pool/apparmor
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 925557 from security:apparmor

Browse Source 
- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532)

OBS-URL: https://build.opensuse.org/request/show/925557
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=158
This commit is contained in:
Dominique Leuenberger 2021-10-19 21:03:30 +00:00 committed by Git OBS Bridge
commit a0d7871c36
3 changed files with 71 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
add-samba-bgqd.diff Normal file
View File

@ -0,0 +1,61 @@
commit 85e53a5d040cdf3f7705da9e625b85041694aa4c
Author: Christian Boltz <apparmor@cboltz.de>
Date: Fri Oct 15 22:02:36 2021 +0200
Add profile for samba-bgqd
... and some rules in the smbd profile to execute it and send it a term
signal.
samba-bgqd is (quoting its manpage) "an internal helper program
performing asynchronous printing-related jobs."
samba-bgqd was added in Samba 4.15.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
diff --git a/profiles/apparmor.d/samba-bgqd b/profiles/apparmor.d/samba-bgqd
new file mode 100644
index 00000000..c81c64f1
--- /dev/null
+++ b/profiles/apparmor.d/samba-bgqd
@@ -0,0 +1,18 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-bgqd /usr/lib*/samba/samba-bgqd {
+ include <abstractions/base>
+ include <abstractions/cups-client>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+
+ signal receive set=term peer=smbd,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{run}/samba/samba-bgqd.pid wk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-bgqd>
+}
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index 92305564..b8fdad15 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,6 +24,8 @@ profile smbd /usr/{bin,sbin}/smbd {
capability sys_resource,
capability sys_tty_config,
+ signal send set=term peer=samba-bgqd,
+
/etc/mtab r,
/etc/netgroup r,
/etc/printcap r,
@@ -35,6 +37,7 @@ profile smbd /usr/{bin,sbin}/smbd {
/usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/gensec/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
/usr/lib/@{multiarch}/samba/**/ r,

5
apparmor.changes
View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Oct 15 20:22:11 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532)
-------------------------------------------------------------------
Sat Sep 18 13:16:35 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>

5
apparmor.spec
View File

@ -81,6 +81,9 @@ Patch6: apache-extra-profile-include-if-exists.diff
# update abstractions/python and profiles for python 3.10 (submitted upstream 2021-08-11 https://gitlab.com/apparmor/apparmor/-/merge_requests/783)
Patch7: profiles-python-3.10-mr783.diff
# add samba-bgqd profile (submitted upstream 2021-10-15 https://gitlab.com/apparmor/apparmor/-/merge_requests/807)
Patch8: add-samba-bgqd.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -344,6 +347,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch4
%patch5
%patch7 -p1
%patch8 -p1
%build
%define _lto_cflags %{nil}
@ -571,6 +575,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir /usr/share/apparmor/
%if %{with precompiled_cache}