[Manjaro] Apparmor Kernel patches create issues with smbd

Chrissy · July 23, 2019, 10:04am

Have you got more informations about this issue?

kereldude · January 3, 2020, 5:13pm

I had the same issue smbd not starting up in enforce mode
I altered openminded solution somewhat to following line

/{,var/}run/systemd/notify w,

I found this solution seems to be used in other apparmor profiles too with similar problems.
Dunno if this is better or worse though, noob here.

jdstrand · January 9, 2020, 9:43pm

openminded:

I had to enable audit and follow its recommendations to make smbd work in enforce mode. Here is a sequence of commands:

Summary

┬─[openm@reiwa:~/Applications]─[15:48:21]
╰─>$ sudo aa-complain /etc/apparmor.d/usr.sbin.smbd
Setting /etc/apparmor.d/usr.sbin.smbd to complain mode.
┬─[openm@reiwa:~/Applications]─[15:48:28]
╰─>$ systemctl restart smb
┬─[openm@reiwa:~/Applications]─[15:48:36]
╰─>$ sudo aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:  smbd
Path:     /run/systemd/notify
New Mode: owner w
Severity: unknown

 [1 - owner /run/systemd/notify w,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding owner /run/systemd/notify w, to profile.
Enforce-mode changes:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - smbd]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - smbd]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for smbd.
┬─[openm@reiwa:~/Applications]─[15:51:07]
╰─>$ sudo aa-enforce /etc/apparmor.d/usr.sbin.smbd
Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
┬─[openm@reiwa:~/Applications]─[15:51:20]
╰─>$ systemctl restart smb
┬─[openm@reiwa:~/Applications]─[16:05:41]
╰─>$ sudo aa-status
[sudo] password for openm: 
apparmor module is loaded.
63 profiles are loaded.
63 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   /var/lib/snapd/snap/core/7270/usr/lib/snapd/snap-confine
   /var/lib/snapd/snap/core/7270/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   snap-update-ns.core
   snap-update-ns.hello-world
   snap-update-ns.minter-console-web
   snap-update-ns.wps-office
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   snap.minter-console-web.minter-console-web
   snap.wps-office.et
   snap.wps-office.wpp
   snap.wps-office.wps
   syslog-ng
   syslogd
   traceroute
   winbindd
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
   /usr/bin/avahi-daemon (1522) avahi-daemon
   /usr/bin/avahi-daemon (1549) avahi-daemon
   /usr/bin/nmbd (1754) nmbd
   /usr/bin/ntpd (1747) ntpd
   /usr/bin/smbd (22717) smbd
   /usr/bin/smbd (22720) smbd
   /usr/bin/smbd (22721) smbd
   /usr/bin/smbd (22722) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
┬─[openm@reiwa:~/Applications]─[15:51:25]
╰─>$ systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-06-29 15:51:25 +10; 13min ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 22717 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 4 (limit: 4915)
   Memory: 9.8M
   CGroup: /system.slice/smb.service
           ├─22717 /usr/bin/smbd --foreground --no-process-group
           ├─22720 /usr/bin/smbd --foreground --no-process-group
           ├─22721 /usr/bin/smbd --foreground --no-process-group
           └─22722 /usr/bin/smbd --foreground --no-process-group

What has changed in usr.sbin.smbd is one new line owner /run/systemd/notify w, :

  @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/core_pattern r,
  owner /run/systemd/notify w,

}

Thanks for providing this information!

I suggest someone file a bug with the Manjaro distribution since it sounds like this is a bug in their distribution of the usr.sbin.smbd apparmor profile, which is unrelated to snapd. This will allow Manjaro to fix the bug for all of its users.