Public bug reported:

kinetic
apparmor 3.0.7-1ubuntu1

sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client

Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null

Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root

Just to be sure, restart things:
sudo systemctl restart smbd nmbd

Check it's there:
sudo lpstat -l -p testprinter

This command (using the password you chose in smbpasswd earlier) will trigger a 
bunch of apparmor ALLOWED messages regarding the samba profiles:
rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'


[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.870:99): 
apparmor="ALLOWED" operation="mknod" profile="smbd" 
name="/run/samba/msg.sock/1002" pid=1002 comm="smbd" requested_mask="c" 
denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.886:100): 
apparmor="ALLOWED" operation="file_mmap" profile="samba-dcerpcd" 
name="/usr/libexec/samba/samba-dcerpcd" pid=1003 comm="samba-dcerpcd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.906:101): 
apparmor="ALLOWED" operation="open" profile="samba-dcerpcd" 
name="/usr/libexec/samba/" pid=1003 comm="samba-dcerpcd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:102): 
apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" 
name="/run/samba/msg.sock/1003" pid=1003 comm="samba-dcerpcd" 
requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:103): 
apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" 
name="/run/samba/names.tdb" pid=1003 comm="samba-dcerpcd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.910:104): 
apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" 
name="/run/samba/msg.sock/1004" pid=1004 comm="samba-dcerpcd" 
requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.914:105): 
apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" 
name="/run/samba/gencache.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.918:106): 
apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" 
name="/run/samba/epmdb.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:107): 
apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" 
name="/usr/libexec/samba/rpcd_epmapper" pid=1007 comm="rpcd_epmapper" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Fri Sep 23 18:37:42 2022] audit: type=1400 audit(1663958262.926:108): 
apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" 
name="/usr/libexec/samba/rpcd_fsrvp" pid=1008 comm="rpcd_fsrvp" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0


We have the following classes:
a) /run/samba/msg.sock/<number>
This msg.sock/ stuff used to live in /var/lib/samba/private, and was covered by 
other apparmor rules, but in 2:4.16.1+dfsg-1 was moved[1] to /run/samba. I 
suggest this change in abstractions/samba:
-  @{run}/{,lock/}samba/msg.lock/ rwk,
-  @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
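Review bot: the msg.sock mknod entries are logged under two profiles, smbd (pid 1002) and samba-dcerpcd (pids 1003 and 1004), so this change to abstractions/samba only clears them in profiles that actually include that abstraction; point c) below notes that not all of them do, so confirm samba-dcerpcd pulls in abstractions/samba or add the msg.sock rule to its profile directly. The mask the kernel reports is only c (create), which the existing rwk mode covers because w grants create; rwk on msg.sock is wider than the log shows, and keeping it for parity with msg.lock is a judgement call worth a one-line comment in the abstraction.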


b) "k" on /run/samba/*.tdb
I suggest this on abstractions/samba:
-  @{run}/{,lock/}samba/*.tdb rw,
+  @{run}/{,lock/}samba/*.tdb rwk,
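Review bot: the three file_lock entries (names.tdb, gencache.tdb, epmdb.tdb, requested_mask="k") are all direct children of /run/samba, so the single-level *.tdb glob does reach them (AppArmor's * does not cross /) and adding k is the minimal change. As with the previous hunk, it only takes effect in profiles that include abstractions/samba, and all three entries here are logged under samba-dcerpcd, so that profile is the one to check.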


c) libexec
Since [2], many binary helpers were moved to /usr/libexec/samba
Unsure where this is best allowed. Not all profiles include abstractions/samba 
or abstractions/samba-rpcd

d) ncalrpc
Seems fixed already in upstream apparmor:
$ grep ncalrpc -r .
./profiles/apparmor.d/samba-dcerpcd:  @{run}/samba/ncalrpc/ rw,
./profiles/apparmor.d/samba-dcerpcd:  @{run}/samba/ncalrpc/** rw,
./profiles/apparmor.d/usr.sbin.smbd:  @{run}/samba/ncalrpc/ rw,
./profiles/apparmor.d/usr.sbin.smbd:  @{run}/samba/ncalrpc/** rw,

e) urandom access by samba-rpcd-spoolss
I guess just allow it in that profile, or have it include abstractions/base 
which allows /dev/urandom

f) samba-rpcd-spoolss access to /var/cache/samba/printing/ seems new, I
didn't find a rule for it in upstream apparmor


1. https://salsa.debian.org/samba-team/samba/-/blob/master/debian/changelog#L169
2. https://salsa.debian.org/samba-team/samba/-/blob/master/debian/changelog#L348

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New
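The report sorts the audit lines into classes by hand and proposes two rule changes. The script below is an added example (not part of the bug report, apparmor or samba) that automates that check: it parses type=1400 audit records like the ones above, compiles the proposed abstractions/samba globs into regexes, and reports which logged accesses they would and would not cover, emitting candidate rules for the rest. It assumes @{run} expands to /run, implements only the globbing subset these rules use ('*' not crossing '/', '**', '{a,b}', '[0-9]'), takes AppArmor's w as also granting create and delete, and, like the hunks themselves, ignores which profiles actually include the abstraction (the reporter's point c).

```python
# Added example: check AppArmor audit records against proposed profile rules.
# Not apparmor or samba code; globbing and permission rules are simplified
# as noted in the docstrings.
import re
from collections import defaultdict

# Constructed sample: audit records copied from the report above, with the
# kernel timestamps dropped (the parser keys on the apparmor= fields only).
SAMPLE_LOG = """\
audit: type=1400 audit(1663958262.870:99): apparmor="ALLOWED" operation="mknod" profile="smbd" name="/run/samba/msg.sock/1002" pid=1002 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1663958262.886:100): apparmor="ALLOWED" operation="file_mmap" profile="samba-dcerpcd" name="/usr/libexec/samba/samba-dcerpcd" pid=1003 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1663958262.906:101): apparmor="ALLOWED" operation="open" profile="samba-dcerpcd" name="/usr/libexec/samba/" pid=1003 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1663958262.910:102): apparmor="ALLOWED" operation="mknod" profile="samba-dcerpcd" name="/run/samba/msg.sock/1003" pid=1003 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1663958262.910:103): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/names.tdb" pid=1003 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1663958262.914:105): apparmor="ALLOWED" operation="file_lock" profile="samba-dcerpcd" name="/run/samba/gencache.tdb" pid=1004 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1663958262.926:107): apparmor="ALLOWED" operation="file_mmap" profile="samba-rpcd" name="/usr/libexec/samba/rpcd_epmapper" pid=1007 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# The two hunks proposed for abstractions/samba in the report (a and b).
PROPOSED_RULES = [
    ("@{run}/{,lock/}samba/msg.{lock,sock}/", "rwk"),
    ("@{run}/{,lock/}samba/msg.{lock,sock}/[0-9]*", "rwk"),
    ("@{run}/{,lock/}samba/*.tdb", "rwk"),
]

AUDIT_RE = re.compile(
    r'apparmor="(?P<decision>[A-Z]+)"\s+operation="(?P<op>[^"]+)"\s+'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)".*?'
    r'requested_mask="(?P<requested>[^"]+)"\s+denied_mask="(?P<denied>[^"]+)"'
)


def parse_audit(lines):
    """One dict per type=1400 file event; non-matching lines are skipped."""
    return [m.groupdict() for m in map(AUDIT_RE.search, lines) if m]


def aa_glob_to_regex(rule_path, variables=None):
    """Compile an AppArmor path glob to a regex (simplified subset).

    '*' does not cross '/', '**' does, '{a,b}' is alternation with no
    nested globs inside the braces, '[..]' is a character class, '?' is one
    non-'/' character.  @{var} references are expanded from `variables`.
    """
    variables = variables or {"@{run}": "/run"}
    for var, value in variables.items():
        rule_path = rule_path.replace(var, value)
    out, i = [], 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):
            out.append(".*")
            i += 1                      # second '*' consumed below
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = rule_path.index("}", i)
            alts = rule_path[i + 1:j].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = j
        elif c == "[":
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def expand_mode(mode):
    """Permission letters a rule grants; AppArmor's 'w' also allows
    creating the object (the 'c' the kernel reports for mknod) and deleting it."""
    perms = set(mode)
    if "w" in perms:
        perms.update("cd")
    return perms


def check_coverage(events, rules):
    """Split events into (covered, uncovered).  AppArmor accumulates
    permissions from every rule whose path matches, so take the union."""
    compiled = [(aa_glob_to_regex(p), expand_mode(m)) for p, m in rules]
    covered, uncovered = [], []
    for ev in events:
        granted = set()
        for regex, perms in compiled:
            if regex.match(ev["name"]):
                granted |= perms
        (covered if set(ev["denied"]) <= granted else uncovered).append(ev)
    return covered, uncovered


def suggest_rules(events):
    """Merge uncovered events into candidate rule lines per profile, using
    only the kernel-reported masks; whether a helper binary should get 'm'
    or an exec transition instead is for the profile author to decide."""
    masks = defaultdict(set)
    for ev in events:
        masks[(ev["profile"], ev["name"])].update(ev["denied"])
    rules = defaultdict(list)
    for (profile, name), mask in sorted(masks.items()):
        rules[profile].append(f"{name} {''.join(sorted(mask))},")
    return dict(rules)


if __name__ == "__main__":
    events = parse_audit(SAMPLE_LOG.splitlines())
    covered, uncovered = check_coverage(events, PROPOSED_RULES)
    print(f"{len(covered)} of {len(events)} logged accesses covered")
    for profile, lines in suggest_rules(uncovered).items():
        print(f"profile {profile} still needs:")
        print("\n".join("  " + line for line in lines))
```

On the sample, the two hunks cover the msg.sock creates and the tdb locks (4 of 7 events); the remaining three are the /usr/libexec/samba accesses from class c), which the script lists per profile. To run it against a live box, feed `journalctl -k -o cat` or `dmesg` output to `parse_audit` instead of SAMPLE_LOG; the unit under test is the rule text, not the loaded policy, so confirm the result with aa-logprof or by reloading the profile.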

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990692

Title:
  samba profile needs updating
