[pkg-apparmor] Bug#920530: AppArmor breaks bind/named DLZ with samba

[intrigeri]

Control: reassign -1 bind9
Control: user pkg-apparmor-team at lists.alioth.debian.org
Control: usertag -1 + modify-profile
Control: tag -1 + moreinfo

Hi,

Vroomfondel:
> […] However in its currently shipping 
> form this broke the bind DLZ that's used with samba (to host DNS for active 
> directory). For those unfamiliar, DLZ = Dynamically Loadable Zone and the way it 
> works is samba populates a zone file which bind is then pointed at to load.
> […]
> I've since discovered samba have official info on apparmour here 
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration - 
> following on from that and what I've seen in kern.log I believe the debian 
> configuration in /etc/apparmor.d/usr.sbin.named should contain something like:

Thanks for your report.

I'm reassigning to the package that ships this profile, because that's
where the problem can be fixed.

>      /usr/lib/x86_64-linux-gnu/samba/** rm,
>      /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
>      /var/lib/samba/private/dns.keytab r,
>      /var/lib/samba/private/named.conf r,
>      /var/lib/samba/private/dns/** rwk,
>      /etc/smb.conf r,

> ...but obviously I'd like someone who knows what they're doing to have a look 
> first as it's possible those permissions are too loose (like I say, I'm still 
> a-learnin'). If and when I get an opportunity to test this I'll report back as 
> to whether it works.

I'm not familiar with the BIND/Samba integration and I've never
touched the usr.sbin.named profile myself, and I'm not sure who's
upstream for it (surely the maintainers of BIND will know), so just my
2 cts:

 - Regarding the 2 lines about /usr/lib/..., they are probably already
   covered by these lines from /etc/apparmor.d/abstractions/base,
   which usr.sbin.named includes:

    /{usr/,}lib/@{multiarch}/**            r,
    /{usr/,}lib/@{multiarch}/lib*.so*      mr,
    /{usr/,}lib/@{multiarch}/**/lib*.so*   mr,

   It would be nice to actually test whether they're needed.
   The above sample rules don't feel crazy so I say go ahead,
   experiment with them and find out if which ones are needed
   and if they're enough :)

 - Regarding the 3 paths under /var/lib/samba/private: are they common
   practice, well documented, or something you happened to come up
   with locally?

   If the former, and assuming they don't break a security boundary
   that could be expected by users of BIND and Samba that do *not*
   wish to integrate them with each other, then it would probably make
   sense to add them to the profile.

   If the latter, then I'm not sure what we can do except add
   documentation and recommend users adapt the example rules
   and add them to /etc/apparmor.d/local/usr.sbin.named.

 - Regarding smb.conf, I would hope that DAC permissions would
   prevent BIND from reading it if it was too crazy, right?
   (I mean, BIND does not run as root, does it?)

So all in all, if these rules work for you, I think the main
issue is about the possible security boundary violations.

Cheers,
-- 
intrigeri