Mathieu Parent · Mathieu Parent · Mathieu Parent · Mathieu Parent · acff585f · acff585f
--- a/debian/changelog
+++ b/debian/changelog
-samba (2:4.9.4+dfsg-4) UNRELEASED; urgency=medium
+samba (2:4.9.4+dfsg-4) unstable; urgency=medium

  * samba-libs: Add Breaks+Replaces: libndr-standard0 (<< 4) (Closes: #910242)
  * Improve AppArmor integration (Closes: #896080)
-    - Install update-apparmor-samba-profile from Christian Boltz (SUSE)
+    - Install update-apparmor-samba-profile 1.2 from Christian Boltz (openSUSE)
+    - Adapt update-apparmor-samba-profile: Rename apparmor profile snippet, and
+      test for it's directory
    - smbd.init: Run update-apparmor-samba-profile before start
    - smbd.service: Run update-apparmor-samba-profile before start
+    - Remove /etc/apparmor.d/samba/smbd-shares on purge

- -- Mathieu Parent <sathieu@debian.org>  Thu, 21 Feb 2019 21:13:26 +0100
+ -- Mathieu Parent <sathieu@debian.org>  Tue, 26 Feb 2019 22:18:19 +0100

 samba (2:4.9.4+dfsg-3) unstable; urgency=medium


--- a/debian/samba.dirs
+++ b/debian/samba.dirs
+etc/apparmor.d/samba
 usr/bin
 usr/sbin
 var/lib/samba/printers/COLOR

--- a/debian/samba.postrm
+++ b/debian/samba.postrm
@@ -13,6 +13,10 @@ if [ "$1" = purge ]; then
 		# Remove masking done by postinst (#832352)
 		rm /etc/systemd/system/samba-ad-dc.service
 	fi
+
+	if [ -f /etc/apparmor.d/samba/smbd-shares ]; then
+		rm /etc/apparmor.d/samba/smbd-shares
+	fi
 fi

 #DEBHELPER#
--- a/debian/update-apparmor-samba-profile
+++ b/debian/update-apparmor-samba-profile
@@ -8,7 +8,7 @@
 # - "/" - if someone is insane enough to share his complete filesystem, he'll have
 #   to modify the apparmor profile himself

-# (c) Christian Boltz 2011-2016
+# (c) Christian Boltz 2011-2019
 # This script is licensed under the GPL v2 or, at your choice, any later version.


@@ -25,7 +25,7 @@ verboseexit() {
 }

 # if you change this script, _always_ update the version to force an update of the profile sniplet
-versionstring="${0##*/} 1.1"
+versionstring="${0##*/} 1.2+deb"

 aastatus="/usr/sbin/aa-status"
 aaparser="/sbin/apparmor_parser"
@@ -33,13 +33,13 @@ loadedprofiles="/sys/kernel/security/apparmor/profiles"

 smbconf="/etc/samba/smb.conf"
 smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
-profilesniplet="/etc/apparmor.d/local/usr.sbin.smbd-shares"
-tmp_profilesniplet="/etc/apparmor.d/local/usr.sbin.smbd-shares.new"
+profilesniplet="/etc/apparmor.d/samba/smbd-shares"
+tmp_profilesniplet="/etc/apparmor.d/samba/smbd-shares.new"

 # test -x "$aastatus" || silentexit "apparmor not installed"
 # "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
 test -e "$loadedprofiles" || silentexit "apparmor not loaded"
-test -e "$profilesniplet" || silentexit "apparmor profile snippet not available"
+test -d "/etc/apparmor.d/samba" || silentexit "directory for samba profile snippet doesn't exist"
 test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"

 widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
@@ -66,7 +66,7 @@ diff "$profilesniplet" "$tmp_profilesniplet" >/dev/null && {

 mv -f "$tmp_profilesniplet" "$profilesniplet"

-grep -q '^/usr/sbin/smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"
+grep -q '^/usr/sbin/smbd (\|^smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"

 echo "Reloading updated AppArmor profile for Samba..."