[apparmor] [patch] smbd profile needs capability sys_admin
Simon Deziel
simon.deziel at gmail.com
Wed Apr 13 19:04:39 UTC 2016
On 2016-04-13 02:23 PM, Steve Beattie wrote:
> On Sun, Mar 20, 2016 at 07:20:11PM +0100, Christian Boltz wrote:
>> smbd stores ACLs in the security.NTACL namespace, which means it needs
>> capability sys_admin.
>>
>> References: https://bugzilla.opensuse.org/show_bug.cgi?id=964971
>> http://samba-technical.samba.narkive.com/eHtOW8DE/nt-acls-using-the-security-namespace-for-ntacl-considered-improper
>>
>> I propose this patch for trunk, 2.10 and 2.9.
>>
>> [ profiles-smbd-cap-sys_admin.diff ]
>>
>> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
>> --- profiles/apparmor.d/usr.sbin.smbd 2015-02-28 20:35:18 +0000
>> +++ profiles/apparmor.d/usr.sbin.smbd 2016-02-11 17:51:14 +0000
>> @@ -17,6 +17,7 @@
>> capability net_bind_service,
>> capability setgid,
>> capability setuid,
>> + capability sys_admin, # needed to store ACLS in the security.NTACL namespace
>> capability sys_resource,
>> capability sys_tty_config,
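Review bot: the added `capability sys_admin,` rule is unconditional, so every smbd confined by this profile gets it, while the trailing comment gives only a terse reason. Expand the comment to say the capability is needed only when smbd stores NT ACLs in security.NTACL, reference https://bugzilla.opensuse.org/show_bug.cgi?id=964971 there, and say that sites not relying on this can deny it in the local include. Also spell "ACLS" as "ACLs" in the comment.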
>
> I really dislike this.

I don't like that either but I can't think of any good alternatives.
IMHO, AppArmor should be as transparent as possible. Breaking some
people's use cases is risking them turning off AppArmor completely.
Those that don't need/want this can always deny it via the local include.

> The sys_admin capability grants much too
> powerful stuff (e.g. the ability to load kernel modules, which can do
> whatever damage to in-kernel apparmor data structures they'd like),
> so essentially an unrestricted root level privilege.

Fortunately some of that can be (partly) mitigated if the administrator
knows how to disable module loading. Opt-in profiles like this one are,
I think/wish, generally deployed by people who know that.

That said, the upstream devs should be made aware of the dangers of
those super powers. If they care, maybe one day, we'll be able to
tighten up those profiles.

Regards,
Simon