[apparmor] [patch] smbd profile needs capability sys_admin

Steve Beattie steve at nxnw.org
Wed Apr 13 18:50:04 UTC 2016


On Sun, Mar 20, 2016 at 07:20:11PM +0100, Christian Boltz wrote:
> Hello,
> 
> smbd stores ACLs in the security.NTACL namespace