This bug was fixed in the package apparmor - 3.0.3-0ubuntu4

---------------
apparmor (3.0.3-0ubuntu4) jammy; urgency=medium

  * d/p/u/samba-systemd-interaction.patch: allow smbd to interact with
    systemd (LP: #1952242):
    - allow notify access
    - allow specific /proc access
    - allow ptrace read

 -- Andreas Hasenack <andr...@canonical.com>  Mon, 29 Nov 2021 14:43:28 +0000

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  ubuntu jammy
  apparmor-profiles 3.0.3-0ubuntu3
  samba 2:4.13.5+dfsg-2ubuntu3

  smbd:
  Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  nmbd:
  Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon...
  Nov 25 14:59:26 jammy-samba-apparmor kernel: [ 196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=12 capname="net_admin"

  The systemd notify one for smbd was first fixed for nmbd in
  https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd,
  but smbd was missed.

  net_admin might be https://github.com/systemd/systemd/pull/10085, I
  didn't check if jammy's systemd has that patch (it should, since it's
  old).
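
Added example, not part of the bug report or of the AppArmor project's code: a Python script that reads the audit records quoted in the report and derives candidate profile rules from them, which is the review step that precedes a profile patch like the one in the changelog. The function names are assumptions made for this illustration, only the capability, ptrace and file-path records seen in this report are handled, and the emitted rules are candidates for review, not the contents of samba-systemd-interaction.patch.

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above (syslog prefix trimmed).
SAMPLE_LOG = """\
audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin"
audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def candidate_rule(rec):
    """Map one record to a profile rule for a reviewer to accept or reject."""
    op = rec.get("operation")
    if op == "capable":
        return f"capability {rec['capname']},"
    if op == "ptrace":
        return f"ptrace ({rec['denied_mask']}) peer={rec['peer']},"
    if "name" in rec and "denied_mask" in rec:
        return f"{rec['name']} {rec['denied_mask']},"
    return None  # operation kind not handled in this example

def rules_by_profile(log_text):
    """Group de-duplicated candidate rules under the profile that logged them."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # ALLOWED = complain mode, DENIED = enforce mode; both mean no rule matched.
        if not rec or rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        rule = candidate_rule(rec)
        if rule and rule not in out[rec["profile"]]:
            out[rec["profile"]].append(rule)
    return dict(out)

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for r in rules:
            print(f"  {r}")
```

Each candidate still needs a least-privilege decision before it goes into a profile: a read of /proc/1/environ or a ptrace read against an unconfined peer is worth granting only as narrowly as the daemon requires.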