[apparmor] [patch] deny capability net_admin in abstractions/samba
Christian Boltz
apparmor at cboltz.de
Thu Aug 4 19:02:59 UTC 2016
Hello,
$subject.
quoting https://bugzilla.opensuse.org/show_bug.cgi?id=991901#c2
the net_admin DENIED error happens for smbd, winbind & nmb. This is
related to systemd and how samba communicates with it. Additionally,
that the operation is denied is not a problem imho, as the systemd code
handles the EPERM gracefully.
Briefly, all the samba daemons call 'become_daemon', see
https://git.samba.org/?p=samba.git;a=blob;f=lib/util/become_daemon.c;h=9979fad569d993aa982d4074761a62f45cc6e95b;hb=HEAD#l66
The sd_notifyf in that function ends up calling fd_inc_sndbuf, see
https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L404
https://github.com/systemd/systemd/blob/master/src/basic/socket-util.c#L754
and this results in the strace snippet as shown in comment #0.
I propose this patch for trunk, 2.10 and 2.9.
[ samba-deny-net_admin.diff ]
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2016-07-26 19:12:35 +0000
+++ profiles/apparmor.d/abstractions/samba 2016-08-04 18:57:31 +0000
@@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
+ deny capability net_admin,
+
/etc/samba/* r,
/usr/lib*/ldb/*.so mr,
/usr/share/samba/*.dat r,
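Review bot: the new `deny capability net_admin,` line in this hunk carries no comment, and since AppArmor deny rules take precedence over allow rules, a deny placed in a shared abstraction can never be overridden by a profile that includes abstractions/samba. The reason it is safe (the EPERM comes from sd_notifyf()'s fd_inc_sndbuf() setsockopt call, which systemd handles gracefully, as documented in the bugzilla comment quoted above) lives only in this mail, not in the file. Suggest adding a comment above the rule, e.g. `# systemd's sd_notify() tries to raise the socket send buffer, which needs net_admin; the EPERM is handled gracefully, so silence it (bsc#991901)`, so a later reader does not mistake it for a required restriction or spend time trying to re-grant net_admin in an including profile.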
Regards,
Christian Boltz
--
never touch a running system ---->
for windows: never touch the keyboard of a running system