Diffstat (limited to 'debian/update-apparmor-samba-profile')
-rw-r--r-- | debian/update-apparmor-samba-profile | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/update-apparmor-samba-profile b/debian/update-apparmor-samba-profile
new file mode 100644
index 0000000..5ad9194
--- /dev/null
+++ b/debian/update-apparmor-samba-profile
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# update apparmor profile sniplet based on samba configuration
+#
+# This script creates and updates a profile sniplet with permissions for all
+# samba shares, except
+# - paths with variables (anything containing a % sign)
+# - "/" - if someone is insane enough to share his complete filesystem, he'll have
+# to modify the apparmor profile himself
+
+# (c) Christian Boltz 2011-2019
+# This script is licensed under the GPL v2 or, at your choice, any later version.
+
+
+# exit silently - used if no profile update is needed
+silentexit() {
+ # echo "$@"
+ exit 0
+}
+
+# exit with an error message
+verboseexit() {
+ echo "$@" >&2
+ exit 1
+}
+
+# if you change this script, _always_ update the version to force an update of the profile sniplet
+versionstring="${0##*/} 1.2+deb"
+
+aastatus="/usr/sbin/aa-status"
+aaparser="/sbin/apparmor_parser"
+loadedprofiles="/sys/kernel/security/apparmor/profiles"
+
+smbconf="/etc/samba/smb.conf"
+smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
+profilesniplet="/etc/apparmor.d/samba/smbd-shares"
+tmp_profilesniplet="/etc/apparmor.d/samba/smbd-shares.new"
+
+# test -x "$aastatus" || silentexit "apparmor not installed"
+# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
+test -e "$loadedprofiles" || silentexit "apparmor not loaded"
+test -d "/etc/apparmor.d/samba" || silentexit "directory for samba profile snippet doesn't exist"
+test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"
+
+widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
+test "$widelinks" == "Yes" && {
+ echo "[$(date '+%Y/%m/%d %T')] $(basename $0)"
+ echo ' WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
+} >> /var/log/samba/log.smbd
+
+grep -q "$versionstring" "$profilesniplet" && {
+ test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
+}
+
+{
+ echo "# autogenerated by $versionstring at samba start - do not edit!"
+ echo ""
+ testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$§"\1/" rk,\n"\1/**" rwkl,§p'
+} > "$tmp_profilesniplet"
+
+diff "$profilesniplet" "$tmp_profilesniplet" >/dev/null && {
+ rm -f "$tmp_profilesniplet"
+ touch "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
+ silentexit "profile sniplet unchanged"
+}
+
+mv -f "$tmp_profilesniplet" "$profilesniplet"
+
+grep -q '^/usr/sbin/smbd (\|^smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"
+
+echo "Reloading updated AppArmor profile for Samba..."
+
+# reload profile
+"$aaparser" -r "$smbd_profile"
+
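Review bot: The exit status of the final `"$aaparser" -r "$smbd_profile"` is never checked, and because the new snippet has already been moved into place, a failed reload is not retried on the next run either: the `diff` check then finds the snippet unchanged, refreshes its timestamp and exits silently, so the policy loaded in the kernel stays out of sync with the rules on disk until smb.conf is edited again. At minimum report the failure, e.g. `"$aaparser" -r "$smbd_profile" || verboseexit "reloading $smbd_profile failed - loaded policy does not match $profilesniplet"`, so the init script and the admin see it. Related, the sed expression only excludes `%` from share paths; a path containing `"` or AppArmor glob characters (`*`, `?`, `[`, `{`) is written into the snippet unescaped, which either makes the parser reject the whole profile (silently, per the point above) or grants a glob wider than the single share directory, so those characters should be excluded in the sed address the same way `%` is. Minor: `$(basename $0)` in the wide-links log line should be `$(basename "$0")`.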