#!/bin/bash

# update apparmor profile sniplet based on samba configuration
#
# This script creates and updates a profile sniplet with permissions for all
# samba shares, except
# - paths with variables (anything containing a % sign)
# - "/" - if someone is insane enough to share his complete filesystem, he'll have
#   to modify the apparmor profile himself

# (c) Christian Boltz 2011-2019
# This script is licensed under the GPL v2 or, at your choice, any later version.


# Leave with status 0 and no output - used when no profile update is needed.
# The reason given in "$@" is kept only for debugging: uncomment the printf.
silentexit() {
	local reason="$*"
	# printf '%s\n' "$reason" >&2
	exit 0
}

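# Print the message given in "$@" on stderr and leave with status 1.
# printf instead of echo: a message starting with "-n"/"-e" would otherwise be
# swallowed as an echo option, and backslashes are passed through unchanged.
verboseexit() {
	printf '%s\n' "$*" >&2
	exit 1
}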

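# if you change this script, _always_ update the version to force an update of the profile sniplet
versionstring="${0##*/} 1.2+deb"

# shellcheck disable=SC2034  # only referenced by the commented-out checks below
aastatus="/usr/sbin/aa-status"
aaparser="/sbin/apparmor_parser"
loadedprofiles="/sys/kernel/security/apparmor/profiles"
sambalog="/var/log/samba/log.smbd"

smbconf="/etc/samba/smb.conf"
smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
profilesniplet="/etc/apparmor.d/samba/smbd-shares"
tmp_profilesniplet="/etc/apparmor.d/samba/smbd-shares.new"

# test -x "$aastatus" || silentexit "apparmor not installed"
# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
test -e "$loadedprofiles" || silentexit "apparmor not loaded"
test -d "${profilesniplet%/*}" || silentexit "directory for samba profile snippet doesn't exist"
test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"
# without testparm we could only write an empty sniplet - refuse instead
command -v testparm >/dev/null || verboseexit "testparm not found - cannot generate $profilesniplet"

# Warn the admin (in the smbd log) when "wide links" is enabled: the generated
# rules only cover the share paths themselves, so following symlinks out of a
# share may need additional manual rules in the smbd profile.
widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
if [[ "$widelinks" == "Yes" ]]; then
	{
		echo "[$(date '+%Y/%m/%d %T')] ${0##*/}"
		echo '  WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
	} >> "$sambalog"
fi

# Skip the regeneration if the existing sniplet was written by this script
# version and smb.conf has not changed since.
# -F: the version string contains "." and "+", which must not act as regex
# metacharacters; the existence test avoids a grep error on the first run.
if test -e "$profilesniplet" && grep -qF -- "$versionstring" "$profilesniplet"; then
	test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
fi

# Dump the effective configuration first and bail out if testparm fails:
# otherwise a broken smb.conf would silently produce an empty sniplet, and the
# profile reload below would strip every share path from the smbd profile.
smbconf_dump=$(testparm -s 2>/dev/null) || verboseexit "testparm failed - leaving $profilesniplet untouched"

# One rule pair per share:   "<path>/" rk,   and   "<path>/**" rwkl,
# The address regex requires at least two non-"%"/non-blank characters after
# "path =" (this drops "/"); the substitution only matches lines without "%"
# (samba variable substitutions), so those shares are not printed at all.
# NOTE: the path is inserted verbatim - AppArmor quoting and globbing
# characters ('"', "*", "?", "{", "[") in a share path are not escaped.
{
	echo "# autogenerated by $versionstring at samba start - do not edit!"
	echo ""
	sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s#^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$#"\1/"   rk,\n"\1/**" rwkl,#p' <<<"$smbconf_dump"
} > "$tmp_profilesniplet"

# nothing to do if the generated sniplet is identical to the installed one
if test -e "$profilesniplet" && cmp -s -- "$profilesniplet" "$tmp_profilesniplet"; then
	rm -f -- "$tmp_profilesniplet"
	touch -- "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
	silentexit "profile sniplet unchanged"
fi

mv -f -- "$tmp_profilesniplet" "$profilesniplet" || verboseexit "could not install $profilesniplet"

# only reload if the smbd profile is actually loaded (listed by path or by name)
grep -q '^/usr/sbin/smbd (\|^smbd (' "$loadedprofiles" || silentexit "smbd profile not loaded"

echo "Reloading updated AppArmor profile for Samba..."

# reload profile - the parser's exit status becomes the script's exit status
"$aaparser" -r "$smbd_profile"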