Accepting request 970238 from security:apparmor

- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon which now will spawn new additional services on demand. We need to modify the existing smbd/winbind profiles and additionally add a new set of profiles to cater for the new functionality; (bnc#1198309); - Add samba_deny_net_admin.patch to add new rule to deny noisy setsockopt calls from systemd; (bnc#1196850). (forwarded request 970229 from npower) OBS-URL: https://build.opensuse.org/request/show/970238 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=168
2022-04-15 22:14:06 +00:00 · 2022-04-15 22:14:06 +00:00 · 6e38e3ea06
commit 6e38e3ea06
parent 7814fe9c5a c04137f806
4 changed files with 212 additions and 1 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Apr 13 13:38:29 UTC 2022 - Noel Power <nopower@suse.com>
+
+- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon
+  which now will spawn new additional services on demand. We need to
+  modify the existing smbd/winbind profiles and additionally add a
+  new set of profiles to cater for the new functionality;
+  (bnc#1198309);
+  
+-------------------------------------------------------------------
+Mon Apr 11 14:34:51 UTC 2022 - Noel Power <nopower@suse.com>
+
+- Add samba_deny_net_admin.patch to add new rule to deny
+  noisy setsockopt calls from systemd; (bnc#1196850).
+
 -------------------------------------------------------------------
 Sun Apr 10 13:08:56 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -88,7 +88,13 @@ Patch8:         update-usr-sbin-smbd.diff

 # add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870)
 Patch9:         zgrep-profile-mr870.diff
-
+# squash noisy setsockopt calls https://gitlab.com/apparmor/apparmor/-/merge_requests/867
+# bsc#1196850
+Patch10:        samba_deny_net_admin.patch
+# support for new dcerpcd subsytem in >= samba-4.16
+# https://gitlab.com/apparmor/apparmor/-/merge_requests/871
+# bsc#1198309
+Patch11:        samba-new-dcerpcd.patch
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -354,6 +360,8 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1

 %build
 %define _lto_cflags %{nil}
@ -584,6 +592,9 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
 %config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
 %config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
--- a/samba-new-dcerpcd.patch
+++ b/samba-new-dcerpcd.patch
@ -0,0 +1,173 @@
+Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
+===================================================================
+--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
+@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd {
+   /usr/lib*/samba/gensec/*.so mr,
+   /usr/lib*/samba/pdb/*.so mr,
+   /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
+   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
+   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
+   /usr/lib/@{multiarch}/samba/**/ r,
+Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
+===================================================================
+--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.winbindd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
+@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbind
+   /usr/lib*/samba/idmap/*.so mr,
+   /usr/lib*/samba/nss_info/*.so mr,
+   /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
+   /usr/{bin,sbin}/winbindd mr,
+   /var/cache/krb5rcache/* rwk,
+   /var/cache/samba/*.tdb rwk,
+Index: apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
+===================================================================
+--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
+@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd {
+  include <abstractions/samba-rpcd>
+
+  @{run}/samba/samba-dcerpcd.pid wk,
+
+  /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+  /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic,
+  /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-dcerpcd>
+}
+Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
+===================================================================
+--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
+@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+# This file contains basic permissions for samba rpcd_xyz services
+
+  abi <abi/3.0>,
+
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/samba>
+
+  capability setgid,
+  capability setuid,
+
+  signal receive set=term peer=smbd,
+
+  @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/samba-rpcd.d>
+
+Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
+===================================================================
+--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
+@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+  include <abstractions/samba-rpcd>
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd>
+}
+Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
+===================================================================
+--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
+@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic {
+  include <abstractions/samba-rpcd>
+  include <abstractions/wutmp>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-classic>
+}
+Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
+===================================================================
+--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
+@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss {
+  include <abstractions/samba-rpcd>
+
+  /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-spoolss>
+}
--- a/samba_deny_net_admin.patch
+++ b/samba_deny_net_admin.patch
@ -0,0 +1,12 @@
+Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
+===================================================================
+--- apparmor-3.0.4.orig/profiles/apparmor.d/abstractions/samba
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
+@@ -34,5 +34,7 @@
+   # required for clustering
+   /var/lib/ctdb/** rwk,
+ 
+  deny capability net_admin, # noisy setsockopt() calls from systemd
+
+   # Include additions to the abstraction
+   include if exists <abstractions/samba.d>