[Pkg-samba-maint] [Git][samba-team/samba][master] 6 commits: samba-libs: Add Breaks+Replaces: libndr-standard0 (<< 4) (Closes: #910242)
Mathieu Parent
gitlab at salsa.debian.org
Thu Feb 21 20:14:12 GMT 2019
Mathieu Parent pushed to branch master at Debian Samba Team / samba
Commits:
874f9270 by Mathieu Parent at 2019-02-18T12:32:33Z
samba-libs: Add Breaks+Replaces: libndr-standard0 (<< 4) (Closes: #910242)
- - - - -
bb8971a5 by Mathieu Parent at 2019-02-20T21:47:46Z
Install update-apparmor-samba-profile from Christian Boltz (SUSE)
- - - - -
28a2c5e9 by Mathieu Parent at 2019-02-21T20:01:08Z
smbd.init: Run update-apparmor-samba-profile before start
- - - - -
0ecd28ff by Mathieu Parent at 2019-02-21T20:04:30Z
smbd.service: Run update-apparmor-samba-profile before start
Bug-Debian: https://bugs.debian.org/896080
- - - - -
93e91e0a by Mathieu Parent at 2019-02-21T20:05:27Z
Patch for "smbd.service: Run update-apparmor-samba-profile before start"
- - - - -
bd4c1577 by Mathieu Parent at 2019-02-21T20:13:48Z
Changelog for previous commits
- - - - -
9 changed files:
- debian/changelog
- debian/control
- debian/patches/series
- + debian/patches/smbd.service-Run-update-apparmor-samba-profile-befor.patch
- debian/rules
- debian/samba.install
- debian/samba.smbd.init
- + debian/update-apparmor-samba-profile
- packaging/systemd/smb.service.in
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+samba (2:4.9.4+dfsg-4) UNRELEASED; urgency=medium
+
+ * samba-libs: Add Breaks+Replaces: libndr-standard0 (<< 4) (Closes: #910242)
+ * Improve AppArmor integration (Closes: #896080)
+ - Install update-apparmor-samba-profile from Christian Boltz (SUSE)
+ - smbd.init: Run update-apparmor-samba-profile before start
+ - smbd.service: Run update-apparmor-samba-profile before start
+
+ -- Mathieu Parent <sathieu at debian.org> Thu, 21 Feb 2019 21:13:26 +0100
+
samba (2:4.9.4+dfsg-3) unstable; urgency=medium
[ Ivo De Decker ]
=====================================
debian/control
=====================================
@@ -109,7 +109,8 @@ Multi-Arch: same
Architecture: any
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
-Replaces: samba (<< 2:4.3.3+dfsg-1)
+Breaks: libndr-standard0 (<< 4)
+Replaces: samba (<< 2:4.3.3+dfsg-1), libndr-standard0 (<< 4)
Description: Samba core libraries
Samba is an implementation of the SMB/CIFS protocol for Unix systems,
providing support for cross-platform file sharing with Microsoft Windows, OS X,
=====================================
debian/patches/series
=====================================
@@ -9,3 +9,4 @@ heimdal-rfc3454.txt
nsswitch-Add-try_authtok-option-to-pam_winbind.patch
s3-auth-ignore-create_builtin_guests-failing-without.patch
python-gpg.patch
+smbd.service-Run-update-apparmor-samba-profile-befor.patch
=====================================
debian/patches/smbd.service-Run-update-apparmor-samba-profile-befor.patch
=====================================
@@ -0,0 +1,25 @@
+From 0ecd28ff3fd7f3d5c20705a2b8233fc8648cbf9c Mon Sep 17 00:00:00 2001
+From: Mathieu Parent <math.parent at gmail.com>
+Date: Thu, 21 Feb 2019 21:04:30 +0100
+Subject: [PATCH] smbd.service: Run update-apparmor-samba-profile before start
+
+Bug-Debian: https://bugs.debian.org/896080
+---
+ packaging/systemd/smb.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/packaging/systemd/smb.service.in b/packaging/systemd/smb.service.in
+index 18912ef0e98..6bb24861682 100644
+--- a/packaging/systemd/smb.service.in
++++ b/packaging/systemd/smb.service.in
+@@ -10,6 +10,7 @@ NotifyAccess=all
+ PIDFile=@PIDDIR@/smbd.pid
+ LimitNOFILE=16384
+ EnvironmentFile=- at SYSCONFDIR@/sysconfig/samba
++ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
+ ExecStart=@SBINDIR@/smbd --foreground --no-process-group $SMBDOPTIONS
+ ExecReload=/bin/kill -HUP $MAINPID
+ LimitCORE=infinity
+--
+2.20.1
+
=====================================
debian/rules
=====================================
@@ -124,6 +124,7 @@ override_dh_auto_install:
# Debian goodies
cp debian/smb.conf* $(DESTDIR)/usr/share/samba/
install -m755 debian/panic-action $(DESTDIR)/usr/share/samba/panic-action
+ install -m755 debian/update-apparmor-samba-profile $(DESTDIR)/usr/share/samba/update-apparmor-samba-profile
cp debian/gdbcommands $(DESTDIR)/etc/samba/
mkdir -p $(DESTDIR)/etc/dhcp/dhclient-enter-hooks.d
install -m755 debian/samba-common.dhcp $(DESTDIR)/etc/dhcp/dhclient-enter-hooks.d/samba
=====================================
debian/samba.install
=====================================
@@ -42,3 +42,4 @@ usr/share/man/man8/samba-gpupdate.8
usr/share/man/man8/samba.8
usr/share/man/man8/smbd.8
usr/share/samba/setup
+usr/share/samba/update-apparmor-samba-profile
=====================================
debian/samba.smbd.init
=====================================
@@ -31,6 +31,11 @@ case $1 in
exit 0
fi
+ # Update /etc/apparmor.d/local/usr.sbin.smbd-shares
+ if [ -x /usr/share/samba/update-apparmor-samba-profile ]; then
+ /usr/share/samba/update-apparmor-samba-profile || exit $?
+ fi
+
log_daemon_msg "Starting SMB/CIFS daemon" smbd
# Make sure we have our PIDDIR, even if it's on a tmpfs
install -o root -g root -m 755 -d $PIDDIR
=====================================
debian/update-apparmor-samba-profile
=====================================
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# update apparmor profile sniplet based on samba configuration
+#
+# This script creates and updates a profile sniplet with permissions for all
+# samba shares, except
+# - paths with variables (anything containing a % sign)
+# - "/" - if someone is insane enough to share his complete filesystem, he'll have
+# to modify the apparmor profile himself
+
+# (c) Christian Boltz 2011-2016
+# This script is licensed under the GPL v2 or, at your choice, any later version.
+
+
+# exit silently - used if no profile update is needed
+silentexit() {
+ # echo "$@"
+ exit 0
+}
+
+# exit with an error message
+verboseexit() {
+ echo "$@" >&2
+ exit 1
+}
+
+# if you change this script, _always_ update the version to force an update of the profile sniplet
+versionstring="${0##*/} 1.1"
+
+aastatus="/usr/sbin/aa-status"
+aaparser="/sbin/apparmor_parser"
+loadedprofiles="/sys/kernel/security/apparmor/profiles"
+
+smbconf="/etc/samba/smb.conf"
+smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
+profilesniplet="/etc/apparmor.d/local/usr.sbin.smbd-shares"
+tmp_profilesniplet="/etc/apparmor.d/local/usr.sbin.smbd-shares.new"
+
+# test -x "$aastatus" || silentexit "apparmor not installed"
+# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
+test -e "$loadedprofiles" || silentexit "apparmor not loaded"
+test -e "$profilesniplet" || silentexit "apparmor profile snippet not available"
+test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"
+
+widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
+test "$widelinks" == "Yes" && {
+ echo "[$(date '+%Y/%m/%d %T')] $(basename $0)"
+ echo ' WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
+} >> /var/log/samba/log.smbd
+
+grep -q "$versionstring" "$profilesniplet" && {
+ test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
+}
+
+{
+ echo "# autogenerated by $versionstring at samba start - do not edit!"
+ echo ""
+ testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$"\1/" rk,\n"\1/**" rwkl,p'
+} > "$tmp_profilesniplet"
+
+diff "$profilesniplet" "$tmp_profilesniplet" >/dev/null && {
+ rm -f "$tmp_profilesniplet"
+ touch "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
+ silentexit "profile sniplet unchanged"
+}
+
+mv -f "$tmp_profilesniplet" "$profilesniplet"
+
+grep -q '^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"
+
+echo "Reloading updated AppArmor profile for Samba..."
+
+# reload profile
+"$aaparser" -r "$smbd_profile"
+
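Review bot: The snippet generator replaces the live `$profilesniplet` without checking that `testparm -s` succeeded: its stderr goes to /dev/null and only sed's exit status is seen, so a failed parse would produce a header-only file that is moved over the previous rules and then reloaded. Capturing the dump first, e.g. `conf_dump=$(testparm -s 2>/dev/null) || verboseexit "testparm failed - keeping $profilesniplet"`, and piping `"$conf_dump"` into the existing sed would keep the old rules in that case. The share path is also copied unescaped between double quotes in the generated rules, so a path containing `"` or AppArmor glob characters would yield a rule that fails to parse or matches more than the share; a comment next to the sed line stating that limitation, alongside the `%` and `/` exclusions already listed in the header, would help. As archived on this page the `s` command shows no consistent delimiter, which suggests a non-ASCII delimiter was lost in the mail archive; if the original uses one, an ASCII delimiter avoids depending on the locale the init system provides.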
=====================================
packaging/systemd/smb.service.in
=====================================
@@ -10,6 +10,7 @@ NotifyAccess=all
PIDFile=@PIDDIR@/smbd.pid
LimitNOFILE=16384
EnvironmentFile=- at SYSCONFDIR@/sysconfig/samba
+ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
ExecStart=@SBINDIR@/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity
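Review bot: The added `ExecStartPre=` line has no `-` prefix and no existence check, so any non-zero exit from the helper (its `verboseexit` path, or a failing `apparmor_parser -r` as the last command) keeps smbd from starting, whereas the sysvinit script in this same push guards the call with `[ -x ... ]`. If blocking start on a profile-update failure is intended, a `#` comment above the line saying so would make the fail-closed choice explicit; otherwise `ExecStartPre=-/usr/share/samba/update-apparmor-samba-profile` lets the service start under the previously loaded profile. The path is also hard-coded in a template that otherwise uses `@SBINDIR@`-style substitutions, which matters if this `.in` file is built outside the Debian layout. The same line is carried in debian/patches/smbd.service-Run-update-apparmor-samba-profile-befor.patch.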
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/18a9887b0d38ac6a1af1a8488a8aaff4548d3964...bd4c1577a9b99a501584fe3a663f54f47c91c600