[apparmor] [patch] Samba profile updates

Steve Beattie steve at nxnw.org
Fri Aug 26 21:50:25 UTC 2011 

On Sun, Aug 21, 2011 at 05:33:06PM +0200, Christian Boltz wrote:
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: apparmor-profiles: Add samba config files
> References: bnc#679182 bnc#666450
> 
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
> 
> - updated to match trunk
> - added changed path to nmbd profile (/var/cache/samba has moved to 
>   /var/lib/samba on (at least) openSUSE 11.4), bnc#679182#c8
>   For backward compability, it also allows /var/spool/samba.
> - Note: The smbd profile already contains both locations.
> by Christian Boltz <apparmor at cboltz.de>
> 
> 
> === modified file 'profiles/apparmor.d/abstractions/samba'
> --- profiles/apparmor.d/abstractions/samba	2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/abstractions/samba	2011-08-21 15:18:51 +0000
> @@ -9,11 +9,11 @@
>  #
>  # ------------------------------------------------------------------
>  
> -  /etc/samba/smb.conf r,
> +  /etc/samba/* r,
>    /usr/share/samba/*.dat r,
>    /var/lib/samba/**.tdb rwk,
>    /var/log/samba/cores/ rw,
> -  /var/log/samba/cores/* w,
> +  /var/log/samba/cores/* rw,

On Ubuntu, there are subdirs smbd, nmbd, and winbindd. Perhaps either
per-daemon rules or /var/log/samba/cores/** is appropriate?

(That said, I don't know what the cores subdirs are used for.)

>    /var/log/samba/log.* w,
>    /{,var/}run/samba/*.tdb rw,
>  
> 
> === modified file 'profiles/apparmor.d/usr.sbin.nmbd'
> --- profiles/apparmor.d/usr.sbin.nmbd	2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.sbin.nmbd	2011-08-21 15:21:01 +0000
> @@ -8,10 +8,11 @@
>    capability net_bind_service,
>  
>    /usr/sbin/nmbd mr,
> -  /var/cache/samba/browse.dat* rw,
> -  /var/lib/samba/wins.dat* rw,
> -  /{,var/}run/samba/** rk,
> +  /var/{cache,lib}/samba/browse.dat* rw,
> +  /var/{cache,lib}/samba/wins.dat* rw,
> +  /{,var/}run/samba/** rwk,
>    /{,var/}run/samba/nmbd.pid rw,

Might as well drop the /{,var/}run/samba/nmbd.pid rw, since it's a
subset of the /{,var/}run/samba/** rwk, rule.

> +  /var/log/samba/cores/ rw,

Should this not go into abstractions/samba?

>    /var/log/samba/cores/nmbd/ rw,
>    /var/log/samba/cores/nmbd/** rw,

See above comment on the cores/ dir in the samba abstraction.

> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd	2011-07-14 12:57:57 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd	2011-08-21 15:17:56 +0000
> @@ -20,6 +20,9 @@
>    /etc/printcap r,
>    /proc/*/mounts r,
>    /usr/sbin/smbd mr,
> +  /etc/samba/* rwk,

Err, this covers the following two additions.

> +  /etc/samba/passdb.tdb rwk,
> +  /etc/samba/secrets.tdb rwk,

That said, on Ubuntu (11.04 anyway), these are located in
/var/lib/samba/, but...

>    /var/cache/samba/** rwk,
>    /var/cache/samba/printing/printers.tdb mrw,
>    /var/lib/samba/** rwk,

they're covered by the above rule.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110826/f7609594/attachment.pgp>

More information about the AppArmor mailing list