c04137f806
- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon which now will spawn new additional services on demand. We need to modify the existing smbd/winbind profiles and additionally add a new set of profiles to cater for the new functionality; (bnc#1198309); - Add samba_deny_net_admin.patch to add new rule to deny noisy setsockopt calls from systemd; (bnc#1196850). OBS-URL: https://build.opensuse.org/request/show/970229 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=324
174 lines
6.0 KiB
Diff
174 lines
6.0 KiB
Diff
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
|
|
===================================================================
|
|
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
|
|
@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd {
|
|
/usr/lib*/samba/gensec/*.so mr,
|
|
/usr/lib*/samba/pdb/*.so mr,
|
|
/usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
|
|
+ /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
|
|
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
|
|
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
|
|
/usr/lib/@{multiarch}/samba/**/ r,
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
|
|
===================================================================
|
|
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.winbindd
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
|
|
@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbind
|
|
/usr/lib*/samba/idmap/*.so mr,
|
|
/usr/lib*/samba/nss_info/*.so mr,
|
|
/usr/lib*/samba/pdb/*.so mr,
|
|
+ /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
|
|
/usr/{bin,sbin}/winbindd mr,
|
|
/var/cache/krb5rcache/* rwk,
|
|
/var/cache/samba/*.tdb rwk,
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
|
|
@@ -0,0 +1,29 @@
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2022 SUSE LLC
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim:syntax=apparmor
|
|
+
|
|
+abi <abi/3.0>,
|
|
+
|
|
+include <tunables/global>
|
|
+
|
|
+profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd {
|
|
+ include <abstractions/samba-rpcd>
|
|
+
|
|
+ @{run}/samba/samba-dcerpcd.pid wk,
|
|
+
|
|
+ /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
|
|
+ /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic,
|
|
+ /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss,
|
|
+
|
|
+ @{run}/samba/ncalrpc/ rw,
|
|
+ @{run}/samba/ncalrpc/** rw,
|
|
+ # Site-specific additions and overrides. See local/README for details.
|
|
+ include if exists <local/samba-dcerpcd>
|
|
+}
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
|
|
@@ -0,0 +1,30 @@
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2022 SUSE LLC
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim:syntax=apparmor
|
|
+
|
|
+# This file contains basic permissions for samba rpcd_xyz services
|
|
+
|
|
+ abi <abi/3.0>,
|
|
+
|
|
+ include <abstractions/base>
|
|
+ include <abstractions/nameservice>
|
|
+ include <abstractions/samba>
|
|
+
|
|
+ capability setgid,
|
|
+ capability setuid,
|
|
+
|
|
+ signal receive set=term peer=smbd,
|
|
+
|
|
+ @{PROC}/sys/kernel/core_pattern r,
|
|
+ owner @{PROC}/@{pid}/fd/ r,
|
|
+
|
|
+ # Include additions to the abstraction
|
|
+ include if exists <abstractions/samba-rpcd.d>
|
|
+
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
|
|
@@ -0,0 +1,20 @@
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2022 SUSE LLC
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim:syntax=apparmor
|
|
+
|
|
+abi <abi/3.0>,
|
|
+
|
|
+include <tunables/global>
|
|
+
|
|
+profile samba-rpcd /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
|
|
+ include <abstractions/samba-rpcd>
|
|
+ # Site-specific additions and overrides. See local/README for details.
|
|
+ include if exists <local/samba-rpcd>
|
|
+}
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
|
|
@@ -0,0 +1,22 @@
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2022 SUSE LLC
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim:syntax=apparmor
|
|
+
|
|
+abi <abi/3.0>,
|
|
+
|
|
+include <tunables/global>
|
|
+
|
|
+profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic {
|
|
+ include <abstractions/samba-rpcd>
|
|
+ include <abstractions/wutmp>
|
|
+
|
|
+ # Site-specific additions and overrides. See local/README for details.
|
|
+ include if exists <local/samba-rpcd-classic>
|
|
+}
|
|
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
|
|
@@ -0,0 +1,23 @@
|
|
+# ------------------------------------------------------------------
|
|
+#
|
|
+# Copyright (C) 2022 SUSE LLC
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of version 2 of the GNU General Public
|
|
+# License published by the Free Software Foundation.
|
|
+#
|
|
+# ------------------------------------------------------------------
|
|
+# vim:syntax=apparmor
|
|
+
|
|
+abi <abi/3.0>,
|
|
+
|
|
+include <tunables/global>
|
|
+
|
|
+profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss {
|
|
+ include <abstractions/samba-rpcd>
|
|
+
|
|
+ /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
|
|
+
|
|
+ # Site-specific additions and overrides. See local/README for details.
|
|
+ include if exists <local/samba-rpcd-spoolss>
|
|
+}
|