action #23652

create apparmor profiles for samba ad components

Added by flacco almost 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Urgent
Assignee: -
Category: -
Target version: -
Start date: 2017-08-25
Due date: 2017-09-09
% Done: 100%
Estimated time: -

Description

At frOSCon 12 we started to build new apparmor profiles for samba_ad.

These profiles are added to the invis-server setup package but not yet ready. With these profiles samba starts as expected, but joining the domain with a computer for example didn't work.

In contrast to samba "classic" there is one new daemon called samba which starts a lot of subprocesses like smbd and winbindd. This new daemon substitutes the classic single daemons like "smbd" and "nmbd". Their apparmor profiles didn't work for samba with active directory.

This job is a showstopper for our new 13.0 release. We have to decide if we fix this immediately or release the 13.0 without activated apparmor.

History

#1 Updated by flacco almost 5 years ago

  • Category set to Developement

#2 Updated by flacco almost 5 years ago

  • Due date set to 2017-09-01

#3 Updated by flacco almost 5 years ago

  • % Done changed from 10 to 30

Samba Profiles renewed. Joining the AD domain works now.

#4 Updated by flacco almost 5 years ago

  • % Done changed from 30 to 40

New apparmor profiles for sssd added, apparmor profiles for samba AD renewed.

#5 Updated by flacco almost 5 years ago

  • Due date changed from 2017-09-01 to 2017-09-09
  • Status changed from New to In Progress
  • % Done changed from 40 to 80

It seems that samba AD and sssd are now working with activated apparmor. Now we should test it for a while.

#6 Updated by flacco almost 5 years ago

  • % Done changed from 80 to 90

#7 Updated by cboltz almost 5 years ago

Did you need to add more rules to the smbd, nmbd or winbindd profile or one of the abstractions (besides what we added at FrOSCon)? If yes, please tell me so that I can integrate it in the official profiles/abstractions.

I might be able to do AppArmor maintenance updates with the updated profiles (and some other fixes). For this, knowing your schedule (when do you need the updated packages?) would be helpful ;-) (getting upstream maintenance releases usually takes some days, and the openSUSE maintenance process typically needs two weeks)

Also, if you want a review of the added profiles, tell me where I can find them ;-)

#8 Updated by flacco almost 5 years ago

  • Target version set to 13.0

#9 Updated by flacco almost 5 years ago

cboltz wrote:

Did you need to add more rules to the smbd, nmbd or winbindd profile or one of the abstractions (besides what we added at FrOSCon)? If yes, please tell me so that I can integrate it in the official profiles/abstractions.

I've added two new profiles "sssd" and "sssd_be". They are still "work in progress"....

I might be able to do AppArmor maintenance updates with the updated profiles (and some other fixes). For this, knowing your schedule (when do you need the updated packages?) would be helpful ;-) (getting upstream maintenance releases usually takes some days, and the openSUSE maintenance process typically needs two weeks)

Also, if you want a review of the added profiles, tell me where I can find them ;-)

You find our profiles in github: https://github.com/invisserver/invisAD-setup/tree/master/usr/share/sine/templates/samba_ad/apparmor

It would be nice, if you can have a look on it.

We don't have a fixed schedule for this. At the moment we install our profiles out of our invisAD-setup RPM by just copying them from our template directory to /etc/apparmor.d. If they are ready we can bring them upstream.

Thank you for your support.

Stefan

#10 Updated by flacco almost 5 years ago

  • Assignee set to flacco

#11 Updated by cboltz almost 5 years ago

The changes to existing profiles are (compared to what AppArmor bzr contains):

ntpd

+  /var/lib/sss/mc/initgroups r,

(covered by the upstream change in abstractions/nameservice, so you can drop the custom ntpd profile when the updated abstraction gets shipped)

smbd

+  /dev/urandom rw,
+  /usr/lib{,32,64}/** mr,
+  /var/lib/sss/mc/initgroups r,

writing to /dev/urandom surprises me - any idea why this could be done?

The /usr/lib{,32,64}/** mr, addition looks too broad to me. Can you please remove it and use more specific rules? (It's easy to merge multiple rules using a wildcard later, but making an overly broad rule more restrictive is close to impossible.)

sss/mc/initgroups is covered by the updated abstractions/nameservice

nmbd

matches the latest upstream profile

winbindd

+  /usr/lib{,32,64}/** mr,
-  /usr/lib*/samba/gensec/krb*.so mr,

Again, /usr/lib{,32,64}/** mr, looks too broad. Can you please remove it and use more specific rules? (Re-adding the deleted gensec/krb*.so rule might save you some log events ;-)

added profiles

I only had a quick look at the new profiles, so please take the following more as impressions, not as a full review:

sssd_be

/usr/lib{,32,64}/** mr,

too broad, see above

samba_dnsupdate

 /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so} mrw,

I'd recommend to remove this rule. mr is covered by abstractions/python, and samba_dnsupdate shouldn't be allowed to write those files. (Better open a bugreport about the *.pyc write attempts, it generally points to missing python cache files in the package.)

samba_kcc

/usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so} mrw,
/tmp/* w,
/var/tmp/* w,

For the python files, see above.

For /tmp/ and /var/tmp/, two notes:

  • if there is a filename pattern (for example /tmp/samba_kcc_*), then use it instead of just *
  • rules for world-writeable directories should have the owner conditional whenever possible -> owner /tmp/* w,

sssd

/usr/lib/sssd/sssd_be px,
/usr/lib{,32,64}/** mr,

Do you really need to preserve environment variables in this exec? Otherwise please use Px.

Also, we have the overly broad /usr/lib{,32,64}/** mr, rule again.
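The following is an added example, not code from the invisAD-setup repository or from the review above. It shows what the review's three recommendations (narrow rules instead of /usr/lib{,32,64}/** mr, owner-restricted and prefixed temp-file rules, and Px instead of px) look like when applied to the kind of profiles discussed in this issue, and how the parent samba daemon described in the issue can hand off to the existing smbd and winbindd profiles. All paths, the /tmp/samba_kcc_* filename pattern, and the set of abstractions are assumptions for illustration; the real rules have to come from the DENIED events logged on the target system.

```apparmor
# Added example (not the project's own profiles). Paths are assumed.
#include <tunables/global>

# Parent daemon that spawns the classic daemons as subprocesses. Px hands
# each child to its own profile with a scrubbed environment, so the
# existing smbd/winbindd profiles are reused instead of duplicated.
/usr/sbin/samba {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>

  /usr/sbin/samba mr,
  /usr/sbin/smbd Px,
  /usr/sbin/winbindd Px,
  # (assumed) helper scripts run by the AD daemon get their own profiles
  /usr/sbin/samba_dnsupdate Px,
  /usr/sbin/samba_kcc Px,
}

/usr/sbin/samba_kcc {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/python>

  /usr/sbin/samba_kcc r,

  # Weak form from the review:   /usr/lib{,32,64}/** mr,
  # Narrowed form: only the module trees the tool actually loads
  # (assumed directories; widen only after seeing a DENIED event).
  /usr/lib{,32,64}/samba/**.so mr,
  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/site-packages/samba/**.so mr,

  # Weak form from the review:   /usr/lib{,32,64}/python*/**.{pyc,so} mrw,
  # Dropped entirely: abstractions/python already grants mr, and a tool
  # has no business writing compiled modules shared with other programs.

  # Weak form from the review:   /tmp/* w,
  # Narrowed form: owner conditional plus a filename prefix (prefix assumed).
  owner /tmp/samba_kcc_* rw,
  owner /var/tmp/samba_kcc_* rw,
}

/usr/sbin/sssd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /usr/sbin/sssd mr,
  # px would preserve sssd's environment for the child; Px scrubs it.
  # Use px only when sssd_be demonstrably needs inherited variables.
  /usr/lib/sssd/sssd_be Px,
}
```

To try a narrowed profile without breaking the service, load it in complain mode first (`aa-complain /etc/apparmor.d/usr.sbin.samba_kcc`), exercise the workflows named later in this issue (domain join, share access), and read the resulting `apparmor="ALLOWED"` audit events with `aa-logprof` before switching to enforce mode with `aa-enforce`. Every wildcard that survives this step should be one you can explain from a logged path.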

#12 Updated by flacco almost 5 years ago

Hi Christian,

thanks a lot for your input. I'll try to implement your suggestions. Apparmor is very new for me, but your objections sound reasonable. I'll let you know if I have further questions.

Stefan

#13 Updated by flacco almost 5 years ago

Hi Christian,

I have just renewed our apparmor Profiles. You may have a look at them.

Stefan

#14 Updated by flacco almost 5 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

Some tests with the latest profiles done: joining a domain with win7 and win10 works. Joining the domain with openSUSE/Samba/sssd works. Access to the Samba shares works.

There are perhaps some optimizations possible, but for invis 13.0 it works.

#15 Updated by ingogoeppert over 4 years ago

  • Project changed from invis-server to invisAD-setup
  • Category deleted (Developement)
  • Target version deleted (13.0)
