Accepting request 1152898 from home:npower:branches:security:apparmor

- Add smbd-unix_chkpwd.diff to allow smbd to execute unix_chkpwd and fix other pam related denies; (boo#1220032). OBS-URL: https://build.opensuse.org/request/show/1152898 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=398
2024-02-29 20:44:35 +00:00 · 2024-02-29 20:44:35 +00:00 · 8cf3c6a617
commit 8cf3c6a617
parent 9041844394
3 changed files with 42 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb 27 14:26:58 UTC 2024 - Noel Power <nopower@suse.com>
+
+- Add smbd-unix_chkpwd.diff to allow smbd to execute
+  unix_chkpwd and fix other pam related denies; (boo#1220032).
+
 -------------------------------------------------------------------
 Mon Feb 26 17:25:58 UTC 2024 - Ludwig Nussel <lnussel@suse.com>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -98,6 +98,10 @@ Patch9:         dovecot-unix_chkpwd.diff
 # abstractions/openssl: allow version specific engdef & engines paths (boo#1219571)
 Patch10:        apparmor-abstractions-openssl-allow-version-specific-en.patch

+# allow smbd to execute unix_chkpwd (boo#1220032)
+# https://gitlab.com/apparmor/apparmor/-/merge_requests/1159
+Patch11:        smbd-unix_chkpwd.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@ -367,6 +371,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %endif
 %patch -P 9 -p1
 %patch -P 10 -p1
+%patch -P 11 -p1

 %build
 export SUSE_ASNEEDED=0
--- a/smbd-unix_chkpwd.diff
+++ b/smbd-unix_chkpwd.diff
@ -0,0 +1,31 @@
+Index: apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
+===================================================================
+--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
+@@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd {
+   /etc/samba/* rwk,
+   @{PROC}/@{pid}/mounts r,
+   @{PROC}/sys/kernel/core_pattern r,
+  /usr/etc/environment r,
+  /usr/etc/security/limits.d/ r,
+  /usr/etc/security/limits.d/*.conf  r,
+   /usr/lib*/samba/vfs/*.so mr,
+   /usr/lib*/samba/auth/*.so mr,
+   /usr/lib*/samba/charset/*.so mr,
+@@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd {
+   /usr/share/samba/** r,
+   /usr/{bin,sbin}/smbd mr,
+   /usr/{bin,sbin}/smbldap-useradd Px,
+  /usr/sbin/unix_chkpwd Px,
+   /var/cache/samba/** rwk,
+   /var/{cache,lib}/samba/printing/printers.tdb mrw,
+   /var/lib/nscd/netgroup r,
+@@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd {
+   @{run}/samba/ncalrpc/** rw,
+   /var/spool/samba/** rw,
+ 
+  owner /proc/@{pid}/loginuid r,
+
+   @{HOMEDIRS}/** lrwk,
+   /var/lib/samba/usershares/{,**} lrwk,
+