[Manjaro] Apparmor Kernel patches create issues with smbd


#1

@zyga: currently we face some issues with the additional out-of-tree patches and smbd. A user can’t connect to his samba shares. Using a kernel without the patches works with apparmor enabled. We originally added the additional patches to create full confinement for snaps in Manjaro Linux. Here are the details from my user.


https://forum.manjaro.org/t/unstable-update-2019-06-22-kernels-pamac-firefox-python-texlive/92104/3

For now the default profile for smbd on Manjaro is this:

phil@development ~ $ cat /etc/apparmor.d/usr.sbin.smbd
#include <tunables/global>

profile smbd /usr/{bin,sbin}/smbd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/cups-client>
  #include <abstractions/nameservice>
  #include <abstractions/samba>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  capability audit_write,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability lease,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_resource,
  capability sys_tty_config,

  /etc/mtab r,
  /etc/netgroup r,
  /etc/printcap r,
  /etc/samba/* rwk,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/core_pattern r,
  /usr/lib*/samba/vfs/*.so mr,
  /usr/lib*/samba/auth/*.so mr,
  /usr/lib*/samba/charset/*.so mr,
  /usr/lib*/samba/gensec/*.so mr,
  /usr/lib*/samba/pdb/*.so mr,
  /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
  /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
  /usr/lib/@{multiarch}/samba/**/ r,
  /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
  /usr/{bin,sbin}/smbd mr,
  /usr/{bin,sbin}/smbldap-useradd Px,
  /var/cache/samba/** rwk,
  /var/{cache,lib}/samba/printing/printers.tdb mrw,
  /var/lib/samba/** rwk,
  /var/lib/sss/pubconf/kdcinfo.* r,
  /{,var/}run/dbus/system_bus_socket rw,
  /{,var/}run/smbd.pid rwk,
  /{,var/}run/samba/** rk,
  /{,var/}run/samba/ncalrpc/ rw,
  /{,var/}run/samba/ncalrpc/** rw,
  /{,var/}run/samba/smbd.pid rw,
  /{,var/}run/samba/msg.lock/ rw,
  /{,var/}run/samba/msg.lock/[0-9]* rwk,
  /var/spool/samba/** rw,

  @{HOMEDIRS}/** lrwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.smbd>
}

Shares outside of the home dir may be whitelisted in the profile. Temporarily disabling the smbd profile might work. More about apparmor here.


Feedback from the User:

Hi Phil,
What I can tell so far is:
security=apparmor apparmor=1 is added to both 5.1 and 5.2 kernel options, but smb starts fine only on 5.2 if these options are appended. On both kernels aa-status reports that Apparmor is loaded and mounted.
I tried to remove all smb shares and the issue still persists. So this seems to happen without any shares at all. This is why I suggest you try it on your side too, since it’s just a matter of enabling smb.service along with the apparmor service and kernel options. If you have the same issue, then it is something related to Apparmor’s smbd profile.
Also I tried disabling the smbd Apparmor profile and it worked: smb.service started without problems.
All samba related packages I have are samba and Manjaro samba settings with stock configs.
For now I have no idea what is wrong with my setup.
I don’t know, maybe symlinks to another drive that I have inside some home folders are to blame?

Here is some useful info to understand the situation:

Without apparmor=1 security=apparmor, kernel 5.1:

┬─[openm@reiwa:~]─[22:28:41]
╰─>$ smbclient -L 10.0.0.5
Unable to initialize messaging context
Enter WORKGROUP\openm’s password:

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (Samba 4.10.5)
    openm           Disk      Home Directories

Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            

┬─[openm@reiwa:~]─[22:29:07]
╰─>$ sudo aa-status
[sudo] password for openm:
apparmor module is loaded.
apparmor filesystem is not mounted.

With apparmor=1 security=apparmor, kernel 5.1:

┬─[openm@reiwa:~]─[22:34:35]
╰─>$ smbclient -L 10.0.0.5
Unable to initialize messaging context
do_connect: Connection to 10.0.0.5 failed (Error NT_STATUS_CONNECTION_REFUSED)
┬─[openm@reiwa:~]─[22:35:02]
╰─>$ sudo aa-status
[sudo] password for openm:
apparmor module is loaded.
47 profiles are loaded.
47 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda//sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/lib/dovecot/stats
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dovecot
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/bin/nmbd (1628) nmbd
/usr/bin/ntpd (1621) ntpd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
┬─[openm@reiwa:~]─[22:35:13]
╰─>$ sudo ln -s /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/disable/
┬─[openm@reiwa:~]─[22:36:45]
╰─>$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.smbd
┬─[openm@reiwa:~]─[22:36:51]
╰─>$ systemctl restart smb
┬─[openm@reiwa:~]─[22:37:12]
╰─>$ smbclient -L 10.0.0.5
Unable to initialize messaging context
Enter WORKGROUP\openm’s password:

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (Samba 4.10.5)
    openm           Disk      Home Directories

Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            RT-AC68U-ASMT

┬─[openm@reiwa:~]─[22:37:25]
╰─>$ sudo aa-status
apparmor module is loaded.
46 profiles are loaded.
46 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda//sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/lib/dovecot/stats
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dovecot
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
ping
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/bin/nmbd (1628) nmbd
/usr/bin/ntpd (1621) ntpd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

With apparmor=1 security=apparmor, kernel 5.2:

┬─[openm@reiwa:~]─[22:40:16]
╰─>$ smbclient -L 10.0.0.5
Unable to initialize messaging context
Enter WORKGROUP\openm’s password:

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (Samba 4.10.5)
    openm           Disk      Home Directories

Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            

┬─[openm@reiwa:~]─[22:40:37]
╰─>$ sudo aa-status
[sudo] password for openm:
apparmor module is loaded.
47 profiles are loaded.
47 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda//sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/lib/dovecot/stats
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dovecot
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
/usr/bin/nmbd (1585) nmbd
/usr/bin/ntpd (1581) ntpd
/usr/bin/smbd (1607) smbd
/usr/bin/smbd (1609) smbd
/usr/bin/smbd (1610) smbd
/usr/bin/smbd (1615) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

As you can see, there are no shares at all except the default one from /etc/samba/smb.conf, which is [homes] (manjaro-settings-samba package).

The only difference I am sure of is the Ubuntu patches applied to linux51.
Also, remember Frog’s reply? He said there was no issue on linux419 (his daily driver), which, as I have checked on Manjaro Gitlab, also (as linux52) does not have Ubuntu patches.

Yes, but that leaves Apparmor disabled.

I had such shares initially, but after removing them all, including those residing in /home as well, nothing has changed.
One thing to note: I have no snapd installed, if it makes any sense.
Also I have symlinks for stuff outside /home directory.
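Phil's remark that shares outside the home dir can be whitelisted in the profile points at the `#include <local/usr.sbin.smbd>` hook at the bottom of the stock profile: the stock rules only cover `@{HOMEDIRS}/**`, `/var/spool/samba/**` and the Samba state directories, so every `path =` on another drive needs its own file rule. The script below is an added example, not Phil's, Manjaro's or the apparmor package's code. It reads the `[share]` sections of an smb.conf and emits rules for that local override file; the smb.conf it parses is constructed for the demo, and the share names, the paths and the choice to mirror the profile's `lrwk` grant for writable shares are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the site-specific file rules that
# /etc/apparmor.d/local/usr.sbin.smbd needs for every share in smb.conf whose path
# lies outside @{HOMEDIRS}. Real use (as root):
#   apparmor_rules_for_smbconf /etc/samba/smb.conf >> /etc/apparmor.d/local/usr.sbin.smbd
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd
# The smb.conf below is constructed for the demo; share names and paths are invented.

SAMPLE_SMB_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SMB_CONF"' EXIT
cat >"$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user

[homes]
   comment = Home Directories
   browseable = no
   read only = no

[printers]
   path = /var/spool/samba
   printable = yes

[Documents]
   path = /srv/samba/docs
   read only = no

[Z_Downloads]
   ; read-only share on a second drive
   path = /mnt/data/downloads

[Scratch]
   path = /srv/samba/scratch space
   writeable = yes
EOF

# smbconf_share_paths FILE: print "share<TAB>path<TAB>1|0" (1 = writable) for every
# share section that has a path, skipping [global], [homes] (covered by @{HOMEDIRS})
# and [printers] (covered by /var/spool/samba/** in the stock profile).
smbconf_share_paths() {
  awk -F= '
    function flush() {
      if (sec != "" && sec != "global" && sec != "homes" && sec != "printers" && path != "")
        printf "%s\t%s\t%d\n", sec, path, writable
    }
    /^[ \t]*[#;]/ { next }                        # comment line
    /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                  path = ""; writable = 0; next } # Samba default is read only = yes
    NF >= 2 {
      key = $1; val = substr($0, index($0, "=") + 1)   # keep any "=" inside the value
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      key = tolower(key); lv = tolower(val)
      if (key == "path") path = val
      else if ((key == "writable" || key == "writeable" || key == "write ok") && lv ~ /^(yes|true|1)$/) writable = 1
      else if (key == "read only" && lv ~ /^(no|false|0)$/) writable = 1
    }
    END { flush() }
  ' "$1"
}

# apparmor_rules_for_smbconf FILE: emit AppArmor file rules for those shares. Paths are
# quoted because share paths may contain spaces; writable shares get the same lrwk set
# the stock profile grants under @{HOMEDIRS}, read-only shares just r.
apparmor_rules_for_smbconf() {
  tab=$(printf '\t')
  smbconf_share_paths "$1" | while IFS="$tab" read -r share path writable; do
    case $path in
      /*) ;;
      *) printf '# [%s]: skipping non-absolute path %s\n' "$share" "$path"; continue ;;
    esac
    path=${path%/}
    if [ "$writable" = 1 ]; then
      printf '# [%s] -> %s (read/write)\n"%s/" rw,\n"%s/**" lrwk,\n' "$share" "$path" "$path" "$path"
    else
      printf '# [%s] -> %s (read-only)\n"%s/" r,\n"%s/**" r,\n' "$share" "$path" "$path" "$path"
    fi
  done
}

apparmor_rules_for_smbconf "$SAMPLE_SMB_CONF"
```

The generated rules are deliberately not `owner` rules: smbd forks and changes to the connecting user's uid, and files on a share are routinely owned by other users, so an `owner` match would deny exactly the multi-user access a share exists for. Review the output before appending it, then reload the profile with `apparmor_parser -r` rather than restarting apparmor.service, so the other profiles stay loaded.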


#2

Can you put the profile in complain mode and check if anything related to AppArmor is logged in dmesg?
This should do it:

$ sudo aa-complain /usr/sbin/smbd

#3

I just did a quick check on Ubuntu 19.04 and:

  1. there are no apparmor specific patches to samba
  2. samba source package doesn’t reference apparmor

I think that samba is not confined on Debian, I’m curious where the profiles for Manjaro’s samba package are coming from?


#4

On Arch it’s from the apparmor package, I’d guess it’s quite the same on Manjaro.

$ pacman -Qo /etc/apparmor.d/usr.sbin.smbd
/etc/apparmor.d/usr.sbin.smbd is owned by apparmor 2.13.3-2

#5

Hi guys,

I am the man who reported the issue initially.

Yes, exactly the same.

I did it and smb.service finally managed to start:

aa-status, kernel 5.1.14 with snapd/apparmor patches
$ sudo aa-status
[sudo] password for openm: 
apparmor module is loaded.
47 profiles are loaded.
46 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
1 profiles are in complain mode.
   smbd
6 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/nmbd (1577) nmbd
   /usr/bin/ntpd (1567) ntpd
4 processes are in complain mode.
   /usr/bin/smbd (1655) smbd
   /usr/bin/smbd (1663) smbd
   /usr/bin/smbd (1664) smbd
   /usr/bin/smbd (1685) smbd
0 processes are unconfined but have a profile defined.
journalctl, kernel 5.1.14 with snapd/apparmor patches
$ journalctl --no-pager --no-hostname -xb -g apparmor
-- Logs begin at Thu 2019-06-20 11:45:07 +10, end at Wed 2019-06-26 20:26:00 +10. --
Jun 26 20:25:21 kernel: Command line: ro initrd=\intel-ucode.img initrd=\initramfs-5.1-x86_64.img quiet splash apparmor=1 security=apparmor audit=0 root=/dev/mapper/reiwa rootfstype=ext4 resume=/dev/mapper/reiwa resume_offset=11952128
Jun 26 20:25:21 kernel: Kernel command line: ro initrd=\intel-ucode.img initrd=\initramfs-5.1-x86_64.img quiet splash apparmor=1 security=apparmor audit=0 root=/dev/mapper/reiwa rootfstype=ext4 resume=/dev/mapper/reiwa resume_offset=11952128
Jun 26 20:25:21 kernel: AppArmor: AppArmor initialized
Jun 26 20:25:21 kernel: AppArmor: AppArmor Filesystem Enabled
Jun 26 20:25:21 kernel: AppArmor: AppArmor sha1 policy hashing enabled
Jun 26 20:25:21 systemd[1]: systemd 242.29-3-manjaro running in system mode. (+PAM +AUDIT -SELINUX -IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Jun 26 20:25:21 apparmor.systemd[512]: Restarting AppArmor
Jun 26 20:25:21 apparmor.systemd[512]: Reloading AppArmor profiles
Jun 26 20:25:24 systemd[1]: Started Load AppArmor profiles.
-- Subject: A start job for unit apparmor.service has finished successfully
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit apparmor.service has finished successfully.
-- 
-- The job identifier is 111.
Jun 26 20:25:24 dbus-daemon[1393]: [system] AppArmor D-Bus mediation is enabled
Jun 26 20:25:27 dbus-daemon[1516]: [session uid=987 pid=1516] AppArmor D-Bus mediation is enabled
Jun 26 20:25:31 dbus-daemon[1596]: [session uid=1000 pid=1596] AppArmor D-Bus mediation is enabled
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=1655 label="smbd" peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1655 label="smbd" peer_pid=1 peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=1655 label="smbd" peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1655 label="smbd" peer_pid=1 peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=1655 label="smbd" peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=1655 label="smbd" peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=1655 label="smbd" peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=1655 label="smbd" peer_label="unconfined"
Jun 26 20:25:32 dbus-daemon[1393]: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=1655 label="smbd

This is before putting smbd to complain mode:

aa-status, kernel 5.1.15 from upstream (kernel.org)
$ sudo aa-status
apparmor module is loaded.
47 profiles are loaded.
47 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /usr/bin/nmbd (1631) nmbd
   /usr/bin/ntpd (1623) ntpd
   /usr/bin/smbd (1652) smbd
   /usr/bin/smbd (1654) smbd
   /usr/bin/smbd (1655) smbd
   /usr/bin/smbd (1657) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
journalctl, kernel 5.1.15 from upstream (kernel.org)
$ journalctl --no-pager --no-hostname -xb -g apparmor
-- Logs begin at Thu 2019-06-20 11:45:07 +10, end at Wed 2019-06-26 20:08:13 +10. --
Jun 26 20:00:25 kernel: Command line: ro initrd=\intel-ucode.img initrd=\initramfs-5.1-x86_64.img quiet splash apparmor=1 security=apparmor audit=0 root=/dev/mapper/reiwa rootfstype=ext4 resume=/dev/mapper/reiwa resume_offset=11952128
Jun 26 20:00:25 kernel: Kernel command line: ro initrd=\intel-ucode.img initrd=\initramfs-5.1-x86_64.img quiet splash apparmor=1 security=apparmor audit=0 root=/dev/mapper/reiwa rootfstype=ext4 resume=/dev/mapper/reiwa resume_offset=11952128
Jun 26 20:00:25 kernel: AppArmor: AppArmor initialized
Jun 26 20:00:25 kernel: AppArmor: AppArmor Filesystem Enabled
Jun 26 20:00:25 kernel: AppArmor: AppArmor sha1 policy hashing enabled
Jun 26 20:00:25 systemd[1]: systemd 242.29-3-manjaro running in system mode. (+PAM +AUDIT -SELINUX -IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Jun 26 20:00:25 apparmor.systemd[579]: Restarting AppArmor
Jun 26 20:00:25 apparmor.systemd[579]: Reloading AppArmor profiles
Jun 26 20:00:28 systemd[1]: Started Load AppArmor profiles.
-- Subject: A start job for unit apparmor.service has finished successfully
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit apparmor.service has finished successfully.
-- 
-- The job identifier is 131.

#6

The smbd profile needs to be configured and tailored to the site-specific exported files before it can be used in enforce mode. I suggest adjusting the smbd file to be disabled by default while you decide how you want to handle system profiles (i.e., non-snap) in Manjaro. To do so, simply symlink /etc/apparmor.d/usr.sbin.smbd to /etc/apparmor.d/disable/usr.sbin.smbd. In this manner the profile is shipped and users can opt into it. If the Manjaro (or Arch) packages are shipping enforcing profiles by default, each one will have to be carefully tested to make sure it works correctly in the distribution. If you aren’t sure, I suggest shipping disabled by default.

In Ubuntu, we ship profiles separately from the parser/stuff in etc in the apparmor-profiles package and let other debs ship their own profiles. We don’t ship /etc/apparmor.d/usr.sbin.smbd (or nmbd) by default and in our apparmor-profiles package, it is in complain mode. We only ship enforcing profiles where it can be reasonably expected that the profile works unmodified for the vast majority of users, else we ship it disabled (or for the handful of profiles in apparmor-profiles, in complain mode for historical reasons; note that complain mode profiles take kernel memory and are noisy so it isn’t typically a reasonable default for a distro).

Suse does ship enforcing profiles for samba, but they have additional packaging IIRC that will configure the samba profile to make it more transparent to end users how to make it work.


#7

I have installed snapd to see how it works and I’ve found out that snapd.apparmor service fails to start on 5.1.14 with snapd/apparmor patches when smbd profile is NOT disabled.

So I am quitting playing with all these and switching to pure 5.1.15 again (for now at least). It looks like this on my side (and I am pretty much happy with it, sorry for such a long wall of text):

┬─[openm@reiwa:~]─[22:26:02]
╰─>$ systemd-analyze
Startup finished in 10.052s (firmware) + 62ms (loader) + 7.662s (kernel) + 11.397s (userspace) = 29.175s 
graphical.target reached after 11.228s in userspace

┬─[openm@reiwa:~]─[22:26:14]
╰─>$ uname -a
Linux reiwa 5.1.15-1-MANJARO #1 SMP PREEMPT Wed Jun 26 13:26:34 +10 2019 x86_64 GNU/Linux

┬─[openm@reiwa:~]─[22:27:55]
╰─>$ smbclient -L 10.0.0.5 -N
Unable to initialize messaging context

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.10.5)
        Documents       Disk      
        SPB             Disk      
        Z_Downloads     Disk      
        Z_Android       Disk      
        Downloads       Disk      
        Z_Documents     Disk      
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            

┬─[openm@reiwa:~]─[22:28:13]
╰─>$ journalctl --no-pager --no-hostname -xb -g snapd
-- Logs begin at Fri 2019-06-21 13:22:18 +10, end at Wed 2019-06-26 22:28:24 +10. --
Jun 26 22:23:15 systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
-- Subject: A start job for unit snapd.apparmor.service has begun execution
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit snapd.apparmor.service has begun execution.
-- 
-- The job identifier is 88.
Jun 26 22:23:15 systemd[1]: Started Load AppArmor profiles managed internally by snapd.
-- Subject: A start job for unit snapd.apparmor.service has finished successfully
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit snapd.apparmor.service has finished successfully.
-- 
-- The job identifier is 88.
Jun 26 22:23:15 snapd[1490]: daemon.go:379: started snapd/2.39.3-1 (series 16; classic; devmode) manjaro/ (amd64) linux/5.1.15-1-MANJARO.
Jun 26 22:23:15 systemd[1]: Starting Wait until snapd is fully seeded...
-- Subject: A start job for unit snapd.seeded.service has begun execution
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit snapd.seeded.service has begun execution.
-- 
-- The job identifier is 116.
Jun 26 22:23:16 systemd[1]: Started Wait until snapd is fully seeded.
-- Subject: A start job for unit snapd.seeded.service has finished successfully
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit snapd.seeded.service has finished successfully.
-- 
-- The job identifier is 116.
Jun 26 22:23:34 appimagelauncherd[1908]: which: no gtk-update-icon-cache-3.0 in (/usr/local/sbin:/usr/local/bin:/usr/bin:/var/lib/snapd/snap/bin:/var/lib/snapd/snap/bin)

┬─[openm@reiwa:~]─[22:28:24]
╰─>$ journalctl --no-pager --no-hostname -xb -g apparmor
-- Logs begin at Fri 2019-06-21 13:22:18 +10, end at Wed 2019-06-26 22:28:30 +10. --
Jun 26 22:23:13 kernel: Command line: ro initrd=\intel-ucode.img initrd=\initramfs-5.1-x86_64.img add_efi_memmap tpmkey=/dev/sda1:/keyfile:0x81000003 tpmpcr=sha1:0,2,4,7 quiet splash apparmor=1 security=apparmor audit=0 cryptdevice=PARTUUID=fb760976-5942-c249-8506-f2b0aa034d32:reiwa:allow-discards root=/dev/mapper/reiwa rootfstype=ext4 resume=/dev/mapper/reiwa resume_offset=11952128
Jun 26 22:23:13 kernel: Kernel command line: ro initrd=\intel-ucode.img initrd=\initramfs-5.1-x86_64.img add_efi_memmap tpmkey=/dev/sda1:/keyfile:0x81000003 tpmpcr=sha1:0,2,4,7 quiet splash apparmor=1 security=apparmor audit=0 cryptdevice=PARTUUID=fb760976-5942-c249-8506-f2b0aa034d32:reiwa:allow-discards root=/dev/mapper/reiwa rootfstype=ext4 resume=/dev/mapper/reiwa resume_offset=11952128
Jun 26 22:23:13 kernel: AppArmor: AppArmor initialized
Jun 26 22:23:13 kernel: AppArmor: AppArmor Filesystem Enabled
Jun 26 22:23:13 kernel: AppArmor: AppArmor sha1 policy hashing enabled
Jun 26 22:23:13 systemd[1]: systemd 242.29-3-manjaro running in system mode. (+PAM +AUDIT -SELINUX -IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Jun 26 22:23:13 apparmor.systemd[568]: Restarting AppArmor
Jun 26 22:23:13 apparmor.systemd[568]: Reloading AppArmor profiles
Jun 26 22:23:15 systemd[1]: Started Load AppArmor profiles.
-- Subject: A start job for unit apparmor.service has finished successfully
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit apparmor.service has finished successfully.
-- 
-- The job identifier is 115.
Jun 26 22:23:15 systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
-- Subject: A start job for unit snapd.apparmor.service has begun execution
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit snapd.apparmor.service has begun execution.
-- 
-- The job identifier is 88.
Jun 26 22:23:15 systemd[1]: Started Load AppArmor profiles managed internally by snapd.
-- Subject: A start job for unit snapd.apparmor.service has finished successfully
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- A start job for unit snapd.apparmor.service has finished successfully.
-- 
-- The job identifier is 88.
Jun 26 22:23:15 snapd[1490]: AppArmor status: apparmor is enabled but some kernel features are missing: dbus, network

┬─[openm@reiwa:~]─[22:28:31]
╰─>$ snap run hello-world
Hello World!

┬─[openm@reiwa:~]─[22:29:32]
╰─>$ sudo aa-status
[sudo] password for openm: 
apparmor module is loaded.
58 profiles are loaded.
58 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   /var/lib/snapd/snap/core/7169/usr/lib/snapd/snap-confine
   /var/lib/snapd/snap/core/7169/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   snap-update-ns.core
   snap-update-ns.hello-world
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   syslog-ng
   syslogd
   traceroute
   winbindd
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /usr/bin/nmbd (1716) nmbd
   /usr/bin/ntpd (1711) ntpd
   /usr/bin/smbd (1738) smbd
   /usr/bin/smbd (1740) smbd
   /usr/bin/smbd (1741) smbd
   /usr/bin/smbd (1744) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I will disable smbd profile if it would be necessary in future.


#8

OK. Will double check apparmor then and adjust the way profiles are shipped on our end.

Best, Philip


#9

That’s a rather curious outcome. You may want to report that in the appropriate forum (eg, Manjaro, Arch, apparmor upstream) since even if the smbd profile was broken, the snapd profiles should load. Perhaps it is more a systemd dependency thing because smbd didn’t start due to denials, which caused cascading failures (or snapd.apparmor to start after a long timeout, etc)…


#10

I think the issue is with dbus, which now has apparmor as a hard dependency. Then systemd has apparmor enabled, which might create a ripple effect. Also the out-of-tree patches might create issues with the smbd profile, which is the original profile from upstream.


#11

Seems you do via apparmor-profiles.


#12

Sorry, this was kind of blind lead. I think I did something wrong during the activation of snapd services for the first time. I cannot reproduce this again.


#13

I was mostly able to revert additional changes made to dbus and systemd on my end. Still we have full containment with snapd. When the profiles are updated, I assume this will work. However it is interesting to see that those patches affect the stock smbd profile.


#14

Right, the systemd dependency on apparmor is just so it can use libapparmor to load profiles via ‘AppArmorProfile=…’ in the unit, so this shouldn’t affect anything with snapd not loading. Similarly, dbus’ dependency is simply to use libapparmor to query if something should be allowed and doesn’t do anything with policy loads.

Glad to hear that you got the policy loads sorted.


#15

By default, I meant the default Ubuntu install of which apparmor-profiles is not a part. The profiles are put in complain mode as part of the build: https://salsa.debian.org/apparmor-team/apparmor/blob/ubuntu/master/debian/rules#L170


#16

I used your script @jdstrand, however now I get permission denied for the /run/snapd/lock file. Have to double check. Maybe I only set smbd into complain mode.

Best, Philip


#17

Seems something is off on my end with the live session. On an installed system it works. Maybe some overlay issue. Will see. Maybe I have to check with @zyga at some point.

Best, Philip


#18

Are you using snapd built from master? The fixes from https://github.com/snapcore/snapd/pull/7011 are currently in master only.


#19

Seems a needed patch for overlayfs got commented out during the update. We have fixed that now. Still working on the apparmor-profiles to make it work. So there is progress.


#20

I had to enable audit and follow its recommendations to make smbd work in enforce mode. Here is a sequence of commands:

┬─[openm@reiwa:~/Applications]─[15:48:21]
╰─>$ sudo aa-complain /etc/apparmor.d/usr.sbin.smbd
Setting /etc/apparmor.d/usr.sbin.smbd to complain mode.
┬─[openm@reiwa:~/Applications]─[15:48:28]
╰─>$ systemctl restart smb
┬─[openm@reiwa:~/Applications]─[15:48:36]
╰─>$ sudo aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:  smbd
Path:     /run/systemd/notify
New Mode: owner w
Severity: unknown

 [1 - owner /run/systemd/notify w,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding owner /run/systemd/notify w, to profile.
Enforce-mode changes:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - smbd]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - smbd]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for smbd.
┬─[openm@reiwa:~/Applications]─[15:51:07]
╰─>$ sudo aa-enforce /etc/apparmor.d/usr.sbin.smbd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
┬─[openm@reiwa:~/Applications]─[15:51:20]
╰─>$ systemctl restart smb
┬─[openm@reiwa:~/Applications]─[16:05:41]
╰─>$ sudo aa-status
[sudo] password for openm: 
apparmor module is loaded.
63 profiles are loaded.
63 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   /var/lib/snapd/snap/core/7270/usr/lib/snapd/snap-confine
   /var/lib/snapd/snap/core/7270/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   snap-update-ns.core
   snap-update-ns.hello-world
   snap-update-ns.minter-console-web
   snap-update-ns.wps-office
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   snap.minter-console-web.minter-console-web
   snap.wps-office.et
   snap.wps-office.wpp
   snap.wps-office.wps
   syslog-ng
   syslogd
   traceroute
   winbindd
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
   /usr/bin/avahi-daemon (1522) avahi-daemon
   /usr/bin/avahi-daemon (1549) avahi-daemon
   /usr/bin/nmbd (1754) nmbd
   /usr/bin/ntpd (1747) ntpd
   /usr/bin/smbd (22717) smbd
   /usr/bin/smbd (22720) smbd
   /usr/bin/smbd (22721) smbd
   /usr/bin/smbd (22722) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
┬─[openm@reiwa:~/Applications]─[15:51:25]
╰─>$ systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-06-29 15:51:25 +10; 13min ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 22717 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 4 (limit: 4915)
   Memory: 9.8M
   CGroup: /system.slice/smb.service
           ├─22717 /usr/bin/smbd --foreground --no-process-group
           ├─22720 /usr/bin/smbd --foreground --no-process-group
           ├─22721 /usr/bin/smbd --foreground --no-process-group
           └─22722 /usr/bin/smbd --foreground --no-process-group

What has changed in usr.sbin.smbd is one new line owner /run/systemd/notify w,:

  @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/core_pattern r,
  owner /run/systemd/notify w,

}

Of course I had to add audit=1 to the kernel options and start the corresponding service.
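As an added example (not part of this thread and not aa-logprof’s own code), the following POSIX shell/awk helper performs the same translation aa-logprof did in the session above: it reads AppArmor audit records, both the apparmor="ALLOWED" ones written in complain mode and apparmor="DENIED" ones from enforce mode, and emits candidate profile rule lines for one profile, adding the `owner` qualifier when fsuid matches ouid. The audit records are constructed, modelled on the smbd denial for /run/systemd/notify discussed above.

```shell
#!/bin/sh
# Constructed AppArmor audit records (not real log lines): one complain-mode
# "ALLOWED" record, one enforce-mode "DENIED" record, and one unrelated record.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1561786108.123:456): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=22717 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1561786108.456:457): apparmor="DENIED" operation="open" profile="smbd" name="/etc/netgroup" pid=22717 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=SERVICE_START msg=audit(1561786109.000:458): pid=1 uid=0 msg="unit=smb comm=systemd exe=/usr/lib/systemd/systemd" res=success'

# audit_to_rules PROFILE  (reads audit records on stdin)
# Prints one candidate rule per record that names PROFILE and was either
# denied (enforce mode) or would have been denied (complain mode "ALLOWED").
# Output uses the profile file's own rule syntax, e.g.
#   owner /run/systemd/notify w,
# Review each line before pasting it into /etc/apparmor.d; this helper only
# proposes rules, it does not judge whether the access should be granted.
audit_to_rules() {
    awk -v want="$1" '
    /apparmor="(DENIED|ALLOWED)"/ {
        prof = ""; path = ""; mask = ""; fsu = ""; own = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "profile") prof = v
            else if (kv[1] == "name") path = v
            else if (kv[1] == "requested_mask") mask = v
            else if (kv[1] == "fsuid") fsu = v
            else if (kv[1] == "ouid") own = v
        }
        # Only path-based records (name=...) become file rules.
        if (prof == want && path != "" && mask != "") {
            # Same translation aa-logprof applied above: fsuid == ouid -> "owner"
            qual = (fsu != "" && fsu == own) ? "owner " : ""
            print "  " qual path " " mask ","
        }
    }'
}

# Stand-alone run: show the rules proposed for the smbd profile.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_to_rules smbd
```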