** Description changed:
[Impact]
- Path to samba-bgqd is wrong on 22.04.
- Changing from /usr/lib*/samba/samba-bgqd into
/usr/lib/@{multiarch}/samba/samba-bgqd to align different architectures.
- The @{multiarch} was initialized at the code before.
- Before fixing it might confuse users with ambiguity.
- This was later changed by moving the binary, but for an SRU let us just adapt
the path in apparmor.
+ Users who have:
+ a) opted in to confining samba with apparmor (by installing
apparmor-profiles); and
+ b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce
mode;
+ will experience an error in starting the smbd service in jammy:
- Obviously, the bug doesn’t affect users by default, because the samba profiles
- are only installed and activated if you install the apparmor-profiles package
and moreover it has to be in enforce mode to affect users. The profile is
applied in complain mode by default.
- After all these conditions are met, then the impact is that the samba
services will fail to start.
+ [2022/08/25 16:04:05.848067, 0]
../../lib/util/become_daemon.c:119(exit_daemon)
+ exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
- The next thing which occurred was the problem with ‘k’ flag which was
- needed in for the *.tdb files within /etc/apparmor.d/abstractions/samba.
+ This "printing subsystem" is actually a new daemon called samba-bgqd.
+ This errors prevents "smbd" from starting.
+
+ The reason it failed to start is that this binary is installed on a
+ different path than what is allowed in the samba apparmor profiles, and
+ as a result its execution is denied.
+
+ The chosen fix for this is to change the path of samba-bgqd in the samba
+ apparmor profiles to match where it is actually being installed in the
+ jammy packaging. Changing the actual path in the samba packaging would
+ be a more invasive fix.
+
+ In kinetic and later, the installation path of samba-bgqd was changed
+ instead, and requires no changes to the apparmor profiles.
+
+ However, once the path in the apparmor profiles was fixed for jammy,
+ another error comes up which also requires an apparmor change. samba-
+ bgqd is using locking when opening the *.tdb files in /run/samba, and
+ that requires an extra "k" flag to apparmor rules that cover that
+ directory and its tdb files.
+
+ This bug doesn't affect jammy samba users by default, as they have to
+ complete steps (a) and (b) from above to be impacted. Therefore, on its
+ own, this bug does not warrant an SRU, and we are using the block-
+ proposed-jammy tag to prevent its release until such time when another
+ more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
-
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
-
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps
fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ?
Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ?
Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ?
S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ?
S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
-
3.At the end of the output, you should be able to see smbd(complain) in
the left column.
-
4.Then check the dmesg output.
-
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124):
apparmor="ALLOWED" operation="exec"
namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>"
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045
comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
-
- 5.At the end of the output, you will notice profile=”samba-bgqd”
apparmor=”ALLOWED”
-
+ 5.At the end of the output, you will notice profile=”samba-bgqd”
+ apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
- avahi-daemon
- dnsmasq
- dnsmasq//libvirt_leaseshelper
- identd
- klogd
- mdnsd
- nmbd
- nscd
- php-fpm
- ping
- samba-bgqd
- smbldap-useradd
- smbldap-useradd///etc/init.d/nscd
- snap.git-ubuntu.git-ubuntu
- snap.git-ubuntu.import-source-packages
- snap.git-ubuntu.man
- snap.git-ubuntu.merge-changelogs
- snap.git-ubuntu.reconstruct-changelog
- snap.git-ubuntu.self-test
- snap.git-ubuntu.source-package-walker
- snap.git-ubuntu.update-repository-alias
- syslog-ng
- syslogd
- traceroute
+ avahi-daemon
+ dnsmasq
+ dnsmasq//libvirt_leaseshelper
+ identd
+ klogd
+ mdnsd
+ nmbd
+ nscd
+ php-fpm
+ ping
+ samba-bgqd
+ smbldap-useradd
+ smbldap-useradd///etc/init.d/nscd
+ snap.git-ubuntu.git-ubuntu
+ snap.git-ubuntu.import-source-packages
+ snap.git-ubuntu.man
+ snap.git-ubuntu.merge-changelogs
+ snap.git-ubuntu.reconstruct-changelog
+ snap.git-ubuntu.self-test
+ snap.git-ubuntu.source-package-walker
+ snap.git-ubuntu.update-repository-alias
+ syslog-ng
+ syslogd
+ traceroute
You will notice that samba-bgqd is still in complain mode.
-
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd
/etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd
is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ?
Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ?
S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ?
S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
- smbd version 4.15.9-Ubuntu started.
- Copyright Andrew Tridgell and the Samba Team 1992-2021
+ smbd version 4.15.9-Ubuntu started.
+ Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
- smbd version 4.15.9-Ubuntu started.
- Copyright Andrew Tridgell and the Samba Team 1992-2021
+ smbd version 4.15.9-Ubuntu started.
+ Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0]
../../lib/util/become_daemon.c:119(exit_daemon)
- exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
+ exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
-
- You shouldn’t notice that smbd is in complained status and you should notice
that smbd is DENIED if you install a new package which was fixed with the
package from proposed, smbd will start even with the profile in enforced mode.
-
+ You shouldn’t notice that smbd is in complained status and you should
+ notice that smbd is DENIED if you install a new package which was fixed
+ with the package from proposed, smbd will start even with the profile in
+ enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific
situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of
regression becomes real when people move around the binary and replace the
path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the
apparmor-profiles and the update will not be visible.
- It is highly recommended to select the ubuntu-daily image while creating a
VM, otherwise it might cause a regression and later use will not be able to set
the enforce mode and Apparmor will not prevent applications from taking
restricted actions.
+ It is highly recommended to select the ubuntu-daily image while creating a
VM, otherwise it might cause a regression and later use will not be able to set
the enforce mode and Apparmor will not prevent applications from taking
restricted actions.
Another possible regression source is the fact that the apparmor will be
rebuilt against newer versions of its build dependencies, on Jammy and there
are 2 profiles affected by the changes.
- There are similar possibilities of regression for that ‘k’ flag which was
added.
-
+ There are similar possibilities of regression for that ‘k’ flag which was
added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using
the block-proposed tag so that the fix can be bundled with another
future apparmor SRU.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is
required for the *.tdb files within /etc/apparmor.d/abstractions/samba.
** Tags added: block-proposed-jammy
** Description changed:
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing
apparmor-profiles); and
- b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce
mode;
+ b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0]
../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd.
This errors prevents "smbd" from starting.
The reason it failed to start is that this binary is installed on a
different path than what is allowed in the samba apparmor profiles, and
as a result its execution is denied.
The chosen fix for this is to change the path of samba-bgqd in the samba
apparmor profiles to match where it is actually being installed in the
jammy packaging. Changing the actual path in the samba packaging would
be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed
instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy,
another error comes up which also requires an apparmor change. samba-
bgqd is using locking when opening the *.tdb files in /run/samba, and
that requires an extra "k" flag to apparmor rules that cover that
directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to
complete steps (a) and (b) from above to be impacted. Therefore, on its
own, this bug does not warrant an SRU, and we are using the block-
proposed-jammy tag to prevent its release until such time when another
more SRU-worthy apparmor bug is fixed for Jammy.
-
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Perform proper command to display current running processes. (e.g. ps
fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ?
Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ?
Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ?
S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ?
S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain) in
the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124):
apparmor="ALLOWED" operation="exec"
namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>"
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045
comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
5.At the end of the output, you will notice profile=”samba-bgqd”
apparmor=”ALLOWED”
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Type in aa-enforce /etc/apparmor.d/samba-bgqd
/etc/apparmor.d/usr.sbin.smbd to set the paths to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd
is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ?
Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ?
S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ?
S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Type in $ systemctl restart smbd.
Check dmesg output again and log.smbd file in /var/log/samba.
$ tail log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0]
../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
You shouldn’t notice that smbd is in complained status and you should
notice that smbd is DENIED if you install a new package which was fixed
with the package from proposed, smbd will start even with the profile in
enforced mode.
[Where problems could occur]
Any code change might change the behavior of the package in a specific
situation and cause other errors.
The old path is disallowed because the rule has been changed. The risk of
regression becomes real when people move around the binary and replace the
path, then it would fail after the update.
Moreover, for instance the user can install only apparmor-utils without the
apparmor-profiles and the update will not be visible.
It is highly recommended to select the ubuntu-daily image while creating a
VM, otherwise it might cause a regression and later use will not be able to set
the enforce mode and Apparmor will not prevent applications from taking
restricted actions.
Another possible regression source is the fact that the apparmor will be
rebuilt against newer versions of its build dependencies, on Jammy and there
are 2 profiles affected by the changes.
There are similar possibilities of regression for that ‘k’ flag which was
added.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are using
- the block-proposed tag so that the fix can be bundled with another
+ the block-proposed-jammy tag so that the fix can be bundled with another
future apparmor SRU.
+
+ Apparmor in Kinetic does not need the samba-bgqd path fix, but it might
+ need the "k" locking one. We are waiting for an apparmor version update
+ that will still happen in Kinetic to evaluate what is needed there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output failed and it has showed that the 'k' flag is
required for the *.tdb files within /etc/apparmor.d/abstractions/samba.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1979879
Title:
Apparmor profile in 22.04 jammy - fails to start when printing enabled
Status in apparmor package in Ubuntu:
Invalid
Status in samba package in Ubuntu:
Fix Released
Status in apparmor source package in Jammy:
In Progress
Bug description:
[Impact]
Users who have:
a) opted in to confining samba with apparmor (by installing
apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;
will experience an error in starting the smbd service in jammy:
[2022/08/25 16:04:05.848067, 0]
../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
This "printing subsystem" is actually a new daemon called samba-bgqd,
which smbd executes at startup. The error prevents smbd from starting;
error code 13 is EACCES (Permission denied), consistent with the exec
being refused by AppArmor.
The reason it failed to start is that the binary is installed on a
different path than what the samba apparmor profiles allow. The rule
uses /usr/lib*/samba/samba-bgqd, and because "*" does not cross a
directory separator in AppArmor globbing it does not match
/usr/lib/x86_64-linux-gnu/samba/samba-bgqd, so the exec is denied.
The chosen fix for this is to change the path of samba-bgqd in the
samba apparmor profiles to match where it is actually being installed
in the jammy packaging. Changing the actual path in the samba
packaging would be a more invasive fix.
In kinetic and later, the installation path of samba-bgqd was changed
instead, and requires no changes to the apparmor profiles.
However, once the path in the apparmor profiles was fixed for jammy,
another error comes up which also requires an apparmor change.
samba-bgqd uses locking when opening the *.tdb files in /run/samba, and
that requires an extra "k" (lock) flag on the apparmor rules that cover
that directory and its tdb files.
This bug doesn't affect jammy samba users by default, as they have to
complete steps (a) and (b) from above to be impacted. Therefore, on
its own, this bug does not warrant an SRU, and we are using the
block-proposed-jammy tag to prevent its release until such time when
another more SRU-worthy apparmor bug is fixed for Jammy.
[Test Plan]
** Reproduction **
Make a container for testing:
$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test
1.First of all, install apparmor-profiles, apparmor-utils and samba.
$ apt install apparmor-profiles apparmor-utils samba
2.Display the running processes together with their AppArmor labels
(ps fauxZ).
$ ps fauxZ
nmbd (complain) root 2129 0.0 0.0 68720 10628 ?
Ss 16:43 0:00 /usr/sbin/nmbd --foreground --no-process-group
smbd (complain) root 2141 0.0 0.1 84840 16264 ?
Ss 16:43 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2143 0.0 0.0 82360 8544 ?
S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) root 2144 0.0 0.0 82352 6820 ?
S 16:43 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
3.At the end of the output, you should be able to see smbd(complain)
in the left column.
4.Then check the dmesg output.
$ dmesg -T
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124):
apparmor="ALLOWED" operation="exec"
namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>"
profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045
comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95):
apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd"
name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k"
denied_mask="k" fsuid=0 ouid=0
5.In these entries, profile="samba-bgqd" (and profile="smbd" for the
exec) is logged with apparmor="ALLOWED" but a non-empty denied_mask:
in complain mode AppArmor permits the operation and records what
enforce mode would have refused.
6.Later, check the apparmor status using the aa-status command.
$ aa-status
24 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
snap.git-ubuntu.git-ubuntu
snap.git-ubuntu.import-source-packages
snap.git-ubuntu.man
snap.git-ubuntu.merge-changelogs
snap.git-ubuntu.reconstruct-changelog
snap.git-ubuntu.self-test
snap.git-ubuntu.source-package-walker
snap.git-ubuntu.update-repository-alias
syslog-ng
syslogd
traceroute
You will notice that samba-bgqd is still in complain mode.
7.Switch both profiles to enforce mode:
$ aa-enforce /etc/apparmor.d/samba-bgqd /etc/apparmor.d/usr.sbin.smbd
Setting /etc/apparmor.d/samba-bgqd to enforce mode.
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Now when you display current running processes, you will see that smbd
is enforced.
$ ps fauxZ
smbd (enforce) root 2281 0.0 0.1 84840 16416 ?
Ss 14:50 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2283 0.0 0.0 82360 8476 ?
S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) root 2284 0.0 0.0 82352 6748 ?
S 14:50 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
Then restart smbd:
$ systemctl restart smbd
Check the dmesg output again, and /var/log/samba/log.smbd:
$ tail /var/log/samba/log.smbd
[2022/08/25 15:58:15.861776, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.837877, 0] ../../source3/smbd/server.c:1734(main)
smbd version 4.15.9-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2022/08/25 16:04:05.848067, 0]
../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Samba failed to init printing
subsystem, error code 13
With the profiles in enforce mode, smbd therefore fails to start and the
same events are now logged with apparmor="DENIED" instead of "ALLOWED".
After upgrading to the fixed apparmor package from -proposed and
restarting smbd, it must start even with both profiles in enforce mode,
and dmesg must show no DENIED entries for samba-bgqd or for the
/run/samba/*.tdb files.
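The two profile changes described in the Impact section, the @{multiarch} path for samba-bgqd and the extra "k" permission for the tdb files, can be derived mechanically from the complain-mode audit lines in step 4. The Python script below is an added example for this report, not code from the bug, the apparmor package or the samba package: it parses those dmesg lines (embedded as constructed sample input copied from step 4), treats an apparmor="ALLOWED" entry with a non-empty denied_mask as something enforce mode would refuse, rewrites the x86_64-linux-gnu path onto the @{multiarch} tunable, and prints the file rule each profile is missing. The function names are this example's own. Qualifying the exec as "Px -> samba-bgqd" is an assumption about how the smbd profile hands off to the samba-bgqd profile; the rule in the actual package may differ. The generated tdb rule lists only the missing "k" letter and is meant to be merged into the existing rw rule in the samba abstraction.

```python
"""Derive the AppArmor file rules implied by complain-mode audit lines.

Added example for this bug report; not code from the apparmor or samba
packages. It reads dmesg lines, keeps the audit(1400) events that enforce
mode would refuse, rewrites multiarch library paths onto the @{multiarch}
tunable, and prints the rule each profile is missing.
"""
import re
import sys
from collections import defaultdict
from os.path import basename, dirname, splitext

# Constructed sample input: the audit lines from step 4 of the test plan.
SAMPLE_DMESG = """\
[Wed Aug 24 8:24:11 2022] audit: type=1400 audit(1661883574.507:2124): apparmor="ALLOWED" operation="exec" namespace="root//lxd-jammy-apparmor-testMMilion1_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=526045 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.875:92): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/names.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.887:93): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/gencache.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.899:94): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/brlock.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[Wed Aug 24 08:24:11 2022] audit: type=1400 audit(1661329451.903:95): apparmor="ALLOWED" operation="file_lock" profile="samba-bgqd" name="/run/samba/locking.tdb" pid=803 comm="samba-bgqd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as printed by the kernel audit code.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# /usr/lib/<triplet>/ where <triplet> is what the @{multiarch} tunable
# (*-linux-gnu*) stands for.
MULTIARCH_RE = re.compile(r"^/usr/lib/[^/]+-linux-gnu[^/]*/")


def parse_audit_line(line):
    """Return the fields of one AppArmor audit(1400) line, or None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def needs_rule(ev):
    """True if the event is something the profile does not permit.

    In complain mode the kernel logs apparmor="ALLOWED" but still fills
    denied_mask with what enforce mode would refuse; in enforce mode the
    same event is logged as apparmor="DENIED".
    """
    if ev.get("apparmor") == "DENIED":
        return True
    return ev.get("apparmor") == "ALLOWED" and bool(ev.get("denied_mask"))


def generalize_path(path):
    """Replace a concrete multiarch triplet with the @{multiarch} tunable."""
    return MULTIARCH_RE.sub("/usr/lib/@{multiarch}/", path)


def coalesce(paths):
    """Collapse files sharing one directory and extension into a glob."""
    groups = defaultdict(list)
    for p in paths:
        groups[(dirname(p), splitext(p)[1])].append(p)
    out = []
    for (d, ext), members in groups.items():
        out.extend([f"{d}/*{ext}"] if ext and len(members) > 1 else members)
    return sorted(out)


def suggest_rules(events):
    """Map profile name -> list of AppArmor file rules that are missing."""
    perms = defaultdict(lambda: defaultdict(set))  # profile -> path -> letters
    for ev in events:
        if needs_rule(ev) and "profile" in ev and "name" in ev:
            perms[ev["profile"]][generalize_path(ev["name"])].update(ev["denied_mask"])
    known_profiles = set(perms)
    rules = {}
    for profile, paths in perms.items():
        by_letters = defaultdict(list)  # same permission set -> one glob rule
        for path, letters in paths.items():
            by_letters["".join(sorted(letters))].append(path)
        lines = []
        for letters, plist in by_letters.items():
            for path in coalesce(plist):
                if "x" in letters:
                    # A bare x is not valid in a profile; Px transitions to the
                    # binary's own profile. Naming the target is this example's
                    # assumption when a profile called like the binary exists.
                    target = basename(path)
                    qual = f"Px -> {target}" if target in known_profiles else "Px"
                    lines.append(f"{path} {letters.replace('x', '')}{qual},")
                else:
                    lines.append(f"{path} {letters},")
        rules[profile] = lines
    return rules


def analyze(dmesg_text):
    """Parse dmesg text and return the missing rules per profile."""
    events = [ev for ev in map(parse_audit_line, dmesg_text.splitlines()) if ev]
    return suggest_rules(events)


if __name__ == "__main__":
    text = SAMPLE_DMESG if sys.stdin.isatty() else sys.stdin.read()
    for profile, lines in analyze(text or SAMPLE_DMESG).items():
        print(f"# missing in profile {profile}:")
        for rule in lines:
            print("  " + rule)
```

On the sample it prints one rule for smbd (the @{multiarch} exec rule) and one for samba-bgqd (/run/samba/*.tdb with k). Saved as, say, aa_suggest.py, it reads real output the same way via `dmesg -T | python3 aa_suggest.py`; the result is a starting point, and the exec qualifier and any directory-level rules still have to be checked against the existing profile before they are applied.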
[Where problems could occur]
Any code change might change the behavior of the package in a specific
situation and cause other errors.
The rule no longer matches the old /usr/lib*/samba/samba-bgqd location.
Anyone who has moved or relinked the binary to a path that the old glob
covered but /usr/lib/@{multiarch}/samba/samba-bgqd does not would see
the exec denied in enforce mode after the update.
A user who installs only apparmor-utils, without apparmor-profiles, does
not have the samba profiles at all, so the change is invisible to them.
Use the ubuntu-daily:jammy image for the test; with another image the
profiles may not be switchable to enforce mode, and while they are not
enforcing AppArmor blocks nothing, so the test would not exercise the
change.
Another possible regression source is that the apparmor package will be
rebuilt on jammy against newer versions of its build dependencies; two
profiles are changed here.
Adding the 'k' (file lock) permission to the tdb rules carries the same
kind of regression risk.
[Other information]
This fix alone does not warrant an apparmor SRU, therefore we are
using the block-proposed-jammy tag so that the fix can be bundled with
another future apparmor SRU.
Apparmor in Kinetic does not need the samba-bgqd path fix, but it
might need the "k" locking one. We are waiting for an apparmor version
update that will still happen in Kinetic to evaluate what is needed
there.
-------------------original report-------------------
See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Fix was backported, but the path to samba-bgqd is wrong on 22.04.
Currently the apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd
When in fact 22.04 has it at /usr/lib/x86_64-linux-gnu/samba/samba-bgqd
Moreover, the dmesg output showed that the 'k' flag is required for the
*.tdb files within /etc/apparmor.d/abstractions/samba.