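#!/bin/bash
# update apparmor profile sniplet based on samba configuration
#
# This script creates and updates a profile sniplet with permissions for all
# samba shares, except
# - paths with variables (anything containing a % sign)
# - "/" - if someone is insane enough to share his complete filesystem, he'll have
#   to modify the apparmor profile himself
#
# For every remaining share path the sniplet gets two rules:
#   "<path>/" rk,       (the share directory itself)
#   "<path>/**" rwkl,   (everything beneath it)
# The path is copied from smb.conf as-is (no escaping), so a share path that
# contains characters with a meaning in AppArmor rule syntax (double quotes,
# globbing characters) may widen the rule or make the profile fail to parse.
# smb.conf is admin-controlled, but keep this in mind when a reload fails.
#
# (c) Christian Boltz 2011-2019
# This script is licensed under the GPL v2 or, at your choice, any later version.

# exit silently - used if no profile update is needed
silentexit() {
  # echo "$@"
  exit 0
}

# exit with an error message on stderr and status 1
verboseexit() {
  printf '%s\n' "$*" >&2
  exit 1
}

# if you change this script, _always_ update the version to force an update of the profile sniplet
versionstring="${0##*/} 1.2+deb"

aastatus="/usr/sbin/aa-status"
aaparser="/sbin/apparmor_parser"
loadedprofiles="/sys/kernel/security/apparmor/profiles"
smbconf="/etc/samba/smb.conf"
smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
profilesniplet="/etc/apparmor.d/samba/smbd-shares"
tmp_profilesniplet="/etc/apparmor.d/samba/smbd-shares.new"

# test -x "$aastatus" || silentexit "apparmor not installed"
# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
test -e "$loadedprofiles" || silentexit "apparmor not loaded"
test -d "/etc/apparmor.d/samba" || silentexit "directory for samba profile snippet doesn't exist"
test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"

# The generated rules only cover the share trees themselves; with "wide links"
# smbd may follow symlinks to paths outside them, so leave a hint in the samba
# log. The log write is best-effort and does not abort the script.
widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
if [ "$widelinks" = "Yes" ]; then
  {
    echo "[$(date '+%Y/%m/%d %T')] ${0##*/}"
    echo ' WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
  } >> /var/log/samba/log.smbd
fi

# Skip regeneration when the existing sniplet was written by this script
# version and smb.conf has not changed since. -F: the version string is a
# literal, not a regex (the "." in "1.2" must not match arbitrary characters).
# On the very first run the sniplet does not exist yet; fall through quietly.
if test -e "$profilesniplet" && grep -qF -- "$versionstring" "$profilesniplet"; then
  test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
fi

# Build the new sniplet. testparm prints the normalised configuration, so each
# share's "path = ..." line has a predictable shape; sed keeps only paths
# without '%' that start with at least two non-blank characters (drops "/")
# and rewrites each into the two rules described at the top.
# NOTE: if testparm fails here (stderr is discarded) the sniplet simply
# contains no share rules; smbd then loses access to all shares rather than
# keeping stale ones.
{
  echo "# autogenerated by $versionstring at samba start - do not edit!"
  echo ""
  testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$§"\1/" rk,\n"\1/**" rwkl,§p'
} > "$tmp_profilesniplet"

# Nothing to do if the content is unchanged (a missing old sniplet counts as
# changed and is installed below).
if test -e "$profilesniplet" && cmp -s "$profilesniplet" "$tmp_profilesniplet"; then
  rm -f "$tmp_profilesniplet"
  touch "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
  silentexit "profile sniplet unchanged"
fi
mv -f "$tmp_profilesniplet" "$profilesniplet"

# Only reload if the smbd profile is actually loaded (either path-based or
# named "smbd"); otherwise the new sniplet is picked up on the next load.
grep -q '^/usr/sbin/smbd (\|^smbd (' "$loadedprofiles" || silentexit "smbd profile not loaded"

echo "Reloading updated AppArmor profile for Samba..."
# reload profile - the exit status of apparmor_parser becomes the script's
# exit status, so a sniplet the parser rejects is reported to the caller
"$aaparser" -r "$smbd_profile"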