Merge ~michal-maloszewski99/ubuntu/+source/apparmor:fix-apparmor-jammy into ubuntu/+source/apparmor:ubuntu/jammy-devel
- Git
- lp:~michal-maloszewski99/ubuntu/+source/apparmor
- fix-apparmor-jammy
- Merge into ubuntu/jammy-devel
Status: | Work in progress |
---|---|
Proposed branch: | ~michal-maloszewski99/ubuntu/+source/apparmor:fix-apparmor-jammy |
Merge into: | ubuntu/+source/apparmor:ubuntu/jammy-devel |
Diff against target: |
95 lines (+73/-0) 3 files modified
debian/changelog (+8/-0) debian/patches/series (+1/-0) debian/patches/ubuntu/fix-samba-bgqd-apparmor-profile.patch (+64/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack (community) | Approve | ||
Christian Ehrhardt (community) | Needs Fixing | ||
Robie Basak | Needs Fixing | ||
Canonical Server Reporter | Pending | ||
Review via email: mp+427973@code.qastaging.launchpad.net |
This proposal supersedes a proposal from 2022-08-01.
Commit message
Description of the change
PPA: michal-
Andreas Hasenack (ahasenack) : Posted in a previous version of this proposal | # |
Andreas Hasenack (ahasenack) : Posted in a previous version of this proposal | # |
Michał Małoszewski (michal-maloszewski99) wrote : | # |
> This MP is now correctly based on jammy-devel, but your branch itself is still
> based on jammy. Please rebase your branch onto jammy-devel, and then force
> push (no need to resubmit the MP).
Done. I've been doing it while you're writing that comment :D
Michał Małoszewski (michal-maloszewski99) wrote : | # |
SRU bug report to be evaluated.
https:/
Christian Ehrhardt (paelzer) wrote : | # |
I've reviewed the MP and also the SRU suggestion.
=> (patch and SRU) needs fixing
Michał Małoszewski (michal-maloszewski99) (last edit ): | # |
Georgia Garcia (georgiag) : | # |
Andreas Hasenack (ahasenack) wrote : | # |
The SRU text needs some caring, I added comments to the google doc.
This commit message is confusing:
commit 34006daa61e223a
Author: Michal Maloszewski <email address hidden>
Date: Thu Aug 11 20:27:43 2022 +0200
Fix the samba-bgqd apparmor profile
Fix the apparmor profile. It's a minor issue,
but help users to keep everything in order and
helps visibility of maintainers. (LP: #1979879)
The fix is basically to adjust the path of the samba-bgqd binary in the samba-bgqd and smbd apparmor profiles to match what is shipped in the package.
Georgia Garcia (georgiag) wrote : | # |
From an AppArmor perspective, this LGTM.
Michał Małoszewski (michal-maloszewski99) wrote : | # |
Results: (from http://
apparmor @ amd64:
http://
30.08.22 16:53:27 ✅ Triggers: apparmor/
apparmor @ arm64:
http://
30.08.22 17:21:08 ✅ Triggers: apparmor/
apparmor @ armhf:
http://
30.08.22 17:06:14 ✅ Triggers: apparmor/
apparmor @ ppc64el:
http://
30.08.22 16:53:57 ✅ Triggers: apparmor/
apparmor @ s390x:
http://
30.08.22 16:52:00 ✅ Triggers: apparmor/
Andreas Hasenack (ahasenack) wrote : | # |
I'm taking another look
Andreas Hasenack (ahasenack) wrote : | # |
I checked and in kinetic the startup of these extra daemons by samba has changed a bit. The reason you didn't see the need for the "k" flag in kinetic is that in the simple testing we have been doing so far (just starting the samba service), the bgqd daemon isn't started.
