Diffstat (limited to 'debian/update-apparmor-samba-profile')
-rw-r--r--debian/update-apparmor-samba-profile75
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/update-apparmor-samba-profile b/debian/update-apparmor-samba-profile
new file mode 100644
index 0000000..5ad9194
--- /dev/null
+++ b/debian/update-apparmor-samba-profile
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# update apparmor profile sniplet based on samba configuration
+#
+# This script creates and updates a profile sniplet with permissions for all
+# samba shares, except
+# - paths with variables (anything containing a % sign)
+# - "/" - if someone is insane enough to share his complete filesystem, he'll have
+# to modify the apparmor profile himself
+
+# (c) Christian Boltz 2011-2019
+# This script is licensed under the GPL v2 or, at your choice, any later version.
+
+
+# exit silently - used if no profile update is needed
+silentexit() {
+ # echo "$@"
+ exit 0
+}
+
+# exit with an error message
+verboseexit() {
+ echo "$@" >&2
+ exit 1
+}
+
+# if you change this script, _always_ update the version to force an update of the profile sniplet
+versionstring="${0##*/} 1.2+deb"
+
+aastatus="/usr/sbin/aa-status"
+aaparser="/sbin/apparmor_parser"
+loadedprofiles="/sys/kernel/security/apparmor/profiles"
+
+smbconf="/etc/samba/smb.conf"
+smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
+profilesniplet="/etc/apparmor.d/samba/smbd-shares"
+tmp_profilesniplet="/etc/apparmor.d/samba/smbd-shares.new"
+
+# test -x "$aastatus" || silentexit "apparmor not installed"
+# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
+test -e "$loadedprofiles" || silentexit "apparmor not loaded"
+test -d "/etc/apparmor.d/samba" || silentexit "directory for samba profile snippet doesn't exist"
+test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"
+
+widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
+test "$widelinks" == "Yes" && {
+ echo "[$(date '+%Y/%m/%d %T')] $(basename $0)"
+ echo ' WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
+} >> /var/log/samba/log.smbd
+
+grep -q "$versionstring" "$profilesniplet" && {
+ test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
+}
+
+{
+ echo "# autogenerated by $versionstring at samba start - do not edit!"
+ echo ""
+ testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$§"\1/" rk,\n"\1/**" rwkl,§p'
+} > "$tmp_profilesniplet"
+
+diff "$profilesniplet" "$tmp_profilesniplet" >/dev/null && {
+ rm -f "$tmp_profilesniplet"
+ touch "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
+ silentexit "profile sniplet unchanged"
+}
+
+mv -f "$tmp_profilesniplet" "$profilesniplet"
+
+grep -q '^/usr/sbin/smbd (\|^smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"
+
+echo "Reloading updated AppArmor profile for Samba..."
+
+# reload profile
+"$aaparser" -r "$smbd_profile"
+
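Review bot: The exit status of `"$aaparser" -r "$smbd_profile"` on the last line is never checked, and because the new sniplet has already been moved into place by `mv -f` a few lines earlier, a parse failure leaves the old policy loaded while every later run finds the sniplet unchanged, touches it and exits silently, so the stale profile is never reloaded until smb.conf changes again. I would fail loudly instead: `"$aaparser" -r "$smbd_profile" || verboseexit "apparmor_parser failed to reload $smbd_profile - check $profilesniplet"`. Related, the sed expression copies each share path into the rule unescaped, so a path containing an AppArmor glob metacharacter (`*`, `?`, `[`, `{`) would be interpreted as a pattern and grant broader access than the share, and a double quote would break the rule syntax; adding those characters to the excluded class in the sed address (e.g. `[^% \t"*?\[{]`) and mentioning them in the header comment alongside the `%` exclusion would keep such shares out of the autogenerated sniplet. Note also that every path gets `rwkl` on its contents regardless of whether the share is read-only, which is presumably deliberate for simplicity but worth stating in the header comment so administrators do not assume the profile mirrors share permissions.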