samba-4.16 has a completely new dcerpc subsystem, services that
used to be built into the smbd daemon itself (and deployed in forked
instances) are now hosted in standalone binaries. The following new
binaries now need new profiles
rpcd_classic
rpcd_epmapper
rpcd_fsrvp
rpcd_lsad
rpcd_mdssvc
rpcd_rpcecho
rpcd_spoolss
rpcd_winreg
samba-dcerpcd
Mostly these are captured in a single common profile 'samba-rpcd'
Additionally smbd & winbindd need new entries because they exec
samba-dcerpcd
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1198309
Signed-off-by: Noel Power <noel.power@suse.com>
... and some rules in the smbd profile to execute it and send it a term
signal.
samba-bgqd is (quoting its manpage) "an internal helper program
performing asynchronous printing-related jobs."
samba-bgqd was added in Samba 4.15.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Tag profiles and abstractions with abi information.
Tagging abstractions is not strictly necessary but allows the parser
to detect when their is a mismatch and that policy will need an
update for abi.
We do not currently tag the tunables because variable declarations
are not currently affected by abi.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Winbind requires access to /var/cache/samba/msg.lock/*.
Move msg.lock/ to abstractions/samba.
On Arch Linux Winbind's pid is set to /run/winbindd.pid.
Signed-off-by: nl6720 <nl6720@gmail.com>
Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)
This fixes the regression introduced by !149 / commit
4200932d8f
- allow smbd to load new shared libraries
- allow winbindd to read and write new kerberos cache location
Based on a patch by "Samuel Cabrero" <scabrero@suse.com>
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1092099
The smbd profile contains /{,var/}run/cups/cups.sock rw, which is
covered by abstractions/cups-client and therefore superfluous.
Acked-by: Steve Beattie <steve@nxnw.org>
openSUSE now compiles samba --with-cachedir=/var/lib/samba (instead of
the default /var/cache/samba). This patch updates the smbd profile to
match this change.
Acked by: Seth Arnold <seth.arnold@canonical.com>
Author: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This was originally patch 0018-lp1056391.patch in the Ubuntu apparmor
packaging; Steve noticed the now-redundant line for /var/lib/sss/mc/passwd
so I removed that at the same time.
From: Kshitij Gupta <kgupta8592@gmail.com>
This patch removes:-
2 rules covered by abstractions in smbd profile:
- /var/log/samba/cores/smbd/ rw and /var/log/samba/cores/smbd/** rw
are in abstractions/samba covered by /var/log/samba/cores/** rw
1 superfluous rule:
- /var/lib/samba/printers/** rw is covered by /var/lib/samba/** rwk
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup patch will
convert these to use @{pid} from the kernelvars tunable.)
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
smbd obviously needs x permissions for smbldap-useradd.
The commit also adds a new profile for usr.sbin.smbldap-useradd (based on
the audit.log from Alexis Pellicier).
Additionally, I moved the "/etc/samba/* rwk" rule next to the other
/etc-related rules in the smbd profile.
References: https://bugzilla.novell.com/show_bug.cgi?id=738041
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- updated to match trunk
- added changed path to nmbd profile (/var/cache/samba has moved to
/var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
For backward compability, it also allows /var/spool/samba.
- Note: The smbd profile already contains both locations.
by Christian Boltz <apparmor@cboltz.de>
updated according to the comments from Steve Beattie
by Christian Boltz <apparmor@cboltz.de>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- add profiles/local/README
- adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/
- adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace
and svn conventions
