[13:59] <ahasenack> hi #security, I have an apparmor question. The path for a profile is incorrect: https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/samba-bgqd?h=ubuntu/jammy-devel
[14:00] <ahasenack> the samba-bgqd binary is in /usr/lib/*/samba, not /usr/lib*/samba
[14:00] <ahasenack> we are working on an sru for this (to fix the actual binary placement, not the profile)
[14:00] <ahasenack> but I'm wondering about workarounds users could apply
[14:01] <ahasenack> and the question is, is there a way via the "include if exists" line to override this path?
[14:01] <ahasenack> I guess in this case no, because the path is in the profile definition as well?
[14:01] <ahasenack> via the include, I could add another line to allow "m" on the correct path, like "/usr/lib/*/samba/samba-bgqd m,", (see line 16)
[14:02] <ahasenack> but what about the (incorrect) path in line 5?
[14:03] <ahasenack> note that this profile is also used in a transition, in which case I think the path in that line 5 won't matter, because the transition uses the profile name. That transition is in line 40 here: https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/usr.sbin.smbd?h=ubuntu/jammy-devel#n40
[14:04] <ahasenack> so the path in the profile name in the former file would just be used if that binary was run on its own, from elsewhere
[14:04] <ahasenack> which is a case I would still like to keep
[14:05] <ahasenack> also, kind of related question (sorry!), is there a better globbing for the arch name other than just /usr/lib/*/ ?
[14:05] <ahasenack> which would match x86_64-linux-gnu, and all the other arch names
[14:10] <rbasak> ahasenack: I think you can use ${DEB_HOST_MULTIARCH} eg. https://salsa.debian.org/pkg-netfilter-team/pkg-libmnl/-/blob/master/debian/libmnl-dev.install
[14:10] <rbasak> That presumably needs a new enough debhelper
[14:11] <rbasak> Oh, but I'm talking about packaging and you're talking about apparmor.
[14:11] <rbasak> Sorry!
[14:11] <ahasenack> yeah
[14:12] <ahasenack> and apparmor can only do simple globbing afaik, there are some hilariously weird globbing rules
[14:12] <ahasenack> but I do see this, for example:
[14:12] <ahasenack> ./usr.lib.snapd.snap-confine.real:    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
[14:12] <ahasenack> that @{multiarch} name
[14:15] <ahasenack> @{multiarch}=*-linux-gnu*
[14:18] <georgiag> ahasenack: yes, there's @{multiarch}, so right now you would need to do something like what snapd is doing. there's an old open MR for introducing @{lib}, though so I'll try to see what we can do to unblock that
[14:18] <ahasenack> georgiag: why the x32 and x64 options, for other linux distros?
[14:20] <georgiag> ahasenack: I'm not sure but it would make sense
[14:25] <ahasenack> that @{multiarch} macro might not match on armhf
[14:25] <ahasenack> just checked a jammy armhf host, and it only has /usr/lib/arm-linux-gnueabihf
[14:36] <ahasenack> oh, I missed the last *, multiarch would work on armhf too: @{multiarch}=*-linux-gnu*
[16:55] <jjohansen> ahasenack: so, /usr/lib*/samba/samba-bgqd m, is only mmapping, a workaround for the user would be just to ignore it, it adds extra permissions to that location, but doesn't stop you from adding a rule through include if exists
[16:55] <jjohansen> if you want to remove it via the include if exists, you can drop a
[16:55] <jjohansen>   deny /usr/lib*/samba/samba-bgqd m,
[16:55] <jjohansen> deny rules have higher priority
[16:56] <jjohansen> it will effectively remove the rule in the main profile when compiled
[16:56] <jjohansen> and of course you would drop the correct rule into the include if exists as well
[16:57] <jjohansen> the line 5 profile definition can't be fixed by an include
[16:58] <jjohansen> so no simple drop-in without editing the base profile file :(
[17:42] <ahasenack> ok, thanks