** Description changed: + [Impact] + + Path to samba-bgqd is wrong on 22.04. + Changing from /usr/lib*/samba/samba-bgqd into /usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures. + The @{multiarch} was initialized at the code before. + Before fixing it might confuse users with ambiguity. + This was later changed by moving the binary, but for an SRU let us just adapt the path in apparmor. + + + Obviously, the bug doesn’t affect users by default, because the samba profiles + are only installed and activated if you install the apparmor-profiles package and moreover it has to be in enforce mode to affect users. The profile is applied in complain mode by default. + After all these conditions are met, then the impact is that the samba services will fail to start. + + The next thing which occurred was the problem with ‘k’ flag which was + needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba. + + + [Test Plan] + + ** Reproduction ** + + Make a container for testing: + + + $ lxc launch ubuntu-daily:jammy jammy-test + $ lxc shell jammy-test + + + 1.First of all, install apparmor-profiles, apparmor-utils and samba. + $ apt install apparmor-profiles apparmor-utils samba + + 2.Perform proper command to display current running processes. (e.g. ps fauxZ). + $ ps fauxZ + + nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group + smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group + smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group + smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group + + + 3.At the end of the output, you should be able to see smbd(complain) in + the left column. + + + 4.Then check the dmesg output. 
+ + + $ dmesg -T + + [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 + [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0 + [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0 + [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0 + [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0 + + + 5.At the end of the output, you will notice profile=”samba-bgqd” apparmor=”ALLOWED” + + + 6.Later, check the apparmor status using the aa-status command. + + $ aa-status + + 24 profiles are in complain mode. 
+ avahi-daemon + dnsmasq + dnsmasq//libvirt_leaseshelper + identd + klogd + mdnsd + nmbd + nscd + php-fpm + ping + samba-bgqd + smbldap-useradd + smbldap-useradd///etc/init.d/nscd + snap.git-ubuntu.git-ubuntu + snap.git-ubuntu.import-source-packages + snap.git-ubuntu.man + snap.git-ubuntu.merge-changelogs + snap.git-ubuntu.reconstruct-changelog + snap.git-ubuntu.self-test + snap.git-ubuntu.source-package-walker + snap.git-ubuntu.update-repository-alias + syslog-ng + syslogd + traceroute + + You will notice that samba-bgqd is still in complain mode. + + + 7.Type in aa-enforce /etc/apparmor.d/samba-bgqd + /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode. + + Setting /etc/apparmor.d/samba-bgqd to enforce mode. + Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode. + + Now when you display current running processes, you will see that smbd + is enforced. + + $ ps fauxZ + + smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group + smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group + smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group + + Type in $ systemctl restart smbd. + Check dmesg output again and log.smbd file in /var/log/samba. + + $ tail log.smbd + + [2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main) + smbd version 4.15.9-Ubuntu started. + Copyright Andrew Tridgell and the Samba Team 1992-2021 + [2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main) + smbd version 4.15.9-Ubuntu started. 
+ Copyright Andrew Tridgell and the Samba Team 1992-2021 + [2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon) + exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13 + + + You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode. + + + [Where problems could occur] + + Any code change might change the behavior of the package in a specific situation and cause other errors. + The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update. + Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible. + It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions. + Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes. + There are similar possibilities of regression for that ‘k’ flag which was added. + + + [Other information] + + This fix alone does not warrant an apparmor SRU, therefore we are using + the block-proposed tag so that the fix can be bundled with another + future apparmor SRU. + + -------------------original report------------------- + See bug here: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532 Fix was backported, but the path to samba-bgqd is wrong on 22.04. 
Currently apparmor profile has it like this: /usr/lib*/samba/samba-bgqd When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba.
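Review bot: the closing paragraph of the test plan ("You shouldn't notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package ...") runs the failing outcome and the fixed outcome into one sentence, so the pass criterion is unclear. Suggest stating them separately: before the fix, restarting smbd with the profiles enforced ends with "error code 13" in log.smbd; with the package from proposed, smbd starts with the profile in enforce mode. The dmesg sample also shows only apparmor="ALLOWED" lines taken in complain mode; quoting the expected DENIED line after step 7 would make that check concrete.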
https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress
Status in samba source package in Jammy:
  Triaged

Bug description:
  [Impact]

  Path to samba-bgqd is wrong on 22.04.
  Changing from /usr/lib*/samba/samba-bgqd into /usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
  The @{multiarch} was initialized at the code before.
  Before fixing it might confuse users with ambiguity.
  This was later changed by moving the binary, but for an SRU let us just adapt the path in apparmor.

  Obviously, the bug doesn’t affect users by default, because the samba profiles are only installed and activated if you install the apparmor-profiles package and moreover it has to be in enforce mode to affect users. The profile is applied in complain mode by default.
  After all these conditions are met, then the impact is that the samba services will fail to start.

  The next thing which occurred was the problem with the ‘k’ flag which was needed for the *.tdb files within /etc/apparmor.d/abstractions/samba.

  [Test Plan]

  ** Reproduction **

  Make a container for testing:

    $ lxc launch ubuntu-daily:jammy jammy-test
    $ lxc shell jammy-test

  1. First of all, install apparmor-profiles, apparmor-utils and samba.

    $ apt install apparmor-profiles apparmor-utils samba

  2. Perform proper command to display current running processes (e.g. ps fauxZ).

    $ ps fauxZ

    nmbd (complain) root 2129 0.0 0.0 68720 10628 ? Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
    smbd (complain) root 2141 0.0 0.1 84840 16264 ? Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
    smbd (complain) root 2143 0.0 0.0 82360 8544 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
    smbd (complain) root 2144 0.0 0.0 82352 6820 ? S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group

  3. At the end of the output, you should be able to see smbd (complain) in the left column.

  4. Then check the dmesg output.

    $ dmesg -T

    [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
    [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
    [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
    [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

  5. At the end of the output, you will notice profile="samba-bgqd" apparmor="ALLOWED".

  6. Later, check the apparmor status using the aa-status command.

    $ aa-status

    24 profiles are in complain mode.
       avahi-daemon
       dnsmasq
       dnsmasq//libvirt_leaseshelper
       identd
       klogd
       mdnsd
       nmbd
       nscd
       php-fpm
       ping
       samba-bgqd
       smbldap-useradd
       smbldap-useradd///etc/init.d/nscd
       snap.git-ubuntu.git-ubuntu
       snap.git-ubuntu.import-source-packages
       snap.git-ubuntu.man
       snap.git-ubuntu.merge-changelogs
       snap.git-ubuntu.reconstruct-changelog
       snap.git-ubuntu.self-test
       snap.git-ubuntu.source-package-walker
       snap.git-ubuntu.update-repository-alias
       syslog-ng
       syslogd
       traceroute

  You will notice that samba-bgqd is still in complain mode.

  7. Type in aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.

    Setting /etc/apparmor.d/samba-bgqd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.

  Now when you display current running processes, you will see that smbd is enforced.

    $ ps fauxZ

    smbd (enforce) root 2281 0.0 0.1 84840 16416 ? Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
    smbd (enforce) root 2283 0.0 0.0 82360 8476 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
    smbd (enforce) root 2284 0.0 0.0 82352 6748 ? S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group

  Type in $ systemctl restart smbd.
  Check dmesg output again and log.smbd file in /var/log/samba.

    $ tail log.smbd

    [2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
      smbd version 4.15.9-Ubuntu started.
      Copyright Andrew Tridgell and the Samba Team 1992-2021
    [2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
      smbd version 4.15.9-Ubuntu started.
      Copyright Andrew Tridgell and the Samba Team 1992-2021
    [2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
      exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13

  You shouldn’t notice that smbd is in complained status and you should notice that smbd is DENIED if you install a new package which was fixed with the package from proposed, smbd will start even with the profile in enforced mode.

  [Where problems could occur]

  Any code change might change the behavior of the package in a specific situation and cause other errors.
  The old path is disallowed because the rule has been changed. The risk of regression becomes real when people move around the binary and replace the path, then it would fail after the update.
  Moreover, for instance the user can install only apparmor-utils without the apparmor-profiles and the update will not be visible.
  It is highly recommended to select the ubuntu-daily image while creating a VM, otherwise it might cause a regression and later use will not be able to set the enforce mode and Apparmor will not prevent applications from taking restricted actions.
  Another possible regression source is the fact that the apparmor will be rebuilt against newer versions of its build dependencies, on Jammy and there are 2 profiles affected by the changes.
  There are similar possibilities of regression for that ‘k’ flag which was added.

  [Other information]

  This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed tag so that the fix can be bundled with another future apparmor SRU.

  -------------------original report-------------------
  See bug here: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on
  /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Moreover, the dmesg output failed and it showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba.
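The path mismatch described in the report, as an added example (not code from the bug report or from the AppArmor project): a simplified model of AppArmor path globbing that checks the old and new exec rules against the paths audited in dmesg. It assumes @{multiarch} expands to "*-linux-gnu*" and uses a constructed log trimmed from the lines quoted above; the function names are hypothetical.

```python
import re

# Assumption: @{multiarch} is defined as "*-linux-gnu*", as in Ubuntu's
# /etc/apparmor.d/tunables/multiarch; adjust if your tunables differ.
VARIABLES = {"multiarch": "*-linux-gnu*"}
OLD_RULE = "/usr/lib*/samba/samba-bgqd"
NEW_RULE = "/usr/lib/@{multiarch}/samba/samba-bgqd"

# Constructed sample, trimmed from the dmesg lines quoted in the report.
SAMPLE_LOG = '''\
audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" comm="smbd" requested_mask="x" denied_mask="x"
audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" comm="samba-bgqd" requested_mask="k" denied_mask="k"
'''

def glob_to_regex(rule):
    """Simplified AppArmor glob: '*' and '?' stop at '/', '**' does not."""
    rule = re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], rule)
    out, i, depth = [], 0, 0
    while i < len(rule):
        c = rule[i]
        if rule.startswith("**", i):
            out.append(".*")
            i += 1  # consume the second '*'
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")  # alternation separator inside {a,b}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_matches(rule, path):
    return glob_to_regex(rule).match(path) is not None

def uncovered_execs(rule, log, profile="smbd"):
    """Exec targets audited for `profile` that `rule` does not match."""
    missing = []
    for line in log.splitlines():
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("operation") == "exec" and f.get("profile") == profile:
            if not rule_matches(rule, f["name"]):
                missing.append(f["name"])
    return missing
```

Because `*` never crosses a `/`, the old rule covers /usr/lib/samba and /usr/lib64/samba but not the multiarch directory, while the new rule covers the multiarch directory only, which is the regression noted for a binary left at the old path.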