Ubuntu
apparmor package

  1. Kinetic (22.10)
  2. Bug #1993572
  3. Activity log

Activity log for bug #1993572

Date Who What changed Old value New value Message
2022-10-19 17:46:12 Andreas Hasenack bug added bug
2022-10-19 17:46:22 Andreas Hasenack summary Missing rule for mkdir /var/cache/samba/printing samba profile: missing rule for mkdir /var/cache/samba/printing
2022-10-21 20:13:22 Andreas Hasenack description After the fix for #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final command, got an error and an apparmor denied message: $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final command, got an error and an apparmor denied message: $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
2022-10-26 20:31:52 Andreas Hasenack description After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final command, got an error and an apparmor denied message: $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
2022-11-23 15:02:54 Andreas Hasenack nominated for series Ubuntu Kinetic
2022-11-23 15:02:54 Andreas Hasenack bug task added apparmor (Ubuntu Kinetic)
2022-11-23 17:47:57 Andreas Hasenack apparmor (Ubuntu): assignee Andreas Hasenack (ahasenack)
2022-11-23 17:48:00 Andreas Hasenack apparmor (Ubuntu): status New In Progress
2022-11-23 18:30:38 Andreas Hasenack apparmor (Ubuntu Kinetic): importance Undecided Critical
2022-11-23 18:30:41 Andreas Hasenack apparmor (Ubuntu Kinetic): importance Critical Undecided
2022-11-23 18:31:22 Andreas Hasenack apparmor (Ubuntu Kinetic): status New In Progress
2022-11-23 18:31:25 Andreas Hasenack apparmor (Ubuntu Kinetic): importance Undecided Wishlist
2022-11-23 18:31:28 Andreas Hasenack apparmor (Ubuntu Kinetic): importance Wishlist Low
2022-11-23 18:31:30 Andreas Hasenack apparmor (Ubuntu): importance Undecided Low
2022-11-23 18:31:32 Andreas Hasenack apparmor (Ubuntu Kinetic): assignee Andreas Hasenack (ahasenack)
2022-11-23 18:32:06 Andreas Hasenack tags block-proposed-kinetic
2022-11-23 18:55:14 Andreas Hasenack description After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
2022-11-23 19:17:52 Andreas Hasenack description [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter Probe it via samba: rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
2022-11-23 19:18:23 Andreas Hasenack description [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter Probe it via samba: rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter Probe it via samba: rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output, or even an error, doesn't matter) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
2022-11-23 19:21:52 Andreas Hasenack description [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter Probe it via samba: rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output, or even an error, doesn't matter) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter Probe it via samba: rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output, or even an error, doesn't matter) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 With the updated package, there should be no apparmor message for samba-rpcd-spoolss. NOTE: since, for this test, we are not switching the apparmor profile to enforce mode, this means that the mkdir attempted by rpcd_spoolss will succeed, and if you try the rpcclient command one more time, there will be no further apparmor messages about it in the logs. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
2022-11-23 19:25:19 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apparmor/+git/apparmor/+merge/433541
2022-11-23 19:25:47 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/apparmor/+git/apparmor/+merge/433542
2022-12-04 17:14:20 Launchpad Janitor apparmor (Ubuntu): status In Progress Fix Released
2023-03-03 20:36:38 Steve Langasek apparmor (Ubuntu Kinetic): status In Progress Fix Committed
2023-03-03 20:36:39 Steve Langasek bug added subscriber Ubuntu Stable Release Updates Team
2023-03-03 20:36:41 Steve Langasek bug added subscriber SRU Verification
2023-03-03 20:36:44 Steve Langasek tags block-proposed-kinetic block-proposed-kinetic verification-needed verification-needed-kinetic