=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: leosilva
[13:59] hi #security, I have an apparmor question. The path for a profile is incorrect: https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/samba-bgqd?h=ubuntu/jammy-devel
[14:00] the samba-bgqd binary is in /usr/lib/*/samba, not /usr/lib*/samba
[14:00] we are working on an sru for this (to fix the actual binary placement, not the profile)
[14:00] but I'm wondering about workarounds users could apply
[14:01] and the question is, is there a way via the "include if exists" line to override this path?
[14:01] I guess in this case no, because the path is in the profile definition as well?
[14:01] via the include, I could add another line to allow "m" on the correct path, like "/usr/lib/*/samba/samba-bgqd m,", (see line 16)
[14:02] but what about the (incorrect) path in line 5?
[14:03] note that this profile is also used in a transition, in which case I think the path in that line 5 won't matter, because the transition uses the profile name. That transition is in line 40 here: https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/usr.sbin.smbd?h=ubuntu/jammy-devel#n40
[14:04] so the path in the profile name in the former file would just be used if that binary was run on its own, from elsewhere
[14:04] which is a case I would still like to keep
[14:05] also, kind of related question (sorry!), is there a better globbing for the arch name other than just /usr/lib/*/ ?
[14:05] which would match x86_64-linux-gnu, and all the other arch names
[14:10] ahasenack: I think you can use ${DEB_HOST_MULTIARCH} eg. https://salsa.debian.org/pkg-netfilter-team/pkg-libmnl/-/blob/master/debian/libmnl-dev.install
[14:10] That presumably needs a new enough debhelper
[14:11] Oh, but I'm talking about packaging and you're talking about apparmor.
[14:11] Sorry!
[14:11] yeah
[14:12] and apparmor can only do simple globbing afaik, there are some hilariously weird globbing rules
[14:12] but I do see this, for example:
[14:12] ./usr.lib.snapd.snap-confine.real: deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
[14:12] that @{multiarch} name
[14:15] @{multiarch}=*-linux-gnu*
[14:18] ahasenack: yes, there's @{multiarch}, so right now you would need to do something like what snapd is doing. there's an old open MR for introducing @{lib}, though, so I'll try to see what we can do to unblock that
[14:18] georgiag: why the x32 and x64 options, for other linux distros?
[14:20] ahasenack: I'm not sure but it would make sense
[14:25] that @{multiarch} macro might not match on armhf
[14:25] just checked a jammy armhf host, and it only has /usr/lib/arm-linux-gnueabihf
[14:36] oh, I missed the last *, multiarch would work on armhf too: @{multiarch}=*-linux-gnu*
[16:55] ahasenack: so, /usr/lib*/samba/samba-bgqd m, is only mmapping, a workaround for the user would be just to ignore it, it adds extra permissions to that location, but doesn't stop you from adding a rule through include if exists
[16:55] if you want to remove it via the include if exists, you can drop a
[16:55] deny /usr/lib*/samba/samba-bgqd m,
[16:55] deny rules have higher priority
[16:56] it will effectively room the rule in the main profile when compiled
[16:56] and of course you would drop the correct rule into the include if exists as well
[16:57] the line 5 profile definition can't be fixed by an include
[16:58] so no simple drop in with editing the base profile file :(
[17:42] ok, thanks