The moment we start it (after installing cups, cups-client, registering a fake printer, and calling rpcclient on it), we see a flood of warnings in kinetic (when the profiles are in complain mode):
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
[qui set 1 16:27:42 2022] audit: type=1400 audit(166206046
Andreas Hasenack (ahasenack) : | # |
Andreas Hasenack (ahasenack) wrote : | # |
For reference, these are the high level steps to get the bgqd service (and others) to react in the kinetic version of samba:
sudo -i
apt install cups cups-client
lpadmin -p testprinter -E -v /dev/null
smbpasswd -a root
systemctl start smbd
lpstat -l -p testprinter
rpcclient -Uroot localhost -c 'getprinter testprinter 2'
Andreas Hasenack (ahasenack) : | # |
Andreas Hasenack (ahasenack) : | # |
Andreas Hasenack (ahasenack) wrote : | # |
Ok, this is good. Can you please update the SRU bug with the SRU template filled out? If it needs changing, it's fine to do it there from now on.
Andreas Hasenack (ahasenack) wrote : | # |
Please update the package in the PPA (https:/
Andreas Hasenack (ahasenack) wrote : | # |
> Please update the package in the PPA (https:/
Sorry, my mistake. The rwk change is in abstractions/samba, which ships in the apparmor package, not apparmor-profiles as the rest of the samba profiles.
There is no need for a new upload.
Andreas Hasenack (ahasenack) wrote : | # |
Something that I missed until now is that the ubuntu patches are in their own directory, so I think the patch we are adding here should follow that pattern:
debian/
should be in
debian/
And the path for it in debian/
Michał Małoszewski (michal-maloszewski99) wrote (last edit ): | # |
@Andreas, done but there is a problem where the diff with series is above the diff with the patch.
I don't know why it has happened. I have added files to staging area in the correct order. I didn't bump into something like that before. Moreover I think there is some problem because when I have used 'git reflog' to restore commits - I have seen that previous diffs which were correct are in reverse order now.
Andreas Hasenack (ahasenack) wrote : | # |
> @Andreas, done but there is a problem where the diff with series is above the diff with the patch.
This is fine and nothing to worry about.
Andreas Hasenack (ahasenack) wrote : | # |
This looks good, +1.
But let's park it for now, because the samba apparmor profiles in kinetic need work. I tested them there, and found out many changes are needed, and filed https:/
I'm going to approve this MP, but please move it back to "work in progress" while we wait for kinetic's apparmor to be updated. In that way we will have a record of the +1, but at the same time remove this MP from the status page for the time being.
Michał Małoszewski (michal-maloszewski99) wrote : | # |
Done, changed for 'work in progress'
Andreas Hasenack (ahasenack) wrote : | # |
I checked kinetic, found one more issue there[1], but I think it doesn't affect jammy, so we don't need to change anything here. I'll do one more pass on jammy with that in mind, though, just to be sure.
1. https:/
Andreas Hasenack (ahasenack) wrote : | # |
I'm afraid I found one more thing. Quite the rabbit hole this bug! :)
When actually trying to print something, with a real printer and such, got this DENIED:
[Thu Oct 20 21:26:04 2022] audit: type=1400 audit(166630116
So we need a rule like this in the samba-bgqd profile:
/var/cache/
This is pretty much the same thing we need in kinetic[1], but the samba version there is different and the printing system changed such that it's another daemon that needs that rule in kinetic, and not samba-bgqd like is the case in focal.
Could you please add that rule above to the samba-bgqd profile? And adjust the patch description (DEP3 header).
1. https:/
Andreas Hasenack (ahasenack) wrote : | # |
Let's change the DEP3 description to this:
Description: Fix samba apparmor profiles wrt samba-bgqd
The installation path of samba-bgqd in Ubuntu Jammy does not match the
corresponding apparmor profiles where it's used. In Ubuntu Kinetic and later,
that path was fixed in the samba packaging, so this patch is not needed there.
.
Once samba-bgqd was referenced in the correct path and allowed to start, more
tweaks were needed for this profile to allow it to run properly:
- locking ("k") of tdb files in /run/samba
- read/write access to printer tdb files in /var/cache/
For the commit message that adds the patch (currently dbc8179ae0d965b
Andreas Hasenack (ahasenack) wrote : | # |
Tested and all good, even on arm64 (so that @multiarch trick worked just fine). I hope by monday LL will be open, then we can make this same last change to the apparmor package in the devel release.
There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.
This MP is now correctly based on jammy-devel, but your branch itself is still based on jammy. Please rebase your branch onto jammy-devel, and then force push (no need to resubmit the MP).