profiles/apparmor.d: Update samba profile

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692 Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
2025-08-31 22:35:35 +00:00 · 2022-09-28 17:16:55 +03:00
parent c038682745
commit 96aff5a5c5
6 changed files with 20 additions and 8 deletions
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@@ -25,9 +25,9 @@
  /var/log/samba/cores/** rw,
  /var/log/samba/* w,
  @{run}/{,lock/}samba/ w,
-  @{run}/{,lock/}samba/*.tdb rw,
-  @{run}/{,lock/}samba/msg.lock/ rwk,
-  @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+  @{run}/{,lock/}samba/*.tdb rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
  /var/cache/samba/msg.lock/ rwk,
  /var/cache/samba/msg.lock/[0-9]* rwk,

--- a/profiles/apparmor.d/samba-bgqd
+++ b/profiles/apparmor.d/samba-bgqd
@@ -16,7 +16,8 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {

  @{run}/samba/samba-bgqd.pid wk,

-  /usr/lib*/samba/{,samba/}samba-bgqd m,
+  /usr/lib*/samba/{,samba/}samba-bgqd mr,
+  /var/cache/samba/printing/*.tdb rwk,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-bgqd>
--- a/profiles/apparmor.d/samba-dcerpcd
+++ b/profiles/apparmor.d/samba-dcerpcd
@@ -18,8 +18,9 @@ profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {

  @{run}/samba/samba-dcerpcd.pid wk,

-  /usr/lib*/samba/{,samba/}samba-dcerpcd m,
+  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,

+  /usr/lib*/samba/ r,
  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
  /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
  /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
--- a/profiles/apparmor.d/samba-rpcd
+++ b/profiles/apparmor.d/samba-rpcd
@@ -15,7 +15,10 @@ include <tunables/global>

 profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
  include <abstractions/samba-rpcd>
-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+
+  @{run}/samba/ncalrpc/np/winreg wr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-rpcd>
 }
--- a/profiles/apparmor.d/samba-rpcd-classic
+++ b/profiles/apparmor.d/samba-rpcd-classic
@@ -17,7 +17,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
  include <abstractions/samba-rpcd>
  include <abstractions/wutmp>

-  /usr/lib*/samba/{,samba/}rpcd_classic m,
+  /usr/lib*/samba/{,samba/}rpcd_classic mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-rpcd-classic>
--- a/profiles/apparmor.d/samba-rpcd-spoolss
+++ b/profiles/apparmor.d/samba-rpcd-spoolss
@@ -16,8 +16,15 @@ include <tunables/global>
 profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
  include <abstractions/samba-rpcd>

-  /usr/lib*/samba/{,samba/}rpcd_spoolss m,
+  /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
  /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /var/cache/samba/printing/*.tdb rwk,
+  @{run}/samba/samba-bgqd.pid rk,
+
+  /dev/urandom rw,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-rpcd-spoolss>