apparmor blocking smbd which is in complain mode

This is fixed in AppArmor bzr since

revno: 3437.1.4
timestamp: Wed 2016-04-13 09:24:46 -0400
  usr.sbin.smbd: new lock dir used by recent versions (4.3.8)

so you'll "just" need to backport the smbd profile to 16.04.

Mr.Christian,

Thanks, I will backport.

I have another problem too because of the same. I have installed apparmor-notify. Please just tell me how to disable notification for samba in complaining mode.

The below instance is loop for every 30 seconds.

The below is the algo which is causing disaster of samba + apparmor.

START LOOP:

1) msg.lock is used in recent version 4.3.8

2) smbd is running as root

3) samba is running as local profile user

4) any file created by smbd in msg.lock is root:root

5) when every samba try to access the file, it is an error of denial to write.

6) Apparmor logs in kernal.log the above bla bla bla log.

7) AppArmor-notify alert the same.

RE-RUN LOOP EVERY 30 SECONDS

I am using ubuntu desktop. I hope you can understand my problem. I can't found option to do the same in aa-notify.

Thanks in advance.

aa-notify doesn't have an option to silence specific events - hey, it's job is to annoy^Wnotify you, so what do you expect? ;-)

To silence the notifications, you'll have to update the profile.

The easiest solution is probably to download the latest smbd profile from
http://bazaar.launchpad.net/~apparmor-dev/apparmor/2.11/view/head:/profiles/apparmor.d/usr.sbin.smbd
Replace your /etc/apparmor.d/usr.sbin.smbd profile with this file and reload AppArmor.

Disclaimer: I can only assume that Ubuntu uses this profile (I use openSUSE ;-) so it's probably a good idea to keep a backup of the original smbd profile (move it outside of /etc/apparmor.d/ to avoid conflicts).

Status changed to 'Confirmed' because the bug affects multiple users.

I run this:

wget -O /tmp/usr.sbin.smbd https://bazaar.launchpad.net/~apparmor-dev/apparmor/2.11/download/head:/usr.sbin.smbd-20091111194200-xv2hcz910jtzeta9-12/usr.sbin.smbd
sudo mv /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd_OLD
sudo mv /tmp/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd
sudo systemctl restart apparmor.service

And still have those annoying logs on dmesg.
Ubuntu 16.04
apparmor 2.10.95-0ubuntu2.9
4.12.0-041200rc3-generic

> sudo mv /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/usr.sbin.smbd_OLD

Please move that *_OLD file outside of /etc/apparmor.d/ - otherwise it will still be loaded on a "last one wins" base. Obviously you'll need to reload the profiles once more afterwards to ensure the "right" profile is loaded.

Confirmed that cosmic is fine now, but there are still issues in xenial as reported, and these two in bionic:
[ 132.722115] audit: type=1400 audit(1530560652.717:57): apparmor="DENIED" operation="capable" profile="/usr/sbin/nmbd" pid=717 comm="nmbd" capability=12 capname="net_admin"
[ 132.723745] audit: type=1400 audit(1530560652.717:58): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/nmbd" name="/run/systemd/notify" pid=717 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

The net_admin denial is probably caused by a bug in systemd, see https://bugzilla.opensuse.org/show_bug.cgi?id=991901 and https://github.com/systemd/systemd/pull/10085
I'd recommend not to allow that capability in the nmbd profile, and instead apply the patch to systemd.

Write permissions to /run/systemd/notify look like a valid issue, I just opened
https://gitlab.com/apparmor/apparmor/merge_requests/236 for that.

As part of our effort to fix languishing bugs, I'm revisiting this one and will drive it to conclusion.

I dropped the ball on this one, but would like another chance to work on it in the coming weeks.

Hey, I'm back. Again.

the net_admin bits only show up in apparmor's logs when nmbd is started via systemd. I suspect due to linking with systemd because of the notify mechanism. That's unfortunate. Funny though, it still happens in ubuntu jammy, even with the systemd patch applied.

Since these samba profiles are experimental, not enabled by default, and even when enabled by the user, are loaded in "complain" mode, I don't think it's worth fixing for stable releases of Ubuntu.

Furthermore, they come from the src:apparmor package, not samba, and that's a risky update for such a small reason. The risk to benefit ratio is not in favor for this update.

For Jammy (current Ubuntu development release), I filed https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242 and I will commit there most of the needed changes, leaving just the net_admin one out.

Xenial is EOL, so nothing to be done there.

If you want to address this in Bionic yourself, I suggest this patch for /etc/apparmor.d/usr.sbin.smbd:
--- a/usr.sbin.smbd
+++ b/usr.sbin.smbd
@@ -49,6 +50,9 @@
   /{,var/}run/samba/smbd.pid rw,
   /{,var/}run/samba/msg.lock/ rw,
   /{,var/}run/samba/msg.lock/[0-9]* rwk,
+ # when started by systemd
+ /{,var/}run/systemd/notify w,
+
   /var/spool/samba/** rw,

   @{HOMEDIRS}/** lrwk,