mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 13:58:22 +00:00
Code Issues Releases Wiki Activity

Merge Update samba profiles

Browse Source 
# profiles/apparmor.d/samba*: allow access to pid files directly in /run/

On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`.

	apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

The same is true for `nmbd.pid`, `smbd.pid` and probably others too.

# samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.

    audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0

See also https://bbs.archlinux.org/viewtopic.php?id=281411

Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/987
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This commit is contained in:
Christian Boltz 2023-02-27 19:31:59 +00:00
commit d420a7ee3e
7 changed files with 5 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
profiles/apparmor.d/abstractions/samba
View File

@ -28,6 +28,7 @@
@{run}/{,lock/}samba/*.tdb rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
@{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
/var/cache/samba/*.tdb rwk,
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,

2
profiles/apparmor.d/samba-bgqd
View File

@ -14,7 +14,7 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
@{PROC}/sys/kernel/core_pattern r,
owner @{PROC}/@{pid}/fd/ r,
@{run}/samba/samba-bgqd.pid wk,
@{run}/{,samba/}samba-bgqd.pid rwk,
/usr/lib*/samba/{,samba/}samba-bgqd mr,
/var/cache/samba/printing/*.tdb rwk,

2
profiles/apparmor.d/samba-dcerpcd
View File

@ -16,7 +16,7 @@ include <tunables/global>
profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
include <abstractions/samba-rpcd>
@{run}/samba/samba-dcerpcd.pid wk,
@{run}/{,samba/}samba-dcerpcd.pid rwk,
/usr/lib*/samba/{,samba/}samba-dcerpcd mr,

2
profiles/apparmor.d/samba-rpcd-spoolss
View File

@ -20,7 +20,7 @@ profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
/usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
/var/cache/samba/printing/ w,
/var/cache/samba/printing/*.tdb rwk,
@{run}/samba/samba-bgqd.pid rk,
@{run}/{,samba/}samba-bgqd.pid rk,
/dev/urandom rw,

3
profiles/apparmor.d/usr.sbin.nmbd
View File

@ -13,9 +13,6 @@ profile nmbd /usr/{bin,sbin}/nmbd {
/usr/{bin,sbin}/nmbd mr,
/var/cache/samba/gencache.tdb rwk,
/var/cache/samba/gencache_notrans.tdb rwk,
/var/cache/samba/names.tdb rwk,
/var/{cache,lib}/samba/browse.dat* rw,
/var/{cache,lib}/samba/gencache.dat rw,
/var/{cache,lib}/samba/wins.dat* rw,

3
profiles/apparmor.d/usr.sbin.smbd
View File

@ -53,11 +53,10 @@ profile smbd /usr/{bin,sbin}/smbd {
/var/lib/samba/** rwk,
/var/lib/sss/pubconf/kdcinfo.* r,
@{run}/dbus/system_bus_socket rw,
@{run}/smbd.pid rwk,
@{run}/{,samba/}smbd.pid rwk,
@{run}/samba/** rk,
@{run}/samba/ncalrpc/ rw,
@{run}/samba/ncalrpc/** rw,
@{run}/samba/smbd.pid rw,
/var/spool/samba/** rw,
@{HOMEDIRS}/** lrwk,

1
profiles/apparmor.d/usr.sbin.winbindd
View File

@ -29,7 +29,6 @@ profile winbindd /usr/{bin,sbin}/winbindd {
/usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
/usr/{bin,sbin}/winbindd mr,
/var/cache/krb5rcache/* rwk,
/var/cache/samba/*.tdb rwk,
/var/log/samba/log.winbindd rw,
@{run}/{samba/,}winbindd.pid rwk,
@{run}/samba/winbindd/ rw,