samba profile: missing rule for mkdir /var/cache/samba/printing

Bug #1993572 reported by Andreas Hasenack
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Low
Andreas Hasenack
Kinetic
Fix Committed
Low
Andreas Hasenack

Bug Description

[ Impact ]

Users who chose to:

a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba)

b) change the samba related profiles from complain (the default) to enforce mode

will find out that sharing a printing in samba and using it won't work.

In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug.

[ Test Plan ]

sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client

Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root

Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null

Check it's there:
sudo lpstat -l -p testprinter

Probe it via samba:
rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output, or even an error, doesn't matter)

Check dmesg and look for an apparmor ALLOWED message:
[497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000

With the updated package, there should be no apparmor message for samba-rpcd-spoolss.

NOTE: since, for this test, we are not switching the apparmor profile to enforce mode, this means that the mkdir attempted by rpcd_spoolss will succeed, and if you try the rpcclient command one more time, there will be no further apparmor messages about it in the logs.

[ Where problems could occur ]

This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard.

Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing.

What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully).

[ Other Info ]
Not at this time.

[Original Description]

After the fix for bug #1990692, one more rule is needed it seems.

I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message:

Prep:
sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client

Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root

Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null

Check it's there:
sudo lpstat -l -p testprinter

$ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000

And indeed, that directory wasn't created:
$ l /var/cache/samba/printing
ls: cannot access '/var/cache/samba/printing': No such file or directory
$ l /var/cache/samba/
total 16K
drwxr-xr-x 1 root root 48 Oct 19 17:42 .
drwxr-xr-x 1 root root 170 Oct 19 17:41 ..
-rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat
-rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

Related branches

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This looks like is enough to address it:

--- samba-rpcd-spoolss.orig 2022-10-19 17:48:42.767775584 +0000
+++ samba-rpcd-spoolss 2022-10-19 17:47:50.527693050 +0000
@@ -18,6 +18,7 @@

   /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
   /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+ /var/cache/samba/printing/ rw,
   /var/cache/samba/printing/*.tdb rwk,
   @{run}/samba/samba-bgqd.pid rk,

summary: - Missing rule for mkdir /var/cache/samba/printing
+ samba profile: missing rule for mkdir /var/cache/samba/printing
description: updated
Revision history for this message
Christian Boltz (cboltz) wrote :

Based on your DENIED message, I wonder if read (= directory listing) permissions are really needed, or if

    /var/cache/samba/printing/ w, # without r

would be enough. Can you please test and report back?

description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

    /var/cache/samba/printing/ w, # without r,

Just "r" was enough indeed!

Revision history for this message
Christian Boltz (cboltz) wrote :

Typo? I'd expect 'Just "w" is enough' ;-)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Er, correct, just "w" is enough :)

Revision history for this message
Christian Boltz (cboltz) wrote :
Changed in apparmor (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
Changed in apparmor (Ubuntu Kinetic):
importance: Undecided → Critical
importance: Critical → Undecided
status: New → In Progress
importance: Undecided → Wishlist
importance: Wishlist → Low
Changed in apparmor (Ubuntu):
importance: Undecided → Low
Changed in apparmor (Ubuntu Kinetic):
assignee: nobody → Andreas Hasenack (ahasenack)
tags: added: block-proposed-kinetic
description: updated
description: updated
description: updated
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.7-1ubuntu4

---------------
apparmor (3.0.7-1ubuntu4) lunar; urgency=medium

  * d/p/u/samba-rpcd-spoolss.patch: fix samba-rpcd-spoolss apparmor
    profile (LP: #1993572)

 -- Andreas Hasenack <email address hidden> Wed, 23 Nov 2022 14:47:14 -0300

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted apparmor into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/3.0.7-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apparmor (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apparmor/3.0.7-1ubuntu2.1)

All autopkgtests for the newly accepted apparmor (3.0.7-1ubuntu2.1) for kinetic have finished running.
The following regressions have been reported in tests triggered by the package:

firejail/0.9.70-1ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/kinetic/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.