FS#74614 - [apparmor] new profiles needed for samba-4.16

Attached to Project: Arch Linux
Opened by David Farmer (farmerdave) - Monday, 02 May 2022, 09:25 GMT
Last edited by Toolybird (Toolybird) - Thursday, 04 August 2022, 06:05 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To David Runge (dvzrv)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
AppArmor profiles need updating for samba 4.16. See https://gitlab.com/apparmor/apparmor/-/merge_requests/871

Whitelisting shares in /etc/apparmor.d/local/usr.sbin.smbd is no longer sufficient; I still receive:
"audit[332302]: AVC apparmor="DENIED" operation="exec" profile="smbd" name="/usr/lib/samba/samba/samba-dcerpcd" pid=332302 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0"

Additional info:
apparmor 3.0.4-1
samba 4.16.0-6
https://bbs.archlinux.org/viewtopic.php?id=276044
"But even after patching in https://gitlab.com/apparmor/apparmor/-/commit/2b6eada0195cd1ef9d3194d1302dda2461f275e0, https://gitlab.com/apparmor/apparmor/-/commit/ecf8abab98f3579f0d38f7f6909978230cfbead0 and https://gitlab.com/apparmor/apparmor/-/commit/9099b7ed41b6b9da8bc1e9b5e936bf49d249a493, it will not work because the paths in the samba package (https://archlinux.org/packages/extra/x86_64/samba/files/) differ from the ones in the profiles. It has e.g. /usr/lib/samba/samba/samba-dcerpcd instead of /usr/lib/samba/samba-dcerpcd."

Steps to reproduce:
Create a public samba share, whitelist it in /etc/apparmor.d/local/usr.sbin.smbd and then attempt to list public shares on the server with
$ smbclient -L hostname -U%
No public shares are visible

Closed by  Toolybird (Toolybird)
Thursday, 04 August 2022, 06:05 GMT
Reason for closing:  Fixed
Additional comments about closing:  @nl6720 says "Fixed in apparmor 3.0.6-1"
Comment by nl6720 (nl6720) - Tuesday, 03 May 2022, 13:02 GMT
Looks like the weird /usr/lib/samba/samba/ path is because of https://git.samba.org/?p=samba.git;a=commitdiff;h=4e174b5a0f42b042f363640d6b02ef6ba4e9883a. That could be adjusted by building samba with `--libexecdir=/usr/lib`.
Comment by Tolga Cakir (tolga9009) - Wednesday, 25 May 2022, 22:33 GMT
I can confirm the bug for a Windows 10 Pro 21H1 Client trying to access \\nas.example.com, which leads to a "Permission denied" error on the client-side and the mentioned audit logs in the bug report on the server-side. The client is still able to access shares directly via \\nas.example.com\Data. The same behavior can be observed under GNOME using gvfs-smb 1.50.1-1 and nautilus 42.1.1-1, where the client will repeatedly ask for the username / password, when trying to access smb://nas.example.com.

Disabling apparmor e.g. via aa-teardown solves the issue for both clients. So, I can confirm this seems to be an AppArmor issue. //Edit: putting smbd into complain mode, without completely disabling AppArmor system-wide, also fixes the issues.

Besides the audit entry about samba-dcerpcd's path, I'm also getting another related entry:
Mai 26 00:15:36 ragnarok kernel: audit: type=1400 audit(1653516936.711:405): apparmor="DENIED" operation="rename_src" profile="smbd" name="/var/log/samba/log.smbd" pid=1617 comm="smbd" requested_mask="r" denied_mask="r" fsuid=724828160 ouid=724828160
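
The two denial records quoted in this report can be parsed and grouped by profile, operation and path to see exactly what the `smbd` profile blocks. This is an added example, not part of the original thread; the function names are hypothetical and the third sample line is constructed.

```python
import re
from collections import Counter

# key="value" or key=value pairs as they appear in kernel audit records
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The first two lines are the records quoted in this report; the third is a
# constructed non-AppArmor line to show that unrelated log entries are skipped.
SAMPLE = [
    'audit[332302]: AVC apparmor="DENIED" operation="exec" profile="smbd" '
    'name="/usr/lib/samba/samba/samba-dcerpcd" pid=332302 comm="smbd" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'Mai 26 00:15:36 ragnarok kernel: audit: type=1400 '
    'audit(1653516936.711:405): apparmor="DENIED" operation="rename_src" '
    'profile="smbd" name="/var/log/samba/log.smbd" pid=1617 comm="smbd" '
    'requested_mask="r" denied_mask="r" fsuid=724828160 ouid=724828160',
    'May 26 00:15:40 host smbd[1617]: constructed line without an audit record',
]


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted if raw.startswith('"') else raw
            for key, raw, quoted in _KV.findall(line)}


def summarize(lines):
    """Count denials per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for record in filter(None, map(parse_denial, lines)):
        counts[(record.get("profile"), record.get("operation"),
                record.get("name"), record.get("denied_mask"))] += 1
    return counts


def exec_denials(lines):
    """Paths a confined process was not allowed to execute."""
    return sorted({r["name"] for r in filter(None, map(parse_denial, lines))
                   if r.get("operation") == "exec" and "name" in r})


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize(SAMPLE).items():
        print(f"{n}x profile={profile} op={op} mask={mask} path={path}")
    print("exec denied:", exec_denials(SAMPLE))
```
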
Comment by nl6720 (nl6720) - Monday, 06 June 2022, 11:25 GMT
AppArmor merged https://gitlab.com/apparmor/apparmor/-/merge_requests/883 to support the /usr/lib/samba/samba/ paths. Applying all the necessary patches on top of apparmor 3.0.4 is non-trivial, though.
Comment by nl6720 (nl6720) - Monday, 06 June 2022, 11:40 GMT
Comment by nl6720 (nl6720) - Tuesday, 05 July 2022, 05:20 GMT
There's no new apparmor release in sight :(
Perhaps it would be best to patch 3.0.4.
Comment by nl6720 (nl6720) - Thursday, 04 August 2022, 05:48 GMT
This is fixed in apparmor 3.0.6-1.
