** Description changed:

  [Impact]
  
  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
  
  will experience an error in starting the smbd service in jammy:
  
  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This errors prevents "smbd" from starting.
  
  The reason it failed to start is that this binary is installed on a
  different path than what is allowed in the samba apparmor profiles, and
  as a result its execution is denied.
  
  The chosen fix for this is to change the path of samba-bgqd in the samba
  apparmor profiles to match where it is actually being installed in the
  jammy packaging. Changing the actual path in the samba packaging would
  be a more invasive fix.
  
  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.
  
  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change. samba-
  bgqd is using locking when opening the *.tdb files in /run/samba, and
  that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.
  
  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on its
  own, this bug does not warrant an SRU, and we are using the block-
  proposed-jammy tag to prevent its release until such time when another
  more SRU-worthy apparmor bug is fixed for Jammy.
  
  [Test Plan]
  
  Make a container for testing:
  
  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test
  
- # First of all, install apparmor-profiles, apparmor-utils and samba.
+ Install the needed packages:
  # apt update && apt install apparmor-profiles apparmor-utils samba
  
- # Confirm that you have smbd and samba-bgqd processes confined and in 
complain mode (check first column):
+ Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
  
  smbd (complain)                    2432 ?        Ss     0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)                    2434 ?        S      0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)                    2435 ?        S      0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
- smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd 
+ smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
+ Change the samba profiles to enforce mode:
+ # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
+ Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
+ Setting /etc/apparmor.d/samba-bgqd to enforce mode.
  
- 4.Then check the dmesg output.
+ Restart smbd:
+ # systemctl restart smbd
  
- $ dmesg -T
+ systemctl won't complain, but smbd failed to start:
+ root@jammy-test:~# ps faxZ | grep smbd | grep -v smbd
+ root@jammy-test:~# 
  
- [Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): 
apparmor="ALLOWED" operation="exec" 
namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" 
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 
comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
- [Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): 
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" 
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" 
denied_mask="k" fsuid=0 ouid=0
+ # tail -2 /var/log/samba/log.smbd
+ [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
+   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
  
- 5.At the end of the output, you will notice profile=”samba-bgqd”
- apparmor=”ALLOWED”
+ And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
+ [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
  
- 6.Later, check the apparmor status using the aa-status command.
- 
- $ aa-status
- 
- 24 profiles are in complain mode.
-    avahi-daemon
-    dnsmasq
-    dnsmasq//libvirt_leaseshelper
-    identd
-    klogd
-    mdnsd
-    nmbd
-    nscd
-    php-fpm
-    ping
-    samba-bgqd
-    smbldap-useradd
-    smbldap-useradd///etc/init.d/nscd
-    snap.git-ubuntu.git-ubuntu
-    snap.git-ubuntu.import-source-packages
-    snap.git-ubuntu.man
-    snap.git-ubuntu.merge-changelogs
-    snap.git-ubuntu.reconstruct-changelog
-    snap.git-ubuntu.self-test
-    snap.git-ubuntu.source-package-walker
-    snap.git-ubuntu.update-repository-alias
-    syslog-ng
-    syslogd
-    traceroute
- 
- You will notice that samba-bgqd is still in complain mode.
- 
- 7.Type in aa-enforce /etc/apparmor.d/samba-bgqd
- /etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
- 
- Setting /etc/apparmor.d/samba-bgqd to enforce mode.
- Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
- 
- Now when you display current running processes, you will see that smbd
- is enforced.
- 
- $ ps fauxZ
- 
- smbd (enforce)                  root        2281  0.0  0.1  84840 16416 ?     
   Ss   14:50   0:00 /usr/sbin/smbd --foreground --no-process-group
- smbd (enforce)                  root        2283  0.0  0.0  82360  8476 ?     
   S    14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
- smbd (enforce)                  root        2284  0.0  0.0  82352  6748 ?     
   S    14:50   0:00  \_ /usr/sbin/smbd --foreground --no-process-group
- 
- Type in $ systemctl restart smbd.
- Check dmesg output again and log.smbd file in /var/log/samba.
- 
- $ tail log.smbd
- 
- [2022/08/25 15:58:15.861776,  0] ../../source3/smbd/server.c:1734(main)
-   smbd version 4.15.9-Ubuntu started.
-   Copyright Andrew Tridgell and the Samba Team 1992-2021
- [2022/08/25 16:04:05.837877,  0] ../../source3/smbd/server.c:1734(main)
-   smbd version 4.15.9-Ubuntu started.
-   Copyright Andrew Tridgell and the Samba Team 1992-2021
- [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
-   exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13
- 
- You shouldn’t notice that smbd is in complained status and you should
- notice that smbd is DENIED if you install a new package which was fixed
- with the package from proposed, smbd will start even with the profile in
- enforced mode.
  
  [Where problems could occur]
  An apparmor update will impact all ubuntu users, regardless if they are using 
samba or not. One has to weigh this carefully with the importance of the bug 
that is being fixed.
  
  This update will restart apparmor on the target system. All sorts of things 
can happen due to that:
  - all apparmor profiles will be reloaded and reapplied
  - if users have modified default profiles in /etc/apparmor.d/* (not inside 
local/*), they will get a dpkg conf prompt during this update
  - in particular, users who have changed the samba profiles to be in enforce 
mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba 
profiles coming in via the apparmor-profiles package are in complain mode. This 
is good, actually, as it will raise awareness about the change the update is 
bringing
  - if apparmor profile files have syntax mistakes, these will show up at this 
time, and might end up leaving a service that was confined before, unconfined 
after the update
  - the "k" change is being done in abstractions/samba, instead of samba-bgqd 
specifically, because it already had a rule to allow "rw" access to *.tdb files 
in there. That abstraction is only included by other samba profiles at the 
moment, so the change seems contained, but one might argue that it would be 
best to add the explicit "k" rule to the samba-bgqd profile instead.
  
  [Other information]
  
  This fix alone does not warrant an apparmor SRU, therefore we are using
  the block-proposed-jammy tag so that the fix can be bundled with another
  future apparmor SRU.
  
  Apparmor in Kinetic does not need the samba-bgqd path fix, but it might
  need the "k" locking one. We are waiting for an apparmor version update
  that will still happen in Kinetic to evaluate if some change will be
  needed there.
  
  -------------------original report-------------------
  
  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
  
  Fix was backported, but the path to samba-bgqd is wrong on 22.04.
  
  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd
  
  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
  
  Moreover, the dmesg output failed and it has showed that the 'k' flag is
  required for the *.tdb files within /etc/apparmor.d/abstractions/samba.
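Review bot: the replacement check in the Test Plan, `ps faxZ | grep smbd | grep -v smbd`, excludes every line containing "smbd" and so prints nothing whether or not smbd is running; the second filter should be `grep -v grep`, as in the earlier `ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep` command, so that an empty result actually demonstrates the failed start.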

https://bugs.launchpad.net/bugs/1979879

Title:
  Apparmor profile in 22.04 jammy - fails to start when printing enabled

Status in apparmor package in Ubuntu:
  Invalid
Status in samba package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [Impact]

  Users who have:
  a) opted in to confining samba with apparmor (by installing 
apparmor-profiles); and
  b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;

  will experience an error in starting the smbd service in jammy:

  [2022/08/25 16:04:05.848067,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  This "printing subsystem" is actually a new daemon called samba-bgqd.
  This error prevents "smbd" from starting.

  The reason it failed to start is that this binary is installed at a
  different path from the one allowed in the samba apparmor profiles,
  and as a result its execution is denied.

  The chosen fix for this is to change the path of samba-bgqd in the
  samba apparmor profiles to match where it is actually being installed
  in the jammy packaging. Changing the actual path in the samba
  packaging would be a more invasive fix.

  In kinetic and later, the installation path of samba-bgqd was changed
  instead, and requires no changes to the apparmor profiles.

  However, once the path in the apparmor profiles was fixed for jammy,
  another error comes up which also requires an apparmor change.
  samba-bgqd is using locking when opening the *.tdb files in /run/samba,
  and that requires an extra "k" flag to apparmor rules that cover that
  directory and its tdb files.

  This bug doesn't affect jammy samba users by default, as they have to
  complete steps (a) and (b) from above to be impacted. Therefore, on
  its own, this bug does not warrant an SRU, and we are using the
  block-proposed-jammy tag to prevent its release until such time when
  another more SRU-worthy apparmor bug is fixed for Jammy.

  [Test Plan]

  Make a container for testing:

  $ lxc launch ubuntu-daily:jammy jammy-test
  $ lxc shell jammy-test

  Install the needed packages:
  # apt update && apt install apparmor-profiles apparmor-utils samba

  Confirm that you have smbd and samba-bgqd processes confined and in complain 
mode (check first column):
  # ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep

  smbd (complain)                    2432 ?        Ss     0:00 /usr/sbin/smbd 
--foreground --no-process-group
  smbd (complain)                    2434 ?        S      0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd (complain)                    2435 ?        S      0:00  \_ 
/usr/sbin/smbd --foreground --no-process-group
  smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S   
0:00  \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Change the samba profiles to enforce mode:
  # aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd 
  Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
  Setting /etc/apparmor.d/samba-bgqd to enforce mode.

  Restart smbd:
  # systemctl restart smbd

  systemctl won't complain, but smbd failed to start:
  root@jammy-test:~# ps faxZ | grep smbd | grep -v grep
  root@jammy-test:~# 

  # tail -2 /var/log/samba/log.smbd
  [2022/09/09 18:20:35.200901,  0] 
../../lib/util/become_daemon.c:119(exit_daemon)
    exit_daemon: daemon failed to start: Samba failed to init printing 
subsystem, error code 13

  And dmesg on the *host* (not the container) will log a few DENIED messages 
like this:
  [sex set  9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): 
apparmor="DENIED" operation="exec" 
namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" 
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" 
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
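As an added example (not part of the bug report), a small Python parser for the dmesg audit records shown above: it groups the denied masks per profile and path, treating complain-mode ALLOWED records like DENIED ones, so it surfaces both the missing exec permission for samba-bgqd in the smbd profile and the missing "k" on the tdb files. The sample lines are constructed after the report's output; pids and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the dmesg records quoted in the bug
# report (pids and timestamps are made up; profiles, paths and masks match).
SAMPLE_AUDIT_LINES = [
    '[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.507:2124): '
    'apparmor="DENIED" operation="exec" profile="smbd" '
    'name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" '
    'requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000',
    '[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): '
    'apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" '
    'name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" '
    'requested_mask="k" denied_mask="k" fsuid=0 ouid=0',
    '[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): '
    'apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" '
    'name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" '
    'requested_mask="k" denied_mask="k" fsuid=0 ouid=0',
    # A non-AppArmor audit record that the parser must skip.
    '[Wed Aug 24 08:24:12 2022] audit: type=1006 pid=1 uid=0 res=success',
]

QUOTED_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
NUMERIC_FIELD_RE = re.compile(r'\b(pid|fsuid|ouid)=(\d+)')


def parse_audit_line(line):
    """Fields of one AppArmor (type=1400) dmesg record as a dict, else None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    fields = dict(QUOTED_FIELD_RE.findall(line))
    fields.update(NUMERIC_FIELD_RE.findall(line))
    return fields


def missing_permissions(lines):
    """Merge denied masks per (profile, path). In complain mode the kernel logs
    apparmor="ALLOWED" but still fills denied_mask with what an enforcing
    profile would refuse, so ALLOWED and DENIED both mean a rule is missing."""
    missing = defaultdict(set)
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") in ("DENIED", "ALLOWED") and rec.get("denied_mask"):
            missing[(rec["profile"], rec["name"])].update(rec["denied_mask"])
    return {key: "".join(sorted(m)) for key, m in missing.items()}


def report(lines):
    """One finding per (profile, path), sorted, e.g. smbd lacking "x" on samba-bgqd."""
    return [f'profile "{p}" lacks "{m}" on {path}'
            for (p, path), m in sorted(missing_permissions(lines).items())]
```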

  
  [Where problems could occur]
  An apparmor update will impact all ubuntu users, regardless of whether they 
use samba. One has to weigh this carefully against the importance of the bug 
that is being fixed.

  This update will restart apparmor on the target system. All sorts of things 
can happen due to that:
  - all apparmor profiles will be reloaded and reapplied
  - if users have modified default profiles in /etc/apparmor.d/* (not inside 
local/*), they will get a dpkg conf prompt during this update
  - in particular, users who have changed the samba profiles to be in enforce 
mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba 
profiles coming in via the apparmor-profiles package are in complain mode. This 
is good, actually, as it will raise awareness about the change the update is 
bringing
  - if apparmor profile files have syntax mistakes, these will show up at this 
time, and might end up leaving a service that was confined before, unconfined 
after the update
  - the "k" change is being done in abstractions/samba, instead of samba-bgqd 
specifically, because it already had a rule to allow "rw" access to *.tdb files 
in there. That abstraction is only included by other samba profiles at the 
moment, so the change seems contained, but one might argue that it would be 
best to add the explicit "k" rule to the samba-bgqd profile instead.

  [Other information]

  This fix alone does not warrant an apparmor SRU, therefore we are
  using the block-proposed-jammy tag so that the fix can be bundled with
  another future apparmor SRU.

  Apparmor in Kinetic does not need the samba-bgqd path fix, but it
  might need the "k" locking one. We are waiting for an apparmor version
  update that will still happen in Kinetic to evaluate if some change
  will be needed there.

  -------------------original report-------------------

  See bug here:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

  Fix was backported, but the path to samba-bgqd is wrong on 22.04.

  Currently apparmor profile has it like this:
  /usr/lib*/samba/samba-bgqd

  When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

  Moreover, the dmesg output failed and it has shown that the 'k' flag
  is required for the *.tdb files within
  /etc/apparmor.d/abstractions/samba.
