sep 25 21:25:36 comp kernel: [ 4535.034713] audit: type=1400 audit(1506354936.898:275): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4470" pid=5690 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 25 21:25:36 comp kernel: [ 4535.034719] audit: type=1400 audit(1506354936.898:276): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4470" pid=5690 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.984668] audit: type=1400 audit(1506355059.847:290): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.984675] audit: type=1400 audit(1506355059.847:291): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.984679] audit: type=1400 audit(1506355059.847:292): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.984684] audit: type=1400 audit(1506355059.847:293): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.991838] audit: type=1400 audit(1506355059.855:294): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
^C

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor 2.10.95-0ubuntu2.7
ProcVersionSignature: Ubuntu 4.10.0-35.39~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-35-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Sep 25 21:27:07 2017
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.10.0-35-generic root=UUID=3bdb5792-d2a2-4f98-97bd-f274c3d0dde1 ro quiet splash crashkernel=384M-:128M vt.handoff=7
SourcePackage: apparmor
Syslog:
 Sep 25 10:34:40 comp dbus[1174]: [system] AppArmor D-Bus mediation is enabled
 Sep 25 18:34:05 comp dbus[1083]: [system] AppArmor D-Bus mediation is enabled
 Sep 25 20:10:24 comp dbus[1066]: [system] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)

Aravind R (araviaravi) wrote :
Aravind R (araviaravi) on 2017-09-26
affects: apparmor (Ubuntu) → samba (Ubuntu)
description: updated
Christian Boltz (cboltz) wrote :

This is fixed in AppArmor bzr since

revno: 3437.1.4
timestamp: Wed 2016-04-13 09:24:46 -0400
  usr.sbin.smbd: new lock dir used by recent versions (4.3.8)

so you'll "just" need to backport the smbd profile to 16.04.

Aravind R (araviaravi) wrote :

Mr. Christian,

Thanks, I will backport.

I have another problem too because of the same. I have installed apparmor-notify. Please just tell me how to disable the notification for samba in complain mode.

The below instance loops every 30 seconds.

The below is the algo which is causing the disaster of samba + apparmor.

START LOOP:

1) msg.lock is used in recent version 4.3.8

2) smbd is running as root

3) samba is running as local profile user

4) any file created by smbd in msg.lock is root:root

5) whenever samba tries to access the file, it gets a denial-of-write error.

6) AppArmor logs the above bla bla bla log in kernel.log.

7) AppArmor-notify alerts on the same.

RE-RUN LOOP EVERY 30 SECONDS

I am using Ubuntu desktop. I hope you can understand my problem. I can't find an option to do the same in aa-notify.

Thanks in advance.

Christian Boltz (cboltz) wrote :

aa-notify doesn't have an option to silence specific events - hey, its job is to annoy^Wnotify you, so what do you expect? ;-)

To silence the notifications, you'll have to update the profile.

The easiest solution is probably to download the latest smbd profile from
http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.11/view/head:/profiles/apparmor.d/usr.sbin.smbd
Replace your /etc/apparmor.d/usr.sbin.smbd profile with this file and reload AppArmor.

Disclaimer: I can only assume that Ubuntu uses this profile (I use openSUSE ;-)), so it's probably a good idea to keep a backup of the original smbd profile (move it outside of /etc/apparmor.d/ to avoid conflicts).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
PabloAB (pabloab777) wrote :

I run this:

wget -O /tmp/usr.sbin.smbd https://bazaar.launchpad.net/~apparmor-dev/apparmor/2.11/download/head:/usr.sbin.smbd-20091111194200-xv2hcz910jtzeta9-12/usr.sbin.smbd
sudo mv /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd_OLD
sudo mv /tmp/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd
sudo systemctl restart apparmor.service

And I still have those annoying logs in dmesg.
Ubuntu 16.04
apparmor 2.10.95-0ubuntu2.9
4.12.0-041200rc3-generic

Christian Boltz (cboltz) wrote :

> sudo mv /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd_OLD

Please move that *_OLD file outside of /etc/apparmor.d/ - otherwise it will still be loaded on a "last one wins" basis. Obviously you'll need to reload the profiles once more afterwards to ensure the "right" profile is loaded.

tags: added: server-next
Andreas Hasenack (ahasenack) wrote :

Confirmed that cosmic is fine now, but there are still issues in xenial as reported, and these two in bionic:
[ 132.722115] audit: type=1400 audit(1530560652.717:57): apparmor="DENIED" operation="capable" profile="/usr/sbin/nmbd" pid=717 comm="nmbd" capability=12 capname="net_admin"
[ 132.723745] audit: type=1400 audit(1530560652.717:58): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/nmbd" name="/run/systemd/notify" pid=717 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Changed in samba (Ubuntu Xenial):
status: New → Triaged
Changed in samba (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → Medium
Changed in samba (Ubuntu Xenial):
importance: Undecided → Medium
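As an added example (not code from the report or from the AppArmor project), a small Python triage script in the spirit of aa-logprof: it parses the audit lines quoted in this thread (the complain-mode ALLOWED events for smbd and the two bionic nmbd denials, embedded below as a constructed sample) and folds them into candidate profile rules, handling the file_lock and capability cases explicitly. The mask-to-permission mapping is assumed to follow aa-logprof's convention, and the output is something to review against the upstream profile, not the upstream profile itself.

```python
import re
from collections import defaultdict

# Constructed sample: audit lines copied from this report (complain-mode ALLOWED events
# for smbd on xenial plus the two DENIED nmbd events reported for bionic).
SAMPLE_LOG = """\
Sep 25 21:27:39 comp kernel: [ 4657.984668] audit: type=1400 audit(1506355059.847:290): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.984679] audit: type=1400 audit(1506355059.847:292): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Sep 25 21:27:39 comp kernel: [ 4657.991838] audit: type=1400 audit(1506355059.855:294): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/6056" pid=6056 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[ 132.722115] audit: type=1400 audit(1530560652.717:57): apparmor="DENIED" operation="capable" profile="/usr/sbin/nmbd" pid=717 comm="nmbd" capability=12 capname="net_admin"
[ 132.723745] audit: type=1400 audit(1530560652.717:58): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/nmbd" name="/run/systemd/notify" pid=717 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""
FIELD_RE = re.compile(r'(\w+)="?([^"\s]+)"?')
# Audit masks folded into profile permissions (assumed aa-logprof convention): create,
# append and delete all need 'w'. Exec ('x') is left out on purpose; it needs a human.
MASK_MAP = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w", "k": "k"}


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return dict(FIELD_RE.findall(line.split("audit: ", 1)[-1]))


def needed_perms(ev):
    """Permissions a rule must grant to cover this event; file_lock logs 'w' but needs 'k'."""
    if ev["operation"] == "file_lock":
        return {"k"}
    return {MASK_MAP[c] for c in ev.get("denied_mask", "") if c in MASK_MAP}


def generalize(path):
    """Collapse a per-process name such as /run/samba/msg.lock/6056 into a glob."""
    head, _, tail = path.rpartition("/")
    return f"{head}/*" if tail.isdigit() else path


def suggest_rules(log_text):
    """Map each profile to the rules its events ask for. Capability rules are listed for
    review only: as the thread notes, the net_admin denial is probably a systemd bug."""
    wanted = defaultdict(lambda: defaultdict(set))  # profile -> rule key -> perms
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if ev["operation"] == "capable":
            wanted[ev["profile"]][f"capability {ev['capname']},"] |= set()  # no perms
        elif "name" in ev:
            wanted[ev["profile"]][generalize(ev["name"])] |= needed_perms(ev)
    return {profile: [key if key.startswith("capability") else
                      f"{key} {''.join(c for c in 'rwk' if c in perms)},"
                      for key, perms in sorted(rules.items())]
            for profile, rules in wanted.items()}
```

Run `suggest_rules(SAMPLE_LOG)` to get, per profile, the rules that would stop the repeated aa-notify alerts; the count of distinct rules is what matters, since every 30-second loop iteration re-emits the same handful of paths.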
Christian Boltz (cboltz) wrote :

The net_admin denial is probably caused by a bug in systemd, see https://bugzilla.opensuse.org/show_bug.cgi?id=991901 and https://github.com/systemd/systemd/pull/10085
I'd recommend not allowing that capability in the nmbd profile, and instead applying the patch to systemd.

Write permissions to /run/systemd/notify look like a valid issue, I just opened
https://gitlab.com/apparmor/apparmor/merge_requests/236 for that.

Andreas Hasenack (ahasenack) wrote :

As part of our effort to fix languishing bugs, I'm revisiting this one and will drive it to conclusion.

Changed in samba (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Bionic):
assignee: nobody → Andreas Hasenack (ahasenack)