I'm having to add the following just to allow samba to be started by systemd, 
and I'm still missing net_admin capa, which I'm reluctant to add:
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,12 +24,22 @@
   capability sys_resource,
   capability sys_tty_config,
 
+  # when started by systemd
+  ptrace read peer=unconfined,
+
   /etc/mtab r,
   /etc/netgroup r,
   /etc/printcap r,
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
+
+  # https://gitlab.com/apparmor/apparmor/-/issues/203
+  # needed when smbd is started by systemd
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
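Review bot: the `ptrace read peer=unconfined,` rule and the `@{PROC}/1/environ r,` rule are two halves of one requirement, and the comments should say so: reading another process's /proc/<pid>/environ goes through a PTRACE_MODE_READ check in the kernel, which AppArmor mediates as a ptrace read against the target's label, so the environ rule alone would still be denied. Suggest stating in the first comment that `peer=unconfined` matches any unconfined process, not only PID 1, and citing the same issue URL (#203) there so a later reader does not drop the ptrace rule as unrelated.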
@@ -51,6 +61,8 @@
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
   @{run}/samba/smbd.pid rw,
+  # when started by systemd
+  @{run}/systemd/notify w,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,
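Review bot: the comment on `@{run}/systemd/notify w,` should say what the write is for (sd_notify status messages to systemd's notification socket), since a reader may not connect a `w` file rule with socket traffic; AppArmor mediates connect() to a filesystem-path unix socket through the file write permission on that path, so `w` is the correct permission and no separate `unix` rule is needed. A second generic "when started by systemd" comment in the middle of the `@{run}/samba/` rules is easy to overlook; one comment naming the notify socket would read better.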


With the above, I only get this alert now:
[Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): 
apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" 
capability=12  capname="net_admin"


And only when starting smbd with systemd. Looks like we will have to live with 
that one, if I understood the comments in the upstream bug correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242/+subscriptions
