Merge [3.x] Update samba profiles

samba-dcerpcd requires access to `/var/cache/samba/names.tdb`. audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0 See also https://bbs.archlinux.org/viewtopic.php?id=281411 Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd` has similar ones, simply add `/var/cache/samba/*.tdb rwk` to `abstractions/samba`. (cherry picked from commit 763c4ecd23cb2608ad70691ea85e2107586b97fe, with cleanup of now-superfluous rules in usr.sbin.nmbd and usr.sbin.winbindd dropped) Also allow access to samba pid files directly in /run/ This is a backport of !987, with the cleanup of now-superfluous rules removed. I propose this patch for 3.x (also for 2.13 if it cleanly applies) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/988 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-29 05:17:59 +00:00 · 2023-02-27 11:56:47 -08:00 · 2023-02-27 11:56:47 -08:00 · 39e7c30ae4
commit 39e7c30ae4
parent a5f8b065a8 d266f7f84c
5 changed files with 5 additions and 5 deletions
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@ -28,6 +28,7 @@
  @{run}/{,lock/}samba/*.tdb rwk,
  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
+  /var/cache/samba/*.tdb rwk,
  /var/cache/samba/msg.lock/ rwk,
  /var/cache/samba/msg.lock/[0-9]* rwk,

--- a/profiles/apparmor.d/samba-bgqd
+++ b/profiles/apparmor.d/samba-bgqd
@ -14,7 +14,7 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
  @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/fd/ r,

-  @{run}/samba/samba-bgqd.pid wk,
+  @{run}/{,samba/}samba-bgqd.pid rwk,

  /usr/lib*/samba/{,samba/}samba-bgqd mr,
  /var/cache/samba/printing/*.tdb rwk,
--- a/profiles/apparmor.d/samba-dcerpcd
+++ b/profiles/apparmor.d/samba-dcerpcd
@ -16,7 +16,7 @@ include <tunables/global>
 profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
  include <abstractions/samba-rpcd>

-  @{run}/samba/samba-dcerpcd.pid wk,
+  @{run}/{,samba/}samba-dcerpcd.pid rwk,

  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,

--- a/profiles/apparmor.d/samba-rpcd-spoolss
+++ b/profiles/apparmor.d/samba-rpcd-spoolss
@ -20,7 +20,7 @@ profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
  /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
  /var/cache/samba/printing/ w,
  /var/cache/samba/printing/*.tdb rwk,
-  @{run}/samba/samba-bgqd.pid rk,
+  @{run}/{,samba/}samba-bgqd.pid rk,

  /dev/urandom rw,

--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@ -53,11 +53,10 @@ profile smbd /usr/{bin,sbin}/smbd {
  /var/lib/samba/** rwk,
  /var/lib/sss/pubconf/kdcinfo.* r,
  @{run}/dbus/system_bus_socket rw,
-  @{run}/smbd.pid rwk,
+  @{run}/{,samba/}smbd.pid rwk,
  @{run}/samba/** rk,
  @{run}/samba/ncalrpc/ rw,
  @{run}/samba/ncalrpc/** rw,
-  @{run}/samba/smbd.pid rw,
  /var/spool/samba/** rw,

  @{HOMEDIRS}/** lrwk,