debian/changelog

+samba (2:4.9.4+dfsg-4) UNRELEASED; urgency=medium
+
+  * samba-libs: Add Breaks+Replaces: libndr-standard0 (<< 4) (Closes: #910242)
+  * Improve AppArmor integration (Closes: #896080)
+    - Install update-apparmor-samba-profile from Christian Boltz (SUSE)
+    - smbd.init: Run update-apparmor-samba-profile before start
+    - smbd.service: Run update-apparmor-samba-profile before start
+
+ -- Mathieu Parent <sathieu@debian.org>  Thu, 21 Feb 2019 21:13:26 +0100
+
 samba (2:4.9.4+dfsg-3) unstable; urgency=medium
 
   [ Ivo De Decker ]

debian/patches/series

@@ -9,3 +9,4 @@ heimdal-rfc3454.txt
 nsswitch-Add-try_authtok-option-to-pam_winbind.patch
 s3-auth-ignore-create_builtin_guests-failing-without.patch
 python-gpg.patch
+smbd.service-Run-update-apparmor-samba-profile-befor.patch

debian/patches/smbd.service-Run-update-apparmor-samba-profile-befor.patch

+From 0ecd28ff3fd7f3d5c20705a2b8233fc8648cbf9c Mon Sep 17 00:00:00 2001
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Thu, 21 Feb 2019 21:04:30 +0100
+Subject: [PATCH] smbd.service: Run update-apparmor-samba-profile before start
+
+Bug-Debian: https://bugs.debian.org/896080
+---
+ packaging/systemd/smb.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/packaging/systemd/smb.service.in b/packaging/systemd/smb.service.in
+index 18912ef0e98..6bb24861682 100644
+--- a/packaging/systemd/smb.service.in
++++ b/packaging/systemd/smb.service.in
+@@ -10,6 +10,7 @@ NotifyAccess=all
+ PIDFile=@PIDDIR@/smbd.pid
+ LimitNOFILE=16384
+ EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba
++ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
+ ExecStart=@SBINDIR@/smbd --foreground --no-process-group $SMBDOPTIONS
+ ExecReload=/bin/kill -HUP $MAINPID
+ LimitCORE=infinity
+-- 
+2.20.1
+

debian/rules

@@ -124,6 +124,7 @@ override_dh_auto_install:
 	# Debian goodies
 	cp debian/smb.conf* $(DESTDIR)/usr/share/samba/
 	install -m755 debian/panic-action $(DESTDIR)/usr/share/samba/panic-action
+	install -m755 debian/update-apparmor-samba-profile $(DESTDIR)/usr/share/samba/update-apparmor-samba-profile
 	cp debian/gdbcommands $(DESTDIR)/etc/samba/
 	mkdir -p $(DESTDIR)/etc/dhcp/dhclient-enter-hooks.d
 	install -m755 debian/samba-common.dhcp $(DESTDIR)/etc/dhcp/dhclient-enter-hooks.d/samba

debian/samba.install

@@ -42,3 +42,4 @@ usr/share/man/man8/samba-gpupdate.8
 usr/share/man/man8/samba.8
 usr/share/man/man8/smbd.8
 usr/share/samba/setup
+usr/share/samba/update-apparmor-samba-profile

debian/samba.smbd.init

@@ -31,6 +31,11 @@ case $1 in
 		    exit 0
 		fi
 
+		# Update /etc/apparmor.d/local/usr.sbin.smbd-shares
+		if [ -x /usr/share/samba/update-apparmor-samba-profile ]; then
+			/usr/share/samba/update-apparmor-samba-profile || exit $?
+		fi
+
 		log_daemon_msg "Starting SMB/CIFS daemon" smbd
 		# Make sure we have our PIDDIR, even if it's on a tmpfs
 		install -o root -g root -m 755 -d $PIDDIR

debian/update-apparmor-samba-profile

+#!/bin/bash
+
+# update apparmor profile sniplet based on samba configuration
+#
+# This script creates and updates a profile sniplet with permissions for all
+# samba shares, except
+# - paths with variables (anything containing a % sign)
+# - "/" - if someone is insane enough to share his complete filesystem, he'll have
+#   to modify the apparmor profile himself
+
+# (c) Christian Boltz 2011-2016
+# This script is licensed under the GPL v2 or, at your choice, any later version.
+
+
+# exit silently - used if no profile update is needed
+silentexit() {
+	# echo "$@"
+	exit 0
+}
+
+# exit with an error message
+verboseexit() {
+	echo "$@" >&2
+	exit 1
+}
+
+# if you change this script, _always_ update the version to force an update of the profile sniplet
+versionstring="${0##*/} 1.1"
+
+aastatus="/usr/sbin/aa-status"
+aaparser="/sbin/apparmor_parser"
+loadedprofiles="/sys/kernel/security/apparmor/profiles"
+
+smbconf="/etc/samba/smb.conf"
+smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
+profilesniplet="/etc/apparmor.d/local/usr.sbin.smbd-shares"
+tmp_profilesniplet="/etc/apparmor.d/local/usr.sbin.smbd-shares.new"
+
+# test -x "$aastatus" || silentexit "apparmor not installed"
+# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
+test -e "$loadedprofiles" || silentexit "apparmor not loaded"
+test -e "$profilesniplet" || silentexit "apparmor profile snippet not available"
+test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"
+
+widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
+test "$widelinks" == "Yes" && {
+	echo "[$(date '+%Y/%m/%d %T')] $(basename $0)"
+	echo '  WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
+} >> /var/log/samba/log.smbd
+
+grep -q "$versionstring" "$profilesniplet" && {
+	test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
+}
+
+{
+	echo "# autogenerated by $versionstring at samba start - do not edit!"
+	echo ""
+	testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$"\1/"   rk,\n"\1/**" rwkl,p'
+} > "$tmp_profilesniplet"
+
+diff "$profilesniplet" "$tmp_profilesniplet" >/dev/null && {
+	rm -f "$tmp_profilesniplet"
+	touch "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
+	silentexit "profile sniplet unchanged"
+}
+
+mv -f "$tmp_profilesniplet" "$profilesniplet"
+
+grep -q '^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"
+
+echo "Reloading updated AppArmor profile for Samba..."
+
+# reload profile
+"$aaparser" -r "$smbd_profile"
+

packaging/systemd/smb.service.in

@@ -10,6 +10,7 @@ NotifyAccess=all
 PIDFile=@PIDDIR@/smbd.pid
 LimitNOFILE=16384
 EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba
+ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
 ExecStart=@SBINDIR@/smbd --foreground --no-process-group $SMBDOPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 LimitCORE=infinity