** Description changed:

+ [Impact]
+ 
+ Path to samba-bgqd is wrong on 22.04.
+ Changing from /usr/lib*/samba/samba-bgqd into 
/usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
+ The @{multiarch} was initialized at the code before.
+ Before fixing it might confuse users with ambiguity.
+ This was later changed by moving the binary, but for an SRU let us just adapt 
the path in apparmor.
+ 
+ 
+ Obviously, the bug doesn’t affect users by default, because the samba profiles
+ are only installed and activated if you install the apparmor-profiles package 
and moreover it has to be in enforce mode to affect users. The profile is 
applied in complain mode by default.
+ After all these conditions are met, then the impact is that the samba 
services will fail to start.
+ 
+ The next thing which occurred was the problem with ‘k’ flag which was
+ needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba.
+ 
+ 
+ [Test Plan]
+ 
+ ** Reproduction **
+ 
+ Make a container for testing:
+ 
+ 
+ $ lxc launch ubuntu-daily:jammy jammy-test
+ $ lxc shell jammy-test
+ 
+ 
+ 1.First of all, install apparmor-profiles, apparmor-utils and samba.
+ $ apt install apparmor-profiles apparmor-utils samba
+ 
+ 2.Perform proper command to display current running processes. (e.g. ps 
fauxZ).
+ $ ps fauxZ
+ 
+ nmbd (complain)                 root        2129  0.0  0.0  68720 10628 ?     
   Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
+ smbd (complain)                 root        2141  0.0  0.1  84840 16264 ?     
   Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
+ smbd (complain)                 root        2143  0.0  0.0  82360  8544 ?     
   S    16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ smbd (complain)                 root        2144  0.0  0.0  82352  6820 ?     
   S    16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ 
+ 
+ 3.At the end of the output, you should be able to see smbd(complain) in
+ the left column.
+ 
+ 
+ 4.Then check the dmesg output.
+ 
+ 
+ $ dmesg -T
+ 
+ [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ 
+ 
+ 5.At the end of the output, you will notice profile=”samba-bgqd” 
apparmor=”ALLOWED”
+ 
+ 
+ 6.Later, check the apparmor status using the aa-status command.
+ 
+ $ aa-status
+ 
+ 24 profiles are in complain mode.
+    avahi-daemon
+    dnsmasq
+    dnsmasq//libvirt_leaseshelper
+    identd
+    klogd
+    mdnsd
+    nmbd
+    nscd
+    php-fpm
+    ping
+    samba-bgqd
+    smbldap-useradd
+    smbldap-useradd///etc/init.d/nscd
+    snap.git-ubuntu.git-ubuntu
+    snap.git-ubuntu.import-source-packages
+    snap.git-ubuntu.man
+    snap.git-ubuntu.merge-changelogs
+    snap.git-ubuntu.reconstruct-changelog
+    snap.git-ubuntu.self-test
+    snap.git-ubuntu.source-package-walker
+    snap.git-ubuntu.update-repository-alias
+    syslog-ng
+    syslogd
+    traceroute
+ 
+ You will notice that samba-bgqd is still in complain mode.
+ 
+ 
+ 7.Type in aa-enforce /etc/apparmor.d/samba-bgqd
+ /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
+ 
+ Setting /etc/apparmor.d/samba-bgqd to enforce mode.
+ Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
+ 
+ Now when you display current running processes, you will see that smbd
+ is enforced.
+ 
+ $ ps fauxZ
+ 
+ smbd (enforce)                  root        2281  0.0  0.1  84840 16416 ?     
   Ss   14:50   0:00 /usr/sbin/smbd --foreground --no-process-group
+ smbd (enforce)                  root        2283  0.0  0.0  82360  8476 ?     
   S    14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ smbd (enforce)                  root        2284  0.0  0.0  82352  6748 ?     
   S    14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
+ 
+ Type in $ systemctl restart smbd.
+ Check dmesg output again and log.smbd file in /var/log/samba.
+ 
+ $ tail log.smbd
+ 
+ [2022/08/25 15:58:15.861776,  0] ../../source3/smbd/server.c:1734(main)
+   smbd version 4.15.9-Ubuntu started.
+   Copyright Andrew Tridgell and the Samba Team 1992-2021
+ [2022/08/25 16:04:05.837877,  0] ../../source3/smbd/server.c:1734(main)
+   smbd version 4.15.9-Ubuntu started.
+   Copyright Andrew Tridgell and the Samba Team 1992-2021
+ [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
+   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
+ 
+ 
+ You shouldn’t notice that smbd is in complained status and you should notice 
that smbd is DENIED if you install a new package which was fixed with the 
package from proposed, smbd will start even with the profile in enforced mode.
+ 
+ 
+ [Where problems could occur]
+ 
+ Any code change might change the behavior of the package in a specific 
situation and cause other errors.
+ The old path is disallowed because the rule has been changed. The risk of 
regression becomes real when people move around the binary and replace the 
path, then it would fail after the update.
+ Moreover, for instance the user can install only apparmor-utils without the 
apparmor-profiles and the update will not be visible.
+ It is highly recommended to select the ubuntu-daily image while creating a 
VM, otherwise it might cause a regression and later use will not be able to set 
the enforce mode and Apparmor will not prevent applications from taking 
restricted actions. 
+ Another possible regression source is the fact that the apparmor will be 
rebuilt against newer versions of its build dependencies, on Jammy and there 
are 2 profiles affected by the changes.
+ There are similar possibilities of regression for that ‘k’ flag which was 
added. 
+ 
+ 
+ [Other information]
+ 
+ This fix alone does not warrant an apparmor SRU, therefore we are using
+ the block-proposed tag so that the fix can be bundled with another
+ future apparmor SRU.
+ 
+ -------------------original report-------------------
+ 
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
  
  Fix was backported, but the path to samba-bgqd is wrong on 22.04.
  
  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd
  
  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Moreover, the dmesg output failed and it has showed that the 'k' flag is
  required for the *.tdb files within /etc/apparmor.d/abstractions/samba.
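
Review bot: the closing paragraph of the added test plan (the lines starting "You shouldn’t notice that smbd is in complained status") runs the failing result and the fixed result together in one sentence, so the pass criterion is unclear. State them separately: with the current package, after aa-enforce and "systemctl restart smbd", dmesg shows DENIED and log.smbd ends with "error code 13"; with the package from proposed, smbd starts with the profile in enforce mode. The plan also has no explicit step that installs the package from proposed before the final check.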

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress
Status in samba source package in Jammy:
  Triaged

Bug description:
  [Impact]

  Path to samba-bgqd is wrong on 22.04.
  Changing from /usr/lib*/samba/samba-bgqd into /usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
  The @{multiarch} was initialized at the code before.
  Before fixing it might confuse users with ambiguity.
  This was later changed by moving the binary, but for an SRU let us just adapt the path in apparmor.

  Obviously, the bug doesn’t affect users by default, because the samba profiles are only installed and activated if you install the apparmor-profiles package and moreover it has to be in enforce mode to affect users. The profile is applied in complain mode by default.
  After all these conditions are met, then the impact is that the samba services will fail to start.

  The next thing which occurred was the problem with ‘k’ flag which was needed for the *.tdb files within /etc/apparmor.d/abstractions/samba.


  [Test Plan]

  ** Reproduction **

  Make a container for testing:

  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test

  
  1. First of all, install apparmor-profiles, apparmor-utils and samba.
  $ apt install apparmor-profiles apparmor-utils samba

  2. Perform proper command to display current running processes. (e.g. ps fauxZ).
  $ ps fauxZ

  nmbd (complain)                 root        2129  0.0  0.0  68720 10628 ?        Ss   16:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
  smbd (complain)                 root        2141  0.0  0.1  84840 16264 ?        Ss   16:43   0:00 /usr/sbin/smbd --foreground --no-process-group
  smbd (complain)                 root        2143  0.0  0.0  82360  8544 ?        S    16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  smbd (complain)                 root        2144  0.0  0.0  82352  6820 ?        S    16:43   0:00  \_ /usr/sbin/smbd --foreground --no-process-group


  3. At the end of the output, you should be able to see smbd (complain) in the left column.

  4. Then check the dmesg output.

  
  $ dmesg -T

  [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
  [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

  
  5. At the end of the output, you will notice profile="samba-bgqd" apparmor="ALLOWED"

  6. Later, check the apparmor status using the aa-status command.

  $ aa-status

  24 profiles are in complain mode.
     avahi-daemon
     dnsmasq
     dnsmasq//libvirt_leaseshelper
     identd
     klogd
     mdnsd
     nmbd
     nscd
     php-fpm
     ping
     samba-bgqd
     smbldap-useradd
     smbldap-useradd///etc/init.d/nscd
     snap.git-ubuntu.git-ubuntu
     snap.git-ubuntu.import-source-packages
     snap.git-ubuntu.man
     snap.git-ubuntu.merge-changelogs
     snap.git-ubuntu.reconstruct-changelog
     snap.git-ubuntu.self-test
     snap.git-ubuntu.source-package-walker
     snap.git-ubuntu.update-repository-alias
     syslog-ng
     syslogd
     traceroute

  You will notice that samba-bgqd is still in complain mode.


  7. Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.

  Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.

  Now when you display current running processes, you will see that smbd
  is enforced.

  $ ps fauxZ

  smbd (enforce)                  root        2281  0.0  0.1  84840 16416 ?        Ss   14:50   0:00 /usr/sbin/smbd --foreground --no-process-group
  smbd (enforce)                  root        2283  0.0  0.0  82360  8476 ?        S    14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
  smbd (enforce)                  root        2284  0.0  0.0  82352  6748 ?        S    14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group

  Type in $ systemctl restart smbd.
  Check dmesg output again and log.smbd file in /var/log/samba.

  $ tail log.smbd

  [2022/08/25 15:58:15.861776,  0] ../../source3/smbd/server.c:1734(main)
    smbd version 4.15.9-Ubuntu started.
    Copyright Andrew Tridgell and the Samba Team 1992-2021
  [2022/08/25 16:04:05.837877,  0] ../../source3/smbd/server.c:1734(main)
    smbd version 4.15.9-Ubuntu started.
    Copyright Andrew Tridgell and the Samba Team 1992-2021
  [2022/08/25 16:04:05.848067,  0] ../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13

  You shouldn’t notice that smbd is in complain status, and you should notice that smbd is DENIED. If you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.

  
  [Where problems could occur]

  Any code change might change the behavior of the package in a specific situation and cause other errors.
  The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
  Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
  It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
  Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
  There are similar possibilities of regression for that ‘k’ flag which was added.

  
  [Other information]

  This fix alone does not warrant an apparmor SRU, therefore we are
  using the block-proposed tag so that the fix can be bundled with
  another future apparmor SRU.

  -------------------original report-------------------

  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Moreover, the dmesg output failed and it has showed that the 'k' flag
  is required for the *.tdb files within
  /etc/apparmor.d/abstractions/samba.
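
Added example, not part of the bug report or of AppArmor's own code: a simplified model of AppArmor path globbing that shows why the old rule misses the Jammy path while the @{multiarch} rule matches it, plus a parser that lists the permissions logged in audit records like those in the test plan. The @{multiarch} value is an assumption about the shipped tunable, and the sample records are abbreviated from the dmesg output above.

```python
import re
from collections import defaultdict

# Assumption: tunables/multiarch defines @{multiarch} as *-linux-gnu*.
VARIABLES = {"@{multiarch}": "*-linux-gnu*"}

def glob_to_regex(rule_path):
    """Simplified AppArmor glob: '*' stops at '/', '**' may cross it."""
    for name, value in VARIABLES.items():
        rule_path = rule_path.replace(name, value)
    parts = re.split(r"(\*\*|\*)", rule_path)
    conv = {"**": ".*", "*": "[^/]*"}
    return re.compile("".join(conv.get(p, re.escape(p)) for p in parts) + r"\Z")

def rule_matches(rule_path, path):
    """True if the profile rule path covers the concrete file path."""
    return glob_to_regex(rule_path).match(path) is not None

# key=value or key="value" pairs of an audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def missing_rules(lines):
    """Group logged accesses as {profile: {path: set of mask letters}}."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = {k: q or u for k, q, u in FIELD.findall(line)}
        if f.get("apparmor") in ("ALLOWED", "DENIED"):
            needed[f["profile"]][f["name"]].update(f["denied_mask"])
    return needed

# Records abbreviated from the dmesg output in the test plan.
SAMPLE = [
    'audit: type=1400 apparmor="ALLOWED" operation="exec" profile="smbd" '
    'name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" denied_mask="x"',
    'audit: type=1400 apparmor="ALLOWED" operation="file_lock" '
    'profile="samba-bgqd" name="/run/samba/names.tdb" denied_mask="k"',
]

if __name__ == "__main__":
    target = "/usr/lib/x86_64-linux-gnu/samba/samba-bgqd"
    for rule in ("/usr/lib*/samba/samba-bgqd",
                 "/usr/lib/@{multiarch}/samba/samba-bgqd"):
        print(rule, "->", rule_matches(rule, target))
    print({p: dict(v) for p, v in missing_rules(SAMPLE).items()})
```

The same check shows the regression risk noted under "Where problems could occur": the new rule no longer covers a binary left at /usr/lib/samba/samba-bgqd.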
