smbd: allow reading under /usr/share/samba

Today, a normal user connected and did something (dunno what) that caused smbd to try to /usr/share/samba/mdssvc/elasticsearch_mappings.json:

Samba logs:

root@smb:~# journalctl -b0 -u smbd
-- Logs begin at Fri 2022-01-21 14:17:01 UTC, end at Thu 2022-02-17 23:56:02 UTC. --
Feb 17 14:01:20 smb systemd[1]: Starting Samba SMB Daemon...
Feb 17 14:01:26 smb smbd[113]: [2022/02/17 14:01:26.904865,  0] ../../lib/util/become_daemon.c:135(daemon_ready)
Feb 17 14:01:26 smb systemd[1]: Started Samba SMB Daemon.
Feb 17 14:01:26 smb smbd[113]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 17 21:05:35 smb smbd[3084]: pam_unix(samba:session): session opened for user jdoe by (uid=0)
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735182,  0] ../../source3/rpc_server/mdssvc/mdssvc_es.c:92(mdssvc_es_init)
Feb 17 21:05:37 smb smbd[3084]:   mdssvc_es_init: Opening mapping file [/usr/share/samba/mdssvc/elasticsearch_mappings.json] failed: unable to open /usr/share/samba/mdssvc/elasticsearch_mappings.json: Permission denied
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735436,  0] ../../source3/rpc_server/mdssvc/mdssvc.c:1490(mdssvc_init)
Feb 17 21:05:37 smb smbd[3084]:   mdssvc_init: backend init failed
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735562,  0] ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:152(_mdssvc_open)
Feb 17 21:05:37 smb smbd[3084]:   _mdssvc_open: Couldn't create policy handle for partage
Feb 17 23:56:02 smb smbd[3084]: pam_unix(samba:session): session closed for user jdoe

Since the 'smb' machine is a container, the Apparmor denial ended up in the host's log:

$ journalctl -o cat --grep samba -k --since today | cat
audit: type=1400 audit(1645131937.730:98): apparmor="DENIED" operation="open" namespace="root//lxd-smb_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/share/samba/mdssvc/elasticsearch_mappings.json" pid=35359 comm="smbd" requested_mask="r" denied_mask="r" fsuid=166549 ouid=165536

It is the first time it occurs in years of use but it seems legitimate as:

1. this file is installed by the package
2. git grep -F elasticsearch_mappings in Debian samba's source shows many hits:

$ git grep -F elasticsearch_mappings
debian/samba.install:usr/share/samba/mdssvc/elasticsearch_mappings.json
docs-xml/manpages/mdsearch.1.xml:         <filename>/usr/share/samba/mdssvc/elasticsearch_mappings.json</filename>
docs-xml/smbdotconf/misc/elasticsearchmappings.xml:  <value type="default">&pathconfig.SAMBA_DATADIR;/elasticsearch_mappings.json</value>
docs/manpages/mdfind.1:/usr/share/samba/mdssvc/elasticsearch_mappings\&.json
docs/manpages/smb.conf.5:\fI\fIelasticsearch:mappings\fR\fR\fI = \fR\fI${prefix}/var/samba/elasticsearch_mappings\&.json\fR\fI \fR
selftest/selftest.pl:   elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
selftest/target/Samba3.pm:      elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
source3/rpc_server/mdssvc/es_parser_test.c:             "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/mdssvc/mdssvc_es.c:          "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/wscript_build:                          'mdssvc/elasticsearch_mappings.json')

While only the mdssvc sub-dir could be authorized, the whole dir content seemed OK for read access anyway:

root@smb:~# ll /usr/share/samba/
total 53
drwxr-xr-x  5 root root   10 Feb  1 14:08 ./
drwxr-xr-x 67 root root   67 Jun 22  2021 ../
-rwxr-xr-x  1 root root 1163 Jan 31 13:11 addshare.py*
drwxr-xr-x  3 root root    4 Feb  1 14:08 admx/
drwxr-xr-x  2 root root    3 Feb  1 14:08 mdssvc/
-rwxr-xr-x  1 root root 2059 Jan 31 13:11 panic-action*
-rwxr-xr-x  1 root root 1333 Jan 31 13:11 setoption.py*
drwxr-xr-x  5 root root   57 Feb  1 14:08 setup/
-rw-r--r--  1 root root 8942 Jan 31 13:11 smb.conf
-rwxr-xr-x  1 root root 2682 Jan 31 13:11 update-apparmor-samba-profile*