profiles/apparmor.d: Add new profiles needed for samba-4.16

samba-4.16 has a completely new dcerpc subsystem, services that
used to be built into the smbd daemon itself (and deployed in forked
instances) are now hosted in standalone binaries. The following new
binaries now need new profiles

  rpcd_classic
  rpcd_epmapper
  rpcd_fsrvp
  rpcd_lsad
  rpcd_mdssvc
  rpcd_rpcecho
  rpcd_spoolss
  rpcd_winreg
  samba-dcerpcd

Mostly these are captured in a single common profile 'samba-rpcd'

Additionally smbd & winbindd need new entries because they exec
samba-dcerpcd

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309

Signed-off-by: Noel Power <noel.power@suse.com>

profiles/apparmor.d/abstractions/samba-rpcd

@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+# This file contains basic permissions for samba rpcd_xyz services
+
+  abi <abi/3.0>,
+
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/samba>
+
+  capability setgid,
+  capability setuid,
+
+  signal receive set=term peer=smbd,
+
+  @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/samba-rpcd.d>
+

profiles/apparmor.d/samba-dcerpcd

@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd {
+  include <abstractions/samba-rpcd>
+
+  @{run}/samba/samba-dcerpcd.pid wk,
+
+  /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+  /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic,
+  /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-dcerpcd>
+}

profiles/apparmor.d/samba-rpcd

@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+  include <abstractions/samba-rpcd>
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd>
+}

profiles/apparmor.d/samba-rpcd-classic

@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic {
+  include <abstractions/samba-rpcd>
+  include <abstractions/wutmp>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-classic>
+}

profiles/apparmor.d/samba-rpcd-spoolss

@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss {
+  include <abstractions/samba-rpcd>
+
+  /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-spoolss>
+}

profiles/apparmor.d/usr.sbin.smbd

@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/lib*/samba/gensec/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
   /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
   /usr/lib/@{multiarch}/samba/**/ r,

profiles/apparmor.d/usr.sbin.winbindd

@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
   /usr/{bin,sbin}/winbindd mr,
   /var/cache/krb5rcache/* rwk,
   /var/cache/samba/*.tdb rwk,