Apparmor profile in 22.04 jammy - fails to start when printing enabled

[Impact]

Users who have:
a) opted in to confining samba with apparmor (by installing apparmor-profiles); and
b) changed the usr.sbin.smbd and samba-bgqd apparmor profiles to enforce mode;

will experience an error in starting the smbd service in jammy:

[2022/08/25 16:04:05.848067, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
  exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13

This "printing subsystem" is actually a new daemon called samba-bgqd. This errors prevents "smbd" from starting.

The reason it failed to start is that this binary is installed on a different path than what is allowed in the samba apparmor profiles, and as a result its execution is denied.

The chosen fix for this is to change the path of samba-bgqd in the samba apparmor profiles to match where it is actually being installed in the jammy packaging. Changing the actual path in the samba packaging would be a more invasive fix.

In kinetic and later, the installation path of samba-bgqd was changed instead, and requires no changes to the apparmor profiles.

However, once the path in the apparmor profiles was fixed for jammy, another error comes up which also requires an apparmor change. samba-bgqd is using locking when opening the *.tdb files in /run/samba, and that requires an extra "k" flag to apparmor rules that cover that directory and its tdb files.

This bug doesn't affect jammy samba users by default, as they have to complete steps (a) and (b) from above to be impacted. Therefore, on its own, this bug does not warrant an SRU, and we are using the block-proposed-jammy tag to prevent its release until such time when another more SRU-worthy apparmor bug is fixed for Jammy.

[Test Plan]

Make a container for testing:

$ lxc launch ubuntu-daily:jammy jammy-test
$ lxc shell jammy-test

Install the needed packages in this order, with two separate commands:L
# apt update
# apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
# apt install samba smbclient cups cups-client

Confirm that you have smbd and samba-bgqd processes confined and in complain mode (check first column):
# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep

smbd (complain) 2432 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2434 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (complain) 2435 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd (complain) 2436 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

Change the samba profiles to enforce mode:
# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.

Restart smbd:
# systemctl restart smbd

systemctl won't complain, but smbd failed to start:
# ps faxZ | grep smbd | grep -v grep
#

# tail -2 /var/log/samba/log.smbd
[2022/09/09 18:20:35.200901, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
  exit_daemon: daemon failed to start: Samba failed to init printing subsystem, error code 13

And dmesg on the *host* (not the container) will log a few DENIED messages like this:
[sex set 9 15:20:30 2022] audit: type=1400 audit(1662747635.194:10356): apparmor="DENIED" operation="exec" namespace="root//lxd-jammy-test_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=994396 comm="smbd" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000

After installing the fixed package (and accepting the dpkg conf prompt changes), the new profile will be loaded in complain mode again. So let's put it in enforce mode one more time:

# aa-enforce /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/samba-bgqd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
Setting /etc/apparmor.d/samba-bgqd to enforce mode.

Restart:
# systemctl restart smbd

And confirm that smbd and samba-bgqd are running this time, and in enforce mode:

# ps faxZ | grep -E "(smbd|bgqd)" | grep -v grep
avahi-daemon (complain) 4363 ? Ss 0:00 avahi-daemon: running [j-samba-bgqd-apparmor.local]
smbd (enforce) 6734 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6736 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
smbd (enforce) 6737 ? S 0:00 \_ /usr/sbin/smbd --foreground --no-process-group
samba-bgqd (enforce) 6738 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=45 --parent-watch-fd=11 --debuglevel=0 -F

Now that the bgqd daemon is running, let's create an actual printer and interact with it:

First, set a password for the samba "root" user:
# printf "root\nroot\n" | sudo smbpasswd -a root

Create a fake printer:
# lpadmin -p testprinter -E -v /dev/null

Check it's there:
# lpstat -l -p testprinter

Add this section to the end of /etc/samba/smb.conf:
[testprinter]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes

Restart samba so we don't have to wait for it to pick up the changes:
systemctl restart smbd nmbd

Probe the printer via samba:
# rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output)

This is the test: confirm dmesg on the *host* has no apparmor DENIED events related to the rpcclient command above.

[Where problems could occur]
An apparmor update will impact all ubuntu users, regardless if they are using samba or not. One has to weigh this carefully with the importance of the bug that is being fixed.

This update will restart apparmor on the target system. All sorts of things can happen due to that:
- all apparmor profiles will be reloaded and reapplied
- if users have modified default profiles in /etc/apparmor.d/* (not inside local/*), they will get a dpkg conf prompt during this update
- in particular, users who have changed the samba profiles to be in enforce mode (via aa-enforce) will definitely get a dpkg conf prompt, because the samba profiles coming in via the apparmor-profiles package are in complain mode. This is good, actually, as it will raise awareness about the change the update is bringing
- if apparmor profile files have syntax mistakes, these will show up at this time, and might end up leaving a service that was confined before, unconfined after the update
- the "k" change is being done in abstractions/samba, instead of samba-bgqd specifically, because it already had a rule to allow "rw" access to *.tdb files in there. That abstraction is only included by other samba profiles at the moment, so the change seems contained, but one might argue that it would be best to add the explicit "k" rule to the samba-bgqd profile instead.

[Other information]

This fix alone does not warrant an apparmor SRU, therefore we are using the block-proposed-jammy tag so that the fix can be bundled with another future apparmor SRU.

Apparmor in Kinetic does not need the samba-bgqd path fix, but it might need the "k" locking one. We are waiting for an apparmor version update that will still happen in Kinetic to evaluate if some change will be needed there.

-------------------original report-------------------

See bug here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1191532

Fix was backported, but the path to samba-bgqd is wrong on 22.04.

Currently apparmor profile has it like this:
/usr/lib*/samba/samba-bgqd

When in fact 22.04 has it on /usr/lib/x86_64-linux-gnu/samba/samba-bgqd

Moreover, the dmesg output failed and it has showed that the 'k' flag is required for the *.tdb files within /etc/apparmor.d/abstractions/samba.