[Pkg-samba-maint] Bug#896080: AppArmor/Samba integration in Debian
Christian Boltz
apparmor at cboltz.de
Thu Feb 21 23:23:04 GMT 2019
Hi Mathieu,
On Thursday, 21 February 2019, 22:19:34 CET, Mathieu Parent wrote:
> I'm working on AppArmor/Samba integration in Samba and integrated your
> "update-apparmor-samba-profile" script.
I'm happy to hear that :-)
> I've taken version 1.1, but it silently exits with:
>
> grep -q '^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || \
>     silentexit "smbd profile not loaded"
>
> I don't have the complete path but the profile name in this file:
>
> $ sudo cat /sys/kernel/security/apparmor/profiles | grep smbd
> smbd (enforce)
>
> I don't know much about AppArmor, is this a bug in the script or a
> behavior difference under Debian?
It's a new/changed behaviour of latest upstream AppArmor, and I have to
admit that I completely forgot that this script will need to be adjusted.
Historically, the profiles used the attachment (= path of the binary,
"/usr/sbin/smbd" in this case) as the profile name. This also means that
the profile name changes if you extend the profile to attach to
"/usr/{bin,sbin}/smbd" (which is needed for distributions with merged
/usr/bin/ and /usr/sbin/).
Latest AppArmor switched to using profile names ("smbd") instead, which
makes this easier (and keeps the profile name short and readable).
The switch causes a one-time pain, but ensures that future attachment
changes (like the {bin,sbin} alternation) won't cause additional pain.
Both Debian and openSUSE will have to adjust the
update-apparmor-samba-profile script - for backward compatibility, the
best way is to grep for both names:
    grep '^smbd (\|^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || \
        silentexit "smbd profile not loaded"
Oh, BTW - thanks for accidentally ;-) reporting this openSUSE bug!
I forwarded it to our Samba maintainers in
https://bugzilla.opensuse.org/show_bug.cgi?id=1126377
Please grab the patch from this bug report to ensure that the Debian and
openSUSE scripts stay in sync.
Regards,
Christian Boltz
--
I am not a Dictator, I can think of no example where I've ordered
anyone to do anything. And I would expect people to stare at me funny
and tell me 'no', if I tried. [Richard Brown in opensuse-project]
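
The check discussed in the message above, as an added example that is not part of the original mail or of update-apparmor-samba-profile: it accepts both the short profile name and the attachment path, and goes a step further than the grep by also reporting the profile's mode. The function name profile_mode and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of update-apparmor-samba-profile.
# profile_mode FILE NAME...
#   Prints the mode of the first NAME loaded according to FILE and returns 0.
#   Returns 1 if none of the names is loaded, 2 if FILE is unreadable.
profile_mode() {
    profiles_file=$1
    shift
    [ -r "$profiles_file" ] || return 2
    for name in "$@"; do
        # Each line is "<profile name> (<mode>)". Compare the name as a
        # literal string, so "smbd" matches neither "smbd-extra" nor the
        # child profile "smbd//null-...".
        mode=$(awk -v n="$name" '
            {
                i = match($0, / \([a-z]+\)$/)
                if (i && substr($0, 1, i - 1) == n) {
                    print substr($0, i + 2, RLENGTH - 3)
                    found = 1
                    exit
                }
            }
            END { exit !found }' "$profiles_file") && {
            printf '%s\n' "$mode"
            return 0
        }
    done
    return 1
}

# Constructed samples of /sys/kernel/security/apparmor/profiles:
# attachment path as profile name (older AppArmor) and short name (latest).
old_style=$(mktemp)
new_style=$(mktemp)
printf '%s\n' '/usr/sbin/nmbd (enforce)' '/usr/sbin/smbd (enforce)' > "$old_style"
printf '%s\n' 'nmbd (enforce)' 'smbd//null-/bin/sh (complain)' 'smbd (complain)' > "$new_style"
for f in "$old_style" "$new_style"; do
    profile_mode "$f" smbd /usr/sbin/smbd || echo "smbd profile not loaded"
done
rm -f "$old_style" "$new_style"
```

A profile reported as "complain" is loaded but only logs violations, which a caller may want to treat differently from "enforce".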