FS#76992 - [apparmor] Default profiles for samba do not work properly

Attached to Project: Arch Linux
Opened by UrbenLegend (UrbenLegend) - Monday, 02 January 2023, 22:54 GMT
Last edited by David Runge (dvzrv) - Saturday, 02 September 2023, 14:44 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The default apparmor profiles for Samba do not appear to be working properly, preventing clients from accessing Samba shares (I tested with usershares).
Here are all the denial issues I encountered:

1. samba-dcerpcd complains about being denied access to /var/cache/samba/names.tdb.
Workaround: Add "/var/cache/samba/** rwk," to:
* /etc/apparmor.d/local/samba-dcerpcd
* /etc/apparmor.d/local/samba-rpcd
* /etc/apparmor.d/local/samba-rpcd-classic

2. After adding an exception for that, it then started to complain about not being able to access /run/samba-dcerpcd.pid
Workaround: Add "@{run}/samba-dcerpcd.pid wk," to /etc/apparmor.d/local/samba-dcerpcd

3. There are also denials when Samba attempts to log to /var/log/samba/log.rpcd_classic. This happens whenever a share is browsed.


I believe these 3 issues are bugs with the AppArmor profile. They should not happen out of the box with the default samba profiles IMHO.


Doing the workarounds for the first 2 items seems to allow clients to connect. However, I ran into another issue where shares were not visible unless I added those directories as exceptions in:
* /etc/apparmor.d/local/samba-rpcd-classic
* /etc/apparmor.d/local/usr.sbin.smbd

ArchWiki only mentions adding exceptions to the latter, though, so I am confused whether I am doing this properly. Are we now expected to add exceptions in both of these files instead of just one?


Additional info:
* apparmor 3.1.2-1, samba 4.17.4-2
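
An added example, not part of the original report or of AppArmor's own tooling: a Python script that groups AppArmor `DENIED` audit lines by profile and drafts an exact-path file rule for each denied path, which answers the question of which profile a given exception belongs to. The log lines are constructed, and the function names (`parse`, `rule_perms`, `draft_rules`) are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit lines (not from the report). Profiles and paths follow the
# denials described above; operations, masks and the log's profile are assumed.
HDR = 'audit: type=1400 audit(1672700001.1:2): apparmor="DENIED" '
SAMPLE_LOG = "\n".join([
    HDR + 'operation="mknod" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" denied_mask="c"',
    HDR + 'operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" denied_mask="wr"',
    HDR + 'operation="file_lock" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" denied_mask="k"',
    HDR + 'operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" denied_mask="wc"',
    HDR + 'operation="file_lock" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" denied_mask="k"',
    HDR + 'operation="open" profile="samba-rpcd-classic" name="/var/log/samba/log.rpcd_classic" denied_mask="ac"',
    'audit: type=1400 audit(1672700001.1:3): apparmor="ALLOWED" operation="open" profile="smbd" name="/srv/a" denied_mask="r"',
])

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
RULE_ORDER = "rwaklm"

def parse(line):
    """Split one audit line into its key=value fields, unquoting values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD.findall(line)}

def rule_perms(mask):
    """Turn a logged denied_mask into permissions valid in a profile rule."""
    # The kernel logs create (c) and delete (d) separately; in the profile
    # language both are covered by w.
    perms = {"w" if c in "cd" else c for c in mask}
    perms.discard("x")   # exec needs a transition mode chosen by hand
    if "w" in perms:
        perms.discard("a")   # w and a are mutually exclusive in one rule
    return "".join(p for p in RULE_ORDER if p in perms)

def draft_rules(log):
    """Map each denying profile to draft exact-path rules for its denials."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") == "DENIED" and "name" in f and "profile" in f:
            grouped[f["profile"]][f["name"]].update(f.get("denied_mask", ""))
    return {prof: [f"{path} {rule_perms(mask)}," for path, mask in sorted(paths.items())
                   if rule_perms(mask)]
            for prof, paths in grouped.items()}

if __name__ == "__main__":
    for profile, rules in draft_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

The drafted rules name exact paths, which is narrower than the `/var/cache/samba/**` glob used in the workaround above; each rule belongs in the local override included by the profile it is listed under.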


Closed by David Runge (dvzrv)
Saturday, 02 September 2023, 14:44 GMT
Reason for closing: Upstream
Additional comments about closing: Upstream needs to fix these issues in the default files.
Relevant upstream ticket: https://gitlab.com/apparmor/apparmor/-/issues/278
Comment by Toolybird (Toolybird) - Tuesday, 03 January 2023, 06:04 GMT
Related FS#74614
Comment by UrbenLegend (UrbenLegend) - Tuesday, 03 January 2023, 09:16 GMT
There's an upstream bug regarding the same issue: https://gitlab.com/apparmor/apparmor/-/issues/278
Comment by UrbenLegend (UrbenLegend) - Tuesday, 03 January 2023, 09:34 GMT
Uploading my workaround /etc/apparmor.d/local configs as reference here in case anyone else is encountering similar issues.
Comment by David Runge (dvzrv) - Saturday, 02 September 2023, 13:47 GMT
@UrbenLegend: Thanks for the ticket and the examples!

I don't think there is anything on Arch Linux's side to be done here, as this is (AFAICT) not a packaging bug.
Upstream needs to fix these files. If you have fixes that work, please provide them as a merge request to upstream! :)
