profiles: add fixes for samba from issue #386

squash 2nd patch addressing issue in original patch in MR to have a clean MR.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386

profiles/apparmor.d/samba-dcerpcd

@@ -16,6 +16,8 @@ include <tunables/global>
 profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
   include <abstractions/samba-rpcd>
 
+  capability sys_resource,
+
   @{run}/{,samba/}samba-dcerpcd.pid rwk,
 
   /usr/lib*/samba/{,samba/}samba-dcerpcd mr,

profiles/apparmor.d/samba-rpcd

@@ -15,8 +15,13 @@ include <tunables/global>
 
 profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
   include <abstractions/samba-rpcd>
+
+  capability sys_resource,
+
   /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
 
+  @{run}/samba/ncalrpc/np/lsarpc wr,
+  @{run}/samba/ncalrpc/np/mdssvc wr,
   @{run}/samba/ncalrpc/np/winreg wr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/samba-rpcd-classic

@@ -17,8 +17,16 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
   include <abstractions/samba-rpcd>
   include <abstractions/wutmp>
 
+  capability sys_resource,
+
   /usr/lib*/samba/{,samba/}rpcd_classic mr,
 
+  @{run}/samba/ncalrpc/np/srvsvc wr,
+  @{run}/samba/ncalrpc/np/winreg wr,
+  /dev/urandom rw,
+
+  /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
+
   @{HOMEDIRS}/** lrwk,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.sbin.nmbd

@@ -8,6 +8,7 @@ profile nmbd /usr/{bin,sbin}/nmbd {
   include <abstractions/samba>
 
   capability net_bind_service,
+  capability sys_resource,
 
   @{PROC}/sys/kernel/core_pattern r,