From f6bba7bccce9ba5d3f25ac32f9aeb33fc1288206 Mon Sep 17 00:00:00 2001
From: Alex Murray <alex.murray@canonical.com>
Date: Mon, 22 Apr 2024 23:46:44 +0000
Subject: [PATCH] profiles: add fixes for samba from issue #386

squash 2nd patch addressing issue in original patch in MR to have a clean MR.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
---
 profiles/apparmor.d/samba-dcerpcd      | 2 ++
 profiles/apparmor.d/samba-rpcd         | 5 +++++
 profiles/apparmor.d/samba-rpcd-classic | 8 ++++++++
 profiles/apparmor.d/usr.sbin.nmbd      | 1 +
 4 files changed, 16 insertions(+)

diff --git a/profiles/apparmor.d/samba-dcerpcd b/profiles/apparmor.d/samba-dcerpcd
index a455e2c5b..c9fa7b1b5 100644
--- a/profiles/apparmor.d/samba-dcerpcd
+++ b/profiles/apparmor.d/samba-dcerpcd
@@ -16,6 +16,8 @@ include <tunables/global>
 profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
   include <abstractions/samba-rpcd>
 
+  capability sys_resource,
+
   @{run}/{,samba/}samba-dcerpcd.pid rwk,
 
   /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
diff --git a/profiles/apparmor.d/samba-rpcd b/profiles/apparmor.d/samba-rpcd
index ec0ed1d7b..ee90f968b 100644
--- a/profiles/apparmor.d/samba-rpcd
+++ b/profiles/apparmor.d/samba-rpcd
@@ -15,8 +15,13 @@ include <tunables/global>
 
 profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
   include <abstractions/samba-rpcd>
+
+  capability sys_resource,
+
   /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
 
+  @{run}/samba/ncalrpc/np/lsarpc wr,
+  @{run}/samba/ncalrpc/np/mdssvc wr,
   @{run}/samba/ncalrpc/np/winreg wr,
 
   # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/samba-rpcd-classic b/profiles/apparmor.d/samba-rpcd-classic
index 3066a7894..eb1a64281 100644
--- a/profiles/apparmor.d/samba-rpcd-classic
+++ b/profiles/apparmor.d/samba-rpcd-classic
@@ -17,8 +17,16 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
   include <abstractions/samba-rpcd>
   include <abstractions/wutmp>
 
+  capability sys_resource,
+
   /usr/lib*/samba/{,samba/}rpcd_classic mr,
 
+  @{run}/samba/ncalrpc/np/srvsvc wr,
+  @{run}/samba/ncalrpc/np/winreg wr,
+  /dev/urandom rw,
+
+  /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
+
   @{HOMEDIRS}/** lrwk,
 
   # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd
index 754c37b63..cee04e7e2 100644
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -8,6 +8,7 @@ profile nmbd /usr/{bin,sbin}/nmbd {
   include <abstractions/samba>
 
   capability net_bind_service,
+  capability sys_resource,
 
   @{PROC}/sys/kernel/core_pattern r,