Merge ~ahasenack/ubuntu/+source/apparmor:jammy-samba-systemd-notify into ubuntu/+source/apparmor:ubuntu/devel
| Status | Merged |
|---|---|
| Merged at revision | d9ae1bb8ace29ca3c26b1ebf2c4b7a4904e0e690 |
| Proposed branch | ~ahasenack/ubuntu/+source/apparmor:jammy-samba-systemd-notify |
| Merge into | ubuntu/+source/apparmor:ubuntu/devel |
| Diff against target | 83 lines (+61/-0), 3 files modified: debian/changelog (+10/-0), debian/patches/series (+1/-0), debian/patches/ubuntu/samba-systemd-interaction.patch (+50/-0) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| John Johansen (community) | | | Approve |
| Canonical Server Core Reviewers | | | Pending |
| Canonical Server | | | Pending |

Review via email: mp+412582@code.launchpad.net
Description of the change
samba links with libsystemd, and when started by systemd, a few more apparmor rules are needed.
The ptrace one is probably the weirdest one. Needed when poking around some /proc files. From https:/
PTRACE_MODE_READ
For "read" operations or other operations that are less
file.
About the other /proc rules, the upstream apparmor bug was at first just about avahi, but then they realized other packages also need similar rules. Once they reach a consensus and create an abstraction for it, then we can drop this bit of the patch here specifically for smbd.
To test, install apparmor-profiles and restart smbd. You should only see an ALLOWED message for net_admin, which we won't grant.
I am really not thrilled with some of the new rules. With that said I don't see a way to avoid them so ...
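The test step in the description (restart smbd with the profile loaded and confirm that the only ALLOWED entry left is the net_admin capability) is easier to repeat if the AppArmor audit lines are parsed rather than eyeballed. The following is an added example, not code from this merge proposal or from the apparmor package: it parses the `apparmor="..."` key=value format that the kernel emits to dmesg/auditd, keeps the events for one profile, and reports which complain-mode ALLOWED entries are not on an expected list. The log lines and the profile name `smbd` are constructed for the example; the real profile name and paths come from the package's profile.

```python
import re

# Constructed sample lines in the kernel/audit AppArmor format (not taken from the merge proposal).
# Profile name "smbd" and the /proc path are assumptions for the example.
SAMPLE_LOG = """\
audit: type=1400 audit(1636547890.101:301): apparmor="ALLOWED" operation="capable" profile="smbd" pid=4211 comm="smbd" capability=12  capname="net_admin"
audit: type=1400 audit(1636547890.102:302): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/cgroup" pid=4211 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1636547890.103:303): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=4211 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1636547890.104:304): apparmor="DENIED" operation="open" profile="nmbd" name="/etc/shadow" pid=4300 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1636547890.105:305): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="smbd" pid=4100 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted strings or bare tokens (pid=4211, capability=12)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line):
    """Return a dict of the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_events(log_text, profile):
    """List (verdict, description) pairs for the access decisions made under one profile.

    STATUS lines (profile loads/replaces) are not access decisions and are skipped.
    """
    events = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get('profile') != profile:
            continue
        verdict = f.get('apparmor')
        if verdict not in ('ALLOWED', 'DENIED'):
            continue
        op = f.get('operation', '?')
        if op == 'capable':
            what = 'capability ' + f.get('capname', '?')
        elif op == 'ptrace':
            what = 'ptrace %s of peer %s' % (f.get('requested_mask', '?'), f.get('peer', '?'))
        else:
            what = '%s %s (%s)' % (op, f.get('name', '?'), f.get('requested_mask', '?'))
        events.append((verdict, what))
    return events


def unexpected_allows(events, expected):
    """ALLOWED (complain-mode) events that are not on the expected list.

    Anything returned here is either a rule still missing from the profile or behaviour
    worth investigating before the profile is switched to enforce mode.
    """
    return [what for verdict, what in events if verdict == 'ALLOWED' and what not in expected]


if __name__ == '__main__':
    # The description expects exactly one leftover ALLOWED entry, the net_admin capability,
    # which is deliberately not granted by the profile.
    smbd_events = summarize_events(SAMPLE_LOG, 'smbd')
    for verdict, what in smbd_events:
        print(verdict, what)
    print('unexpected:', unexpected_allows(smbd_events, {'capability net_admin'}))
```

On a real system the input would be `journalctl -k` or `/var/log/audit/audit.log` output piped into `summarize_events`; an empty result from `unexpected_allows` after a restart of smbd is the condition the description asks the tester to confirm.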