[jammy] missing rules for samba profile

Bug #1952242 reported by Andreas Hasenack
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Andreas Hasenack
Milestone: none

Bug Description

ubuntu jammy

apparmor-profiles 3.0.3-0ubuntu3
samba 2:4.13.5+dfsg-2ubuntu3

smbd:
Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

nmbd:
Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon...
Nov 25 14:59:26 jammy-samba-apparmor kernel: [ 196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=12 capname="net_admin"

The systemd notify one for smbd was first fixed for nmbd in https://gitlab.com/apparmor/apparmor/-/merge_requests/236, but smbd was missed.

net_admin might be https://github.com/systemd/systemd/pull/10085, I didn't check if jammy's systemd has that patch (it should, since it's old)
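As an added example (mine, not the reporter's or the apparmor project's code), the following does mechanically what the follow-up comment does by hand: it parses audit records in the format shown above and emits the AppArmor rule each one maps to. The regex, the path-variable mapping and the sample records are assumptions constructed from the lines in this report.

```python
import re

# Constructed sample: four records in the shape of the journal lines in the description.
SAMPLE_LOG = """\
audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin"
audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Literal prefixes rewritten to the variables the shipped profile uses (assumed mapping)
PATH_VARS = (("/proc/", "@{PROC}/"), ("/run/", "@{run}/"))

def parse_record(line: str) -> dict:
    """Split one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def to_rule(rec: dict) -> str:
    """Map one parsed record to the AppArmor rule that would permit exactly that access."""
    op = rec.get("operation")
    if op == "capable":
        return f'capability {rec["capname"]},'
    if op == "ptrace":
        return f'ptrace {rec["requested_mask"]} peer={rec["peer"]},'
    if "name" in rec:  # path-mediated access: open, sendmsg to a socket path, ...
        path = rec["name"]
        for prefix, var in PATH_VARS:
            if path.startswith(prefix):
                path = var + path[len(prefix):]
        return f'{path} {rec["denied_mask"]},'
    raise ValueError(f"unhandled operation: {op!r}")

def suggest_rules(log: str, profile: str) -> list:
    """Return de-duplicated rules for every ALLOWED/DENIED record of `profile`, in log order."""
    rules: list = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("profile") != profile or rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        rule = to_rule(rec)
        if rule not in rules:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, "smbd")))
```

The output also contains `capability net_admin,`; as this report itself shows, a generated rule is a starting point for review, not something to paste into the profile unexamined.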

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm having to add the following just to allow samba to be started by systemd, and I'm still missing net_admin capa, which I'm reluctant to add:
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,12 +24,22 @@
   capability sys_resource,
   capability sys_tty_config,

+ # when started by systemd
+ ptrace read peer=unconfined,
+
   /etc/mtab r,
   /etc/netgroup r,
   /etc/printcap r,
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
+
+ # https://gitlab.com/apparmor/apparmor/-/issues/203
+ # needed when smbd is started by systemd
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
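Review bot: the new `ptrace read peer=unconfined,` rule carries only the comment "when started by systemd", while the /proc block below it cites the upstream issue; the log in the description shows the ptrace read denial immediately after the open of /proc/1/environ, which is consistent with reading another process's environ being subject to a ptrace-read access check, so state that in the comment and reference the same issue, because `peer=unconfined` permits ptrace-read of every unconfined process, not just PID 1, and a later reader should be able to see why that breadth was accepted.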
@@ -51,6 +61,8 @@
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
   @{run}/samba/smbd.pid rw,
+ # when started by systemd
+ @{run}/systemd/notify w,
   /var/spool/samba/** rw,

   @{HOMEDIRS}/** lrwk,
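Review bot: `@{run}/systemd/notify w,` mirrors the nmbd fix from merge request 236 cited in the description; putting that reference in the comment (as the /proc block in the first hunk does for issue 203) keeps the two profiles traceable to the same upstream change, and for consistency with that block the added lines should be set off from the surrounding rules by blank lines.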

With the above, I only get this alert now:
[Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" capability=12 capname="net_admin"

And only when starting smbd with systemd. Looks like we will have to live with that one, if I understood the comments in the upstream bug correctly.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

While working on this bug, I noticed that not all built profiles are being installed, and dh_missing is complaining. I filed https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952632 for that, as I'm way too deep in this rabbit hole already.

Changed in apparmor (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.3-0ubuntu4

---------------
apparmor (3.0.3-0ubuntu4) jammy; urgency=medium

  * d/p/u/samba-systemd-interaction.patch: allow smbd to interact with
    systemd (LP: #1952242):
    - allow notify access
    - allow specific /proc access
    - allow ptrace read

 -- Andreas Hasenack <email address hidden> Mon, 29 Nov 2021 14:43:28 +0000

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released