Update samba profiles

nl6720 requested to merge nl6720/apparmor:update-profile-samba into master

profiles/apparmor.d/samba*: allow access to pid files directly in /run/

On Arch Linux, samba-dcerpcd.pid is in /run/, not /run/samba/.

apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

The same is true for nmbd.pid, smbd.pid and probably others too.

samba-dcerpcd requires access to /var/cache/samba/names.tdb.

audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0

See also https://bbs.archlinux.org/viewtopic.php?id=281411

Since usr.sbin.winbindd already has a rule for it, and usr.sbin.nmbd has similar ones, simply add /var/cache/samba/*.tdb rwk to abstractions/samba.
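
An added example, not part of this merge request or the AppArmor project's code: a small triage script that reads `DENIED` records such as the two quoted above and prints the narrowest file rule each one implies. The function names are hypothetical, and the `c`/`d` to `w` mapping reflects that profile rules grant create and delete through write permission.

```python
import re
from collections import defaultdict

# The two denial records quoted on this page, used as sample input.
SAMPLE_LOG = """\
apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks report c (create) and d (delete); profile rules grant both via w.
LOG_TO_RULE = {"c": "w", "d": "w"}
PERM_ORDER = "rwaklmx"  # output order for permission letters


def parse_denials(log_text):
    """Yield (profile, path, denied_mask) for each AppArmor DENIED file record."""
    for line in log_text.splitlines():
        fields = {k: q if u == "" else u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # not a denial, or not a file-path denial
        yield fields.get("profile", "?"), fields["name"], fields.get("denied_mask", "")


def suggest_rules(log_text):
    """Return {profile: [rule, ...]} with one minimal file rule per denied path."""
    perms = defaultdict(set)
    for profile, path, mask in parse_denials(log_text):
        # Merge repeated denials of the same path into a single rule.
        perms[(profile, path)].update(LOG_TO_RULE.get(p, p) for p in mask)
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        mode = "".join(sorted(granted, key=PERM_ORDER.find))
        rules[profile].append(f"{path} {mode},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join(f"  {line}" for line in lines))
```

The output lists only what the logged denials require; the rule described above is wider (a `*.tdb` glob with `rwk`), so compare any broadening against what the daemon actually needs before adding it to a shared abstraction.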