Merge ~ahasenack/ubuntu/+source/apparmor:jammy-samba-systemd-notify into ubuntu/+source/apparmor:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Merged at revision: d9ae1bb8ace29ca3c26b1ebf2c4b7a4904e0e690
Proposed branch: ~ahasenack/ubuntu/+source/apparmor:jammy-samba-systemd-notify
Merge into: ubuntu/+source/apparmor:ubuntu/devel
Diff against target: 83 lines (+61/-0)
3 files modified
debian/changelog (+10/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/samba-systemd-interaction.patch (+50/-0)
Reviewer Review Type Date Requested Status
John Johansen (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Pending
Review via email: mp+412582@code.launchpad.net

Description of the change

samba links with libsystemd, and when started by systemd, a few more apparmor rules are needed.

The ptrace one is probably the weirdest one. Needed when poking around some /proc files. From https://man7.org/linux/man-pages/man2/ptrace.2.html#NOTES:
PTRACE_MODE_READ
              For "read" operations or other operations that are less
              dangerous, such as: get_robust_list(2); kcmp(2); reading
              /proc/[pid]/auxv, /proc/[pid]/environ, or
              /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
              file.

About the other /proc rules, the upstream apparmor bug was at first just about avahi, but then they realized other packages also need similar rules. Once they reach a consensus and create an abstraction for it, then we can drop this bit of the patch here specifically for smbd.

To test, install apparmor-profiles and restart smbd. You should only see an ALLOWED message for net_admin, which we won't grant.
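A mechanical form of the test step above (run smbd in complain mode, then read the audit log), as an added example that is not code from this merge proposal or from the apparmor project: it maps each ALLOWED/DENIED event for the smbd profile to the rule that would cover it, so the result can be compared with the patch; the log lines are constructed, and the field layout is assumed from typical kernel apparmor audit output.

```python
"""Map AppArmor audit events from smbd to the rules they imply.
Added example, not code from this merge proposal or apparmor; the audit
lines are constructed and the field layout is assumed from typical
kernel apparmor="ALLOWED"/"DENIED" output."""
import re

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="val" or key=val

# The proposal deliberately withholds net_admin, so this rule should be
# the only one still reported once the patch is applied.
WITHHELD = {"capability net_admin,"}

def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, else None."""
    if 'apparmor="' not in line:
        return None
    return {k: q if q else b for k, q, b in _KV.findall(line)}

def rule_for(ev):
    """Rule covering one access; paths kept literal (the patch uses @{PROC}, @{run})."""
    op = ev.get("operation")
    if op == "capable":
        return f"capability {ev['capname']},"
    if op == "ptrace":  # peer is a label, so unconfined is the narrowest fit for PID 1
        return f"ptrace {ev['denied_mask']} peer={ev['peer']},"
    return f"{ev['name']} {ev['denied_mask']},"  # open, sendmsg on a path socket, ...

def triage(lines, profile="/usr/sbin/smbd"):
    """Return (needed, withheld) rule sets from ALLOWED/DENIED events of `profile`."""
    needed, withheld = set(), set()
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile:
            continue
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # AUDIT/STATUS events are not gaps in the profile
        rule = rule_for(ev)
        (withheld if rule in WITHHELD else needed).add(rule)
    return needed, withheld

SAMPLE_LOG = """\
audit: type=1400 audit(1638200001.100:10): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/smbd" pid=1200 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1638200001.101:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/proc/1/environ" pid=1200 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1638200001.102:12): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/smbd" name="/run/systemd/notify" pid=1200 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1638200001.103:13): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/smbd" pid=1200 comm="smbd" capability=12 capname="net_admin"
audit: type=1400 audit(1638200001.104:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nmbd" name="/proc/cmdline" pid=1201 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
""".splitlines()

if __name__ == "__main__":
    needed, withheld = triage(SAMPLE_LOG)
    print("needed:", sorted(needed), "\nwithheld:", sorted(withheld))
```

On a real host feed it `journalctl -k -o cat` output instead of SAMPLE_LOG; anything in `needed` after the patch is applied is a rule the profile still lacks.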

John Johansen (jjohansen) wrote :

I am really not thrilled with some of the new rules. With that said I don't see a way to avoid them so ...

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 104f7e5..eca1b3e 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+apparmor (3.0.3-0ubuntu4) jammy; urgency=medium
7+
8+ * d/p/u/samba-systemd-interaction.patch: allow smbd to interact with
9+ systemd (LP: #1952242):
10+ - allow notify access
11+ - allow specific /proc access
12+ - allow ptrace read
13+
14+ -- Andreas Hasenack <andreas@canonical.com> Mon, 29 Nov 2021 14:43:28 +0000
15+
16 apparmor (3.0.3-0ubuntu3) jammy; urgency=medium
17
18 * No-change rebuild with fixed py3versions
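Review bot: the bullets "allow specific /proc access" and "allow ptrace read" are vaguer than the rules they describe, and this changelog entry is what an administrator reads when judging whether the smbd profile was widened; spell out the scope, e.g. "allow ptrace read of unconfined peers" and "allow read of /proc/1/environ, /proc/cmdline and /proc/sys/kernel/osrelease", so the entry matches the patch.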
19diff --git a/debian/patches/series b/debian/patches/series
20index 0fc2ba7..de214a6 100644
21--- a/debian/patches/series
22+++ b/debian/patches/series
23@@ -16,3 +16,4 @@ ubuntu/libnss-systemd.patch
24 ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch
25 ubuntu/adjust-for-ibus-1.5.22.patch
26 ubuntu/regression-tests-fix-aa_policy_cache-when-using-syst.patch
27+ubuntu/samba-systemd-interaction.patch
28diff --git a/debian/patches/ubuntu/samba-systemd-interaction.patch b/debian/patches/ubuntu/samba-systemd-interaction.patch
29new file mode 100644
30index 0000000..f42eaa3
31--- /dev/null
32+++ b/debian/patches/ubuntu/samba-systemd-interaction.patch
33@@ -0,0 +1,50 @@
34+Description: Allow systemd interaction
35+ When started by systemd, we need to allow notify access, and access to
36+ certain /proc areas.
37+Origin: upstream, https://gitlab.com/apparmor/apparmor/-/merge_requests/236,
38+ https://gitlab.com/apparmor/apparmor/-/merge_requests/811
39+Bug: https://gitlab.com/apparmor/apparmor/-/issues/203
40+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242
41+Applied-Upstream: https://gitlab.com/apparmor/apparmor/-/commit/924d4e87adbf02cafa169b3eed7892d0d35a2088,
42+ https://gitlab.com/apparmor/apparmor/-/commit/ee9e61aad284f4edbebbd7cd0e8d9ac452455958
43+Last-Update: 2021-11-26
44+---
45+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
46+Ubuntu notes:
47+ - upstream missed the smbd profile wrt access the systemd notify socket
48+ - upstream merged the fix for #203 just in the avahi profile and left the bug
49+ open pending discussion of adding a more generic fix as an abstraction
50+--- a/profiles/apparmor.d/usr.sbin.smbd
51++++ b/profiles/apparmor.d/usr.sbin.smbd
52+@@ -24,12 +24,22 @@
53+ capability sys_resource,
54+ capability sys_tty_config,
55+
56++ # when started by systemd
57++ ptrace read peer=unconfined,
58++
59+ /etc/mtab r,
60+ /etc/netgroup r,
61+ /etc/printcap r,
62+ /etc/samba/* rwk,
63+ @{PROC}/@{pid}/mounts r,
64+ @{PROC}/sys/kernel/core_pattern r,
65++
66++ # https://gitlab.com/apparmor/apparmor/-/issues/203
67++ # needed when smbd is started by systemd
68++ @{PROC}/1/environ r,
69++ @{PROC}/cmdline r,
70++ @{PROC}/sys/kernel/osrelease r,
71++
72+ /usr/lib*/samba/vfs/*.so mr,
73+ /usr/lib*/samba/auth/*.so mr,
74+ /usr/lib*/samba/charset/*.so mr,
75+@@ -51,6 +61,8 @@
76+ @{run}/samba/ncalrpc/ rw,
77+ @{run}/samba/ncalrpc/** rw,
78+ @{run}/samba/smbd.pid rw,
79++ # when started by systemd
80++ @{run}/systemd/notify w,
81+ /var/spool/samba/** rw,
82+
83+ @{HOMEDIRS}/** lrwk,
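Review bot: `ptrace read peer=unconfined,` grants PTRACE_MODE_READ against every unconfined process, not only PID 1, because an AppArmor ptrace rule names a peer label rather than a pid; it is the narrowest rule that lets smbd read /proc/1/environ, but the comment "# when started by systemd" should say that, so nobody later tries to tighten it to something the language cannot express. Two smaller points on the same file: the DEP-3 header lists two Applied-Upstream commits while the Ubuntu notes say upstream still lacks the smbd notify rule, so state which lines are not yet upstream and must survive the next merge; and `@{PROC}/cmdline r,` is the kernel command line rather than a per-pid one, which is worth noting in the comment since it sits next to `@{PROC}/1/environ r,`.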
