Bug 688040 - apparmor profile denies smbd access to the shared folder
Summary: apparmor profile denies smbd access to the shared folder
Status: RESOLVED FIXED
Duplicates: 714089
Alias: None
Product: openSUSE 11.4
Classification: openSUSE
Component: Samba
Version: Final
Hardware: All
OS: openSUSE 11.4
Priority: P3 - Medium
Severity: Normal
Votes: 5
Target Milestone: ---
Assignee: Lars Müller
QA Contact: The 'Opening Windows to a Wider World' guys
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-04-17 23:58 UTC by Forgotten User RGNLqzyWVb
Modified: 2012-02-02 18:34 UTC
CC: 7 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
update-apparmor-samba-profile (2.14 KB, text/plain) - 2011-10-17 20:18 UTC, Christian Boltz
Patch for the smb initscript (817 bytes, patch) - 2011-10-17 20:21 UTC, Christian Boltz

Description Forgotten User RGNLqzyWVb 2011-04-17 23:58:30 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.29 SUSE/12.0.731.0 (KHTML, like Gecko) Chrome/12.0.731.0 Safari/534.29

The related bug is #666450.

I updated apparmor from
http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/openSUSE:/11.4:/Update:/Test/standard

smbd and nmbd are started, but smbd cannot access the shared directory.

audit.log:

type=AVC msg=audit(1302928001.423:3198): apparmor="DENIED" operation="open"
parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 comm="smbd"
requested_mask="r" denied_mask="r" fsuid=65534 ouid=0


With disabled apparmor everything is ok.

smb.conf contains lines:
[pub]
        comment = public
        inherit acls = Yes
        path = /mnt/d04/pub
        read only = No
        guest ok = Yes
        create mask = 0664
        directory mask = 0775

Reproducible: Always
Comment 1 Jeff Mahoney 2011-04-18 02:42:42 UTC
As mentioned in bnc#666450, the answer isn't to add specific directories to the profile, it's to add the ability to have local extensions without modifying the profile as-shipped.

This isn't a samba issue but a general apparmor one.
Comment 2 Christian Boltz 2011-04-18 20:11:35 UTC
Agreed. It would still be worth some bonus points if the samba initscript would auto-generate a profile snippet with the paths of all shares ;-)
Comment 3 Lars Müller 2011-04-20 16:30:08 UTC
Free coffee and cake if we see a submit request implementing the suggestion from comment #2 in a way that works generically with the current sysvinit approach and with systemd too.
Comment 4 Jeff Mahoney 2011-04-20 17:08:52 UTC
Quick hint: this would be super easy for someone looking to learn python. Specifically, check out the ConfigParser module.
Comment 5 mat JaDoel 2011-05-21 05:30:20 UTC
(In reply to comment #0)
> I updated apparmor from
> http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/openSUSE:/11.4:/Update:/Test/standard
> 
openSUSE 11.4 (32b) with latest update + Tumbleweed repo as of 05/21/2011.
It seems Samba needs to read the /etc/netgroup file and it is denied. Here is the
/var/log/audit/audit.log:

type=AVC msg=audit(1305954890.279:29): apparmor="DENIED" operation="open" parent=4692 profile="/usr/sbin/smbd" name="/etc/netgroup" pid=4732 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The relevant info :

rpm -qa | grep samba
samba-3.5.8-2.5.i586

rpm -qa | grep apparmor
apparmor-docs-2.5.1.r1445-62.11.noarch
apparmor-parser-2.5.1.r1445-62.11.i586
apparmor-profiles-2.5.1.r1445-62.11.noarch
apparmor-utils-2.5.1.r1445-62.11.noarch
libapparmor-devel-2.5.1.r1445-62.11.i586
libapparmor1-2.5.1.r1445-62.11.i586
pam_apparmor-2.5.1.r1445-62.11.i586
patterns-openSUSE-apparmor-11.4-6.9.1.i586
patterns-openSUSE-apparmor_opt-11.4-6.9.1.i586
perl-apparmor-2.5.1.r1445-62.11.i586
yast2-apparmor-2.20.1-1.2.1.noarch

rpm -qa | grep kernel
kernel-desktop-2.6.38.6-29.1.i586
kernel-xen-2.6.38.6-29.1.i586
Comment 6 Christian Boltz 2011-08-16 23:17:13 UTC
Another quick hint: if someone wants to implement comment #2 in perl, Config::IniFiles is probably a good choice.
Comment 7 David Disseldorp 2011-08-17 23:10:50 UTC
(In reply to comment #2)
> Agreed. It would still be worth some bonus points if the samba initscript would
> auto-generate a profile snippet with the paths of all shares ;-)

Although attractive, this method is far from a silver bullet. As Lars described on the opensuse-factory ML, Samba share definitions can be updated with various actions: process restart, SIGHUP, smbcontrol message and registry change. 

Acting on internal MSG_SMB_CONF_UPDATED messages may be a less cumbersome option but even then there's still the option of [homes] and other variable dependent share paths.
Comment 8 Christian Boltz 2011-08-21 15:45:16 UTC
(In reply to comment #7)
> (In reply to comment #2)
> > Agreed. It would still be worth some bonus points if the samba initscript 
> > would auto-generate a profile snippet with the paths of all shares ;-)
> 
> Although attractive, this method is far from a silver bullet. As Lars 
> described on the opensuse-factory ML, Samba share definitions can be updated 
> with various actions: process restart, SIGHUP, smbcontrol message and registry 
> change. 

Yes, I've seen his mail - however I'd say this is where things get scary ;-)

Basically I see two options:
a) parse smb.conf to create an apparmor profile snippet (without the 
   "dynamically" created shares)
b) let Samba itself update the profile snippet
c) (did I miss another option?)

b) might sound like the better solution, but comes with the risk that someone exploits Samba and then raises his privileges.
With a) he would at least have to modify smb.conf and re-run the initscript to update the apparmor profile snippet, which is much more difficult to exploit IMHO.

Lars, what is your opinion about this?
Comment 9 Christian Boltz 2011-08-26 12:40:15 UTC
*** Bug 714089 has been marked as a duplicate of this bug. ***
Comment 10 Christian Boltz 2011-10-11 11:21:26 UTC
Based on the discussion on the ML, here's a script to generate an apparmor profile snippet that includes all shares listed in smb.conf, with the exception of
- variables (anything containing a % sign)
- "/" - if someone is insane enough to share his complete filesystem, he'll have 
  to modify the apparmor profile himself.
testparm turned out to be quite useful :-)

echo '# autogenerated at samba start - do not edit!'
# the address only selects "path = ..." lines whose value contains no % and is longer than a single "/"
testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t][^%]\{1,\}$/ s§^[ \t]*path[ \t]*=[ \t]*\(.*\)$§\1/   rk,\n\1/** rwkl,§p'

("[ \t]" means space and tab - ignore the linebreak above)
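A Python version of the same idea, added here as an example; it is not the update-apparmor-samba-profile script attached to this bug. It takes up the configparser hint from comment #4, reads a constructed smb.conf text instead of the testparm output, treats "directory" as the smb.conf synonym of "path", and skips "/" and any path containing a "%" exactly as the sed one-liner intends. The names share_paths, rule_path, profile_snippet and SAMPLE_SMB_CONF are the example's own; paths containing AppArmor glob characters are not escaped.

```python
"""Generate an AppArmor snippet with rules for all static Samba shares.

Added example for this bug report, not the update-apparmor-samba-profile
script attached to it.  It follows the hint in comment #4 and parses the
configuration with configparser instead of piping testparm through sed.
Assumptions: the input is smb.conf-style text ("[section]" and "key = value"
lines), "directory" is accepted as the smb.conf synonym of "path", and the
whole-filesystem share "/" and paths containing Samba variables (a "%") are
skipped, as in comment #10.
"""
import configparser
import io

# Constructed sample configuration; only [pub] is taken from the bug report.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP

[pub]
    comment = public
    path = /mnt/d04/pub
    read only = No
    guest ok = Yes

[homes]
    path = /home/%u

[everything]
    path = /

[with space]
    directory = /srv/My Share/

[printers]
    printable = yes
"""


def share_paths(smb_conf_text):
    """Return the share paths that can safely be turned into static rules."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       empty_lines_in_values=False)
    parser.read_file(io.StringIO(smb_conf_text))
    paths = []
    for section in parser.sections():
        if section.lower() == "global":
            continue
        path = parser.get(section, "path", fallback=None)
        if path is None:
            path = parser.get(section, "directory", fallback=None)
        if path is None:
            continue  # e.g. [printers]: no path, nothing to allow
        path = path.strip()
        if len(path) > 1:
            path = path.rstrip("/")  # "/srv/pub/" and "/srv/pub" are the same share
        if path == "/" or "%" in path:
            continue  # left to the admin (comment #10): whole filesystem or a variable
        paths.append(path)
    return paths


def rule_path(path):
    """AppArmor needs paths containing whitespace to be double-quoted."""
    return '"%s"' % path if any(c.isspace() for c in path) else path


def profile_snippet(paths):
    """Render the snippet.  Two rules per share: "/path/ rk," for the
    directory itself and "/path/** rwkl," for everything below it.  The first
    one is needed because "**" only matches entries below the directory,
    which is exactly the rule that turned out to be missing in comment #35."""
    lines = ["# autogenerated at samba start - do not edit!"]
    for path in paths:
        lines.append("%s rk," % rule_path(path + "/"))
        lines.append("%s rwkl," % rule_path(path + "/**"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(profile_snippet(share_paths(SAMPLE_SMB_CONF)), end="")
```

For the sample above the snippet contains rules for /mnt/d04/pub and the quoted "/srv/My Share" only; [homes] (variable), [everything] ("/") and [printers] (no path) produce nothing.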
Comment 11 Christian Boltz 2011-10-17 20:18:49 UTC
Created attachment 457112 [details]
update-apparmor-samba-profile

update-apparmor-samba-profile - script to create or update an apparmor snippet with permissions for all samba shares.

Proposed path: /usr/share/samba/update-apparmor-samba-profile
(called by initscript or systemd - no need to have it in /usr/sbin/)
Comment 12 Christian Boltz 2011-10-17 20:21:11 UTC
Created attachment 457113 [details]
Patch for the smb initscript

This patch for the smb initscript adds calls to the update-apparmor-samba-profile script on (re)start and reload.
Comment 13 Christian Boltz 2011-10-17 20:29:14 UTC
The attachments contain everything you need to let samba update its AppArmor profile. (Well, I have to admit that I'm not sure about systemd - if there is a service file for samba, you'll have to include a call to my script.)

I didn't send a SR because changing the initscript inside a tarball looks 
a bit ;-) horrible to me.

Please include this script and patch in openSUSE 12.1.
For the record: The risk of the patch and the script is very low IMHO.

I'll commit an updated AppArmor package that includes the generated snippet in the Samba AppArmor profile when you have included the script in the samba package.
Comment 14 Lars Müller 2011-10-18 18:51:09 UTC
Suggested fix merged and pushed into network:samba:TESTING.

Please test if that works for you.  Without complaints we'll merge the required changes tomorrow.
Comment 15 Christian Boltz 2011-10-18 20:01:18 UTC
(In reply to comment #14)
> Suggested fix merged and pushed into network:samba:TESTING.
> 
> Please test if that works for you.  Without complains we'll merge the required
> changes tomorrow.

error: Installed (but unpackaged) file(s) found:
   /usr/share/samba/update-apparmor-samba-profile

Please add it to %files ;-)
Comment 16 Lars Müller 2011-10-18 21:08:05 UTC
Fixed.
Comment 17 Bernhard Wiedemann 2011-10-18 23:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (688040) was mentioned in
https://build.opensuse.org/request/show/88635 Factory / samba
Comment 18 Bernhard Wiedemann 2011-10-19 11:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (688040) was mentioned in
https://build.opensuse.org/request/show/88695 Factory / apparmor
Comment 19 Christian Boltz 2011-10-19 11:02:04 UTC
SR 88695 (for the apparmor package) will include the autogenerated profile snippet in the smbd profile.
Comment 20 Norbert Hornyak 2012-01-30 16:11:25 UTC
The bug is still available in the main repo, and also in network:samba:TESTING.
Comment 21 Lars Müller 2012-01-30 22:32:45 UTC
Please switch AppArmor into complain mode and provide which access rights are missing.

Samba from network:samba:TESTING and network:samba:STABLE are currently at the identical code level.  This is easy to check via the content of the build-source-timestamp file.

If this is a different issue please close this bug and file a separate one.
Comment 22 Forgotten User RGNLqzyWVb 2012-01-31 04:27:22 UTC
I updated Apparmor from 'Updates' repo and samba from 'samba:STABLE'.

It works for me. Access to custom directories is allowed.

OpenSUSE 11.4.
Comment 23 Norbert Hornyak 2012-01-31 09:49:49 UTC
(In reply to comment #21)
> Please switch AppArmor into complain mode and provide which access rights are
> missing.
> 
> Samba from network:samba:TESTING and network:samba:STABLE are currently at the
> identical code level.  This is easy to check via the content of the
> build-source-timestamp file.
> 
> If this is a different issue please close this bug and file a separate one.

I switched smbd to complain mode, but I have seen nothing else:
[ 4169.986750] type=1400 audit(1328003056.364:237): apparmor="ALLOWED" operation="open" parent=11157 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=11423 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000

samba version in the testing repo: samba-3.6.3-97.1
in the stable: samba-3.6.3-85.1
Comment 24 Norbert Hornyak 2012-01-31 09:51:08 UTC
(In reply to comment #22)
> I updated Apparmor from 'Updates' repo and samba from 'samba:STABLE'.
> 
> It works for me. Access to custom directories is allowed.
> 
> OpenSUSE 11.4.

From which updates? http://download.opensuse.org/update/11.4/ ?
I'm updated too...
Comment 25 Christian Boltz 2012-01-31 10:07:50 UTC
Ah, you are using 11.4 - that explains it. The autogenerated apparmor snippet for all shares is included starting with 12.1.

Basically, you have two options:
a) manual way:
- echo "# replaceme" > /etc/apparmor.d/local/usr.sbin.smbd-shares
- add " #include <local/usr.sbin.smbd-shares>" to /etc/apparmor.d/usr.sbin.smbd
- rcsmb restart (this should update the local/usr.sbin.smbd-shares snippet)

b) update your apparmor-profiles package to 2.7.1 from security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor 2.5, but if it works, it's the easiest solution.
Comment 26 Norbert Hornyak 2012-01-31 10:19:47 UTC
(In reply to comment #25)
> Ah, you are using 11.4 - that explains it. The autogenerated apparmor snippet
> for all shares is included starting with 12.1.
> 
> Basically, you have two options:
> a) manual way:
> - echo "# replaceme" > /etc/apparmor.d/local/usr.sbin.smbd-shares
> - add " #include <local/usr.sbin.smbd-shares>" to /etc/apparmor.d/usr.sbin.smbd
> - rcsmb restart (this should update the local/usr.sbin.smbd-shares snippet)
> 
> b) update your apparmor-profiles package to 2.7.1 from
> security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor
> 2.5, but if it works, it's the easiest solution.

a)
AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error, unexpected TOK_MODE, expecting TOK_OPEN

/etc/apparmor.d/usr.sbin.smbd failed to load

b)
Same error:
[ 6270.775634] type=1400 audit(1328005157.152:357): apparmor="DENIED" operation="open" parent=15544 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=15640 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000
Comment 27 Christian Boltz 2012-01-31 22:56:59 UTC
(In reply to comment #26)
> > - add " #include <local/usr.sbin.smbd-shares>" to 
> >   /etc/apparmor.d/usr.sbin.smbd
> > - rcsmb restart (this should update the local/usr.sbin.smbd-shares snippet)

> AppArmor parser error for /etc/apparmor.d/usr.sbin.smbd in
> /etc/apparmor.d/local/usr.sbin.smbd-shares at line 3: syntax error, unexpected
> TOK_MODE, expecting TOK_OPEN

Sounds like you added the include before the opening "/usr/sbin/smbd {" line. You should add it below (inside the {...} block).

> > b) update your apparmor-profiles package to 2.7.1 from
> > security:apparmor:factory - I never tested the 2.7.1 profiles with apparmor
> > 2.5, but if it works, it's the easiest solution.

> Same error: [DENIED message from audit.log]

So the good news is that the 2.7 profiles work with AppArmor 2.5 :-)

Did you restart AppArmor and Samba after updating the profiles package? If not, run:
rcapparmor restart
rcsmb restart
Comment 28 Norbert Hornyak 2012-02-01 11:30:28 UTC
(In reply to comment #27)
> Sounds like you added the include before the opening "/usr/sbin/smbd {" line.
> You should add it below (inside the {...} block).

Yeah, this is my fault. I downgraded back to apparmor 2.5, which is in the 11.4 oss repo, and with this correction it seems to be OK...


> So the good news is that the 2.7 profiles work with AppArmor 2.5 :-)

No, I updated everything (libapparmor, parser, utils...) from the factory repo, so all of my apparmor packages were 2.7.

> Did you restart AppArmor and Samba after updating the profiles package? If not,
> run:
> rcapparmor restart
> rcsmb restart

Yes, I restarted everything, but with apparmor 2.7 it didn't work.
Comment 29 Christian Boltz 2012-02-01 16:37:07 UTC
Thanks for your feedback.

OK, then this bug stays "fixed" for >= 12.1 - and "wontfix" for 11.4 (with comment #25 method a) as workaround).
Comment 30 Norbert Hornyak 2012-02-01 17:16:29 UTC
And why not fix in 11.4?
Comment 31 Christian Boltz 2012-02-01 19:38:08 UTC
(In reply to comment #30)
> And why not fix in 11.4?

Because (AFAIK) the samba package in 11.4 does not contain the script to generate the AppArmor snippet - you got it only because you use the samba:stable repo. In other words: this would be a bigger change (basically introducing a new feature) in multiple packages. IMHO it's a bit too late for new features in 11.4 ;-) (but if you really want it, you can always do a SR to openSUSE:11.4:Update:Test and point to this bugreport)
Comment 32 Norbert Hornyak 2012-02-01 20:56:42 UTC
(In reply to comment #31)
> Because (AFAIK) the samba package in 11.4 does not contain the script to
> generate the AppArmor snippet

I think this is the problem... AppArmor is delivered (and installed by default?) with 11.4 and has a profile for samba too, but if you install and want to use samba, it isn't working.
Comment 33 Jeff Mahoney 2012-02-01 21:00:00 UTC
For 11.4 (and every release prior), this is the case. It will also be true of *any* file serving daemon, simply because you can export anything on the file system through them. That is fundamentally opposite to the premise of a tool like AppArmor, which wants to restrict access to the file system.

The Samba profile has *always* needed to be modified. It's just that in 12.1 we've included a tool to do it automatically.

For prior releases, it would be a post-release enhancement, which is against the openSUSE update policies.
Comment 34 Norbert Hornyak 2012-02-01 21:07:09 UTC
Yeah, you are right.

But I tried to add the access to the shared directory (/srv/samba-share/** rwkl) manually for smbd, and it did not help.
No need to create these rules automatically, but if I add them manually, it should work.
Comment 35 Norbert Hornyak 2012-02-01 21:38:45 UTC
Ehm :)
So, I checked what is in /etc/apparmor.d/local/usr.sbin.smbd-shares file...

Nobody asked me what rules I added. The error was caused by a missing rule:
/srv/samba-share/ rl

I thought that /srv/samba-share/** contained the permission for this directory too. I have now downgraded samba and apparmor to the 11.4 oss repo version, then fixed the rules, and everything works fine.
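The lesson of this comment can be checked mechanically instead of by trial and error. What follows is an added example, not part of AppArmor or of the samba package: it parses plain path rules from a local snippet, translates the AppArmor globs to regular expressions (a simplification of what apparmor_parser does, on the assumption that "*" stays inside one path component, "**" also crosses "/", and either one directly after "/" must match at least one character), and reports which audit.log denials, including complain-mode ALLOWED lines like the one in comment #23, the rules would still leave uncovered. The names uncovered_denials, parse_rules, glob_to_regex and RULES are the example's own; the first audit line is the one quoted in comment #26, the second is constructed.

```python
"""Check which AppArmor denials for smbd a set of path rules would cover.

Added example for this bug report; it is neither part of AppArmor nor of the
samba package.  The glob-to-regex translation is a simplification of what
apparmor_parser does and assumes these rules: "*" matches within one path
component, "**" also crosses "/", and directly after a "/" both must match at
least one character.  That last rule is why "/srv/samba-share/** rwkl," does
not cover the directory "/srv/samba-share/" itself, the missing rule found in
comment #35.  Audit masks a, c and d (append, create, delete) are treated as
covered by a "w" rule, which is also a simplification.
"""
import re

# Constructed sample: the rule from comment #34 and two audit lines.  The
# first audit line is the one quoted in comment #26; the second is made up.
RULES = ["/srv/samba-share/** rwkl,"]
AUDIT_LINES = [
    'type=1400 audit(1328005157.152:357): apparmor="DENIED" operation="open" '
    'parent=15544 profile="/usr/sbin/smbd" name="/srv/samba-share/" pid=15640 '
    'comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000',
    'type=1400 audit(1328005158.000:358): apparmor="DENIED" operation="open" '
    'parent=15544 profile="/usr/sbin/smbd" name="/srv/samba-share/docs/readme.txt" '
    'pid=15640 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=1000',
]

RULE_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s+([a-zA-Z]+)\s*,\s*$')
AUDIT_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
MASK_TO_PERM = {"a": "w", "c": "w", "d": "w"}


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            parts.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(rule_lines):
    """Return (compiled glob, permission set) for every plain path rule;
    comments, #include lines and other rule types are skipped."""
    rules = []
    for line in rule_lines:
        m = RULE_RE.match(line)
        if m:
            path = m.group(1) if m.group(1) is not None else m.group(2)
            rules.append((glob_to_regex(path), set(m.group(3))))
    return rules


def granted(rules, path):
    """Permissions accumulate over all rules whose glob matches the path."""
    perms = set()
    for regex, rule_perms in rules:
        if regex.match(path):
            perms |= rule_perms
    return perms


def uncovered_denials(rule_lines, audit_lines):
    """List (path, missing permissions) for every DENIED (or complain-mode
    ALLOWED) audit line that the rules do not satisfy."""
    rules = parse_rules(rule_lines)
    missing = []
    for line in audit_lines:
        fields = dict(AUDIT_FIELD_RE.findall(line))
        if fields.get("apparmor") not in ("DENIED", "ALLOWED") or "name" not in fields:
            continue
        needed = {MASK_TO_PERM.get(c, c) for c in fields.get("denied_mask", "")}
        lacking = needed - granted(rules, fields["name"])
        if lacking:
            missing.append((fields["name"], "".join(sorted(lacking))))
    return missing


if __name__ == "__main__":
    for path, perms in uncovered_denials(RULES, AUDIT_LINES):
        print("missing: %s %s" % (path, perms))
    # the extra rule for the directory itself closes the gap
    print(uncovered_denials(RULES + ["/srv/samba-share/ rl,"], AUDIT_LINES))
```

With the "**" rule alone the check reports /srv/samba-share/ as lacking r while the file below it is covered; once "/srv/samba-share/ rl," is added, nothing is reported.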
Comment 36 Christian Boltz 2012-02-02 18:33:15 UTC
(In reply to comment #35)
> So, I checked what is in /etc/apparmor.d/local/usr.sbin.smbd-shares file...

If you use a samba package that updates this file (in other words: a package from the samba:* repo), you can just add an include rule to the smbd profile to include local/usr.sbin.smbd-shares.

> Nobody asked me what rules I added. The error caused by a missing rule:
> /srv/samba-share/ rl

;-)