[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2023-11-22 Thread Andreas Hasenack
Kinetic is EOL.

** Changed in: apparmor (Ubuntu Kinetic)
   Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Kinetic:
  Won't Fix

Bug description:
  [ Impact ]

  Users who chose to:

  a) install apparmor-profiles (a package with extra optional apparmor
  profiles, including samba)

  b) change the samba related profiles from complain (the default) to
  enforce mode

  will find out that sharing a printer in samba and using it won't
  work.

  In and of itself this is *definitely* not worth an SRU for apparmor, which
  impacts all users of Ubuntu (because it's installed everywhere). But,
  if apparmor is to be updated for another more important reason, then
  this fix could be bundled together with it. Therefore I'm adding the
  block-proposed-kinetic tag to this bug.

  [ Test Plan ]

  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  Probe it via samba:
  rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  (some printer related output, or even an error, doesn't matter)

  Check dmesg and look for an apparmor ALLOWED message:
  [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  With the updated package, there should be no apparmor message for
  samba-rpcd-spoolss.

  NOTE: since, for this test, we are not switching the apparmor profile
  to enforce mode, this means that the mkdir attempted by rpcd_spoolss
  will succeed, and if you try the rpcclient command one more time,
  there will be no further apparmor messages about it in the logs.

  
  [ Where problems could occur ]

  This change is adding an apparmor rule to a samba-related apparmor
  profile. Without this rule (and with the apparmor profile in confine
  mode), then printing does not work, so regressing that aspect of it is
  hard.

  Maybe some exotic future security vulnerability could take advantage
  of this new apparmor rule which allows writing to (and therefore
  deleting from) /var/cache/samba/printing.

  What's more likely perhaps (but still rare) is that an apparmor
  upgrade, which triggers all apparmor profiles to be reloaded, would
  find some error in an existing profile and fail to load it, and
  perhaps stop loading all other profiles after that, perhaps leaving
  the system without confinement. But this should be caught by the
  upgrade process since postinst would exit non-zero (hopefully).

  [ Other Info ]
  Not at this time.

  [Original Description]

  After the fix for bug #1990692, one more rule is needed it seems.

  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:

  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572/+subscriptions



[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2023-03-03 Thread Steve Langasek
Hello Andreas, or anyone else affected,

Accepted apparmor into kinetic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/3.0.7-1ubuntu2.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
kinetic to verification-done-kinetic. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-kinetic. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apparmor (Ubuntu Kinetic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-kinetic

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Kinetic:
  Fix Committed

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-12-04 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 3.0.7-1ubuntu4

---
apparmor (3.0.7-1ubuntu4) lunar; urgency=medium

  * d/p/u/samba-rpcd-spoolss.patch: fix samba-rpcd-spoolss apparmor
    profile (LP: #1993572)

 -- Andreas Hasenack   Wed, 23 Nov 2022 14:47:14 -0300

** Changed in: apparmor (Ubuntu)
   Status: In Progress => Fix Released

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Kinetic:
  In Progress

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-11-23 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/apparmor/+git/apparmor/+merge/433541

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/apparmor/+git/apparmor/+merge/433542

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  In Progress

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-11-23 Thread Andreas Hasenack
** Description changed:

  [ Impact ]
  
  Users who chose to:
  
  a) install apparmor-profiles (a package with extra optional apparmor
  profiles, including samba)
  
  b) change the samba related profiles from complain (the default) to
  enforce mode
  
  will find out that sharing a printing in samba and using it won't work.
  
  In by itself this is *definitely* not worth an SRU for apparmor, which
  impacts all users of Ubuntu (because it's installed everywhere). But, if
  apparmor is to be updated for another more important reason, then this
  fix could be bundled together with it. Therefore I'm adding the block-
  proposed-kinetic tag to this bug.
  
- 
  [ Test Plan ]
  
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client
  
  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root
  
  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null
  
  Check it's there:
  sudo lpstat -l -p testprinter
  
- $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
+ Probe it via samba:
+ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  (some printer related output)
  
  Check dmesg and look for an apparmor ALLOWED message:
  [497031.827841] audit: type=1400 audit(1669215188.733:555): 
apparmor="ALLOWED" operation="mkdir" class="file" 
namespace="root//lxd-l-samba-apparmor_" 
profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 
comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 
ouid=100
  
- 
- With the updated package, there should be no apparmor message for 
samba-rpcd-spoolss.
- 
+ With the updated package, there should be no apparmor message for samba-
+ rpcd-spoolss.
  
  [ Where problems could occur ]
  
  This change is adding an apparmor rule to a samba-related apparmor
  profile. Without this rule (and with the apparmor profile in confine
  mode), then printing does not work, so regressing that aspect of it is
  hard.
  
  Maybe some exotic future security vulnerability could take advantage of
  this new apparmor rule which allows writing to (and therefore deleting
  from) /var/cache/samba/printing.
  
  What's more likely perhaps (but still rare) is that an apparmor upgrade,
  which triggers all apparmor profiles to be reloaded, would find some
  error in an existing profile and fail to load it, and perhaps stop
  loading all other profiles after that, perhaps leaving the system
  without confinement. But this should be caught by the upgrade process
  since postinst would exit non-zero (hopefully).
- 
  
  [ Other Info ]
  Not at this time.
  
  [Original Description]
  
  After the fix for bug #1990692, one more rule is needed it seems.
  
  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:
  
  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client
  
  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root
  
  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null
  
  Check it's there:
  sudo lpstat -l -p testprinter
  
  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error 
NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was 
NT_STATUS_CONNECTION_DISCONNECTED
  
  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342):
  apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-
  samba-apparmor_" profile="samba-rpcd-spoolss"
  name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss"
  requested_mask="c" denied_mask="c" fsuid=100 ouid=100
  
  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
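
Review bot: In the Test Plan, the line right after the reworded "Probe it via samba:" step still reads "(some printer related output)", which makes the rpcclient output look like part of the check. The pass/fail signal in this plan is the dmesg record for samba-rpcd-spoolss, so say explicitly that the command's output (or an error from it) does not matter and that only the presence or absence of the apparmor message is being verified.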

** Description changed:

  [ Impact ]
  
  Users who chose to:
  
  a) install apparmor-profiles (a package with extra optional apparmor
  profiles, including samba)
  
  b) change the samba related profiles from complain (the default) to
  enforce mode
  
  will find out that sharing a printing in samba and using it won't work.
  
  In by itself this is *definitely* not worth an SRU for apparmor, which
  impacts all users of Ubuntu (because it's installed everywhere). But, if
  apparmor is to be updated for another more important reason, then this
  fix could be bundled together with it. Therefore I'm adding the block-
  proposed-kinetic tag to this bug.
  
  [ Test Plan ]
  
  sudo apt install 

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-11-23 Thread Andreas Hasenack
** Description changed:

+ [ Impact ]
+ 
+ Users who chose to:
+ 
+ a) install apparmor-profiles (a package with extra optional apparmor
+ profiles, including samba)
+ 
+ b) change the samba related profiles from complain (the default) to
+ enforce mode
+ 
+ will find out that sharing a printing in samba and using it won't work.
+ 
+ In by itself this is *definitely* not worth an SRU for apparmor, which
+ impacts all users of Ubuntu (because it's installed everywhere). But, if
+ apparmor is to be updated for another more important reason, then this
+ fix could be bundled together with it. Therefore I'm adding the block-
+ proposed-kinetic tag to this bug.
+ 
+ 
+ [ Test Plan ]
+ 
+ sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
+ sudo apt install samba smbclient cups cups-client
+ 
+ Set a password for the samba "root" user:
+ printf "root\nroot\n" | sudo smbpasswd -a root
+ 
+ Create a fake printer:
+ sudo lpadmin -p testprinter -E -v /dev/null
+ 
+ Check it's there:
+ sudo lpstat -l -p testprinter
+ 
+ $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
+ (some printer related output)
+ 
+ Check dmesg and look for an apparmor ALLOWED message:
+ [497031.827841] audit: type=1400 audit(1669215188.733:555): 
apparmor="ALLOWED" operation="mkdir" class="file" 
namespace="root//lxd-l-samba-apparmor_" 
profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 
comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 
ouid=100
+ 
+ 
+ With the updated package, there should be no apparmor message for 
samba-rpcd-spoolss.
+ 
+ 
+ [ Where problems could occur ]
+ 
+ This change is adding an apparmor rule to a samba-related apparmor
+ profile. Without this rule (and with the apparmor profile in confine
+ mode), then printing does not work, so regressing that aspect of it is
+ hard.
+ 
+ Maybe some exotic future security vulnerability could take advantage of
+ this new apparmor rule which allows writing to (and therefore deleting
+ from) /var/cache/samba/printing.
+ 
+ What's more likely perhaps (but still rare) is that an apparmor upgrade,
+ which triggers all apparmor profiles to be reloaded, would find some
+ error in an existing profile and fail to load it, and perhaps stop
+ loading all other profiles after that, perhaps leaving the system
+ without confinement. But this should be caught by the upgrade process
+ since postinst would exit non-zero (hopefully).
+ 
+ 
+ [ Other Info ]
+ Not at this time.
+ 
+ [Original Description]
+ 
  After the fix for bug #1990692, one more rule is needed it seems.
  
  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:
  
  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client
  
  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root
  
  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null
  
  Check it's there:
  sudo lpstat -l -p testprinter
  
  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error 
NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was 
NT_STATUS_CONNECTION_DISCONNECTED
  
  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342):
  apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-
  samba-apparmor_" profile="samba-rpcd-spoolss"
  name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss"
  requested_mask="c" denied_mask="c" fsuid=100 ouid=100
  
  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
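
Review bot: The added Test Plan step "Check dmesg and look for an apparmor ALLOWED message" only works while /var/cache/samba/printing/ does not exist yet. The logged operation is mkdir, and the plan leaves the profile in complain mode (the default named under Impact), so the mkdir succeeds and a repeated rpcclient run would log nothing even with the unfixed package. State that the directory must be absent before the probe is run, and that the check for the updated package is the absence of a samba-rpcd-spoolss message on that first run.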

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  In Progress

[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-11-23 Thread Andreas Hasenack
** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Critical => Undecided

** Changed in: apparmor (Ubuntu Kinetic)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Undecided => Wishlist

** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Wishlist => Low

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Low

** Changed in: apparmor (Ubuntu Kinetic)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Tags added: block-proposed-kinetic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  In Progress

Bug description:
  After the fix for bug #1990692, one more rule is needed it seems.

  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:

  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb



[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-11-23 Thread Andreas Hasenack
** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: apparmor (Ubuntu)
   Status: New => In Progress

-- 
Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-11-23 Thread Andreas Hasenack
** Also affects: apparmor (Ubuntu Kinetic)
   Importance: Undecided
   Status: New

-- 
Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Kinetic:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-27 Thread Christian Boltz
Submitted as https://gitlab.com/apparmor/apparmor/-/merge_requests/937

-- 
Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-27 Thread Andreas Hasenack
Er, correct, just "w" is enough :)

-- 
Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-26 Thread Christian Boltz
Typo? I'd expect 'Just "w" is enough' ;-)

-- 
Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-26 Thread Andreas Hasenack
/var/cache/samba/printing/ w, # without r,


Just "r" was enough indeed!

-- 
Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-26 Thread Andreas Hasenack
** Description changed:

  After the fix for bug #1990692, one more rule is needed it seems.
  
  I put all samba profiles in enforce mode, and when I ran that final
- command, got an error and an apparmor denied message:
+ rpcclient command, got an error and an apparmor denied message:
+ 
+ Prep:
+ sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
+ sudo apt install samba smbclient cups cups-client
+ 
+ Set a password for the samba "root" user:
+ printf "root\nroot\n" | sudo smbpasswd -a root
+ 
+ Create a fake printer:
+ sudo lpadmin -p testprinter -E -v /dev/null
+ 
+ Check it's there:
+ sudo lpstat -l -p testprinter
  
  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error 
NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was 
NT_STATUS_CONNECTION_DISCONNECTED
  
  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342):
  apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-
  samba-apparmor_" profile="samba-rpcd-spoolss"
  name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss"
  requested_mask="c" denied_mask="c" fsuid=100 ouid=100
  
  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

-- 
Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-26 Thread Christian Boltz
Based on your DENIED message, I wonder if read (= directory listing)
permissions are really needed, or if

/var/cache/samba/printing/ w,   # without r

would be enough. Can you please test and report back?

-- 
Status in apparmor package in Ubuntu:
  New
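The check asked for in the message above, reading the denied mask off the audit record and granting no more than it names, written out as an added example (not code from this thread or from the AppArmor project). The function names are hypothetical, and the second and third log records are constructed for the example.

```python
import re

# key="quoted value" or key=bare_value, as laid out in kernel audit records.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log masks carry c (create) and d (delete); profile file rules have neither
# letter and cover both with w. Exec (x) is excluded: it needs a transition
# mode (ix, Px, ...) that cannot be read off a log line.
_LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
_ORDER = "rwaklm"

def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict, else None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if key == "name" and quoted is None:
            # audit hex-encodes names holding spaces or other unsafe bytes
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = value
    return fields

def rule_perms(mask):
    """Translate a log mask such as "c" or "rwc" into rule permissions."""
    perms = set()
    for letter in mask:
        if letter == "x":
            raise ValueError("exec needs a manually chosen transition mode")
        perms.add(_LOG_TO_RULE[letter])
    if "w" in perms:
        perms.discard("a")  # w already covers append; a rule cannot hold both
    return "".join(p for p in _ORDER if p in perms)

def minimal_perms(lines, profile):
    """Map each logged path to the smallest rule permissions covering it."""
    masks = {}
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("profile") != profile or "name" not in rec:
            continue
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        mask = rec.get("denied_mask") or rec.get("requested_mask", "")
        masks[rec["name"]] = masks.get(rec["name"], "") + mask
    return {path: rule_perms(mask) for path, mask in masks.items()}

def format_rules(perms_by_path):
    """Render profile lines; a path containing whitespace must be quoted."""
    return [f'"{p}" {perms},' if re.search(r"\s", p) else f"{p} {perms},"
            for p, perms in sorted(perms_by_path.items())]

def unjustified(rule, perms_by_path):
    """Permissions a proposed rule grants that no logged record asked for."""
    # Exact, unquoted paths only; globs in the proposed rule are not expanded.
    path, granted = rule.strip().rstrip(",").rsplit(None, 1)
    return "".join(x for x in granted if x not in perms_by_path.get(path, ""))

# Constructed sample input. The first record is the denial quoted in the bug
# report, re-joined onto one line; the other two are made up for this example.
_HEX_NAME = "/var/cache/samba/printing/test printer.tdb".encode().hex().upper()
SAMPLE_LOG = [
    '[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): '
    'apparmor="DENIED" operation="mkdir" class="file" '
    'namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" '
    'name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" '
    'requested_mask="c" denied_mask="c" fsuid=100 ouid=100',
    'audit: type=1400 audit(1666201358.001:343): apparmor="ALLOWED" '
    'operation="open" class="file" profile="samba-rpcd-spoolss" '
    f'name={_HEX_NAME} pid=129107 comm="rpcd_spoolss" '
    'requested_mask="rwc" denied_mask="rwc" fsuid=100 ouid=100',
    'audit: type=1400 audit(1666201359.002:344): apparmor="DENIED" '
    'operation="open" profile="samba-bgqd" name="/constructed/path" '
    'requested_mask="r" denied_mask="r"',
]

if __name__ == "__main__":
    needed = minimal_perms(SAMPLE_LOG, "samba-rpcd-spoolss")
    print("\n".join(format_rules(needed)))
    print("extra in proposed rule:",
          unjustified("/var/cache/samba/printing/ rw,", needed))
```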


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-21 Thread Andreas Hasenack
** Description changed:

- After the fix for #1990692, one more rule is needed it seems.
+ After the fix for bug #1990692, one more rule is needed it seems.
  
  I put all samba profiles in enforce mode, and when I ran that final
  command, got an error and an apparmor denied message:
  
  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error 
NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was 
NT_STATUS_CONNECTION_DISCONNECTED
  
  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342):
  apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-
  samba-apparmor_" profile="samba-rpcd-spoolss"
  name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss"
  requested_mask="c" denied_mask="c" fsuid=100 ouid=100
  
- 
  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

-- 
Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing

2022-10-19 Thread Andreas Hasenack
This looks like it is enough to address it:

--- samba-rpcd-spoolss.orig 2022-10-19 17:48:42.767775584 +
+++ samba-rpcd-spoolss  2022-10-19 17:47:50.527693050 +
@@ -18,6 +18,7 @@
 
   /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
   /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /var/cache/samba/printing/ rw,
   /var/cache/samba/printing/*.tdb rwk,
   @{run}/samba/samba-bgqd.pid rk,
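
Review bot: the added `/var/cache/samba/printing/ rw,` line grants more than the denial in this report asks for. The audit record shows operation="mkdir" with requested_mask="c" and denied_mask="c", which a `w` rule on the directory covers; `r` additionally allows listing the directory, and nothing in the report shows rpcd_spoolss being denied that. Suggest `/var/cache/samba/printing/ w,` and re-running the rpcclient test with the profile in enforce mode to confirm.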

-- 
Status in apparmor package in Ubuntu:
  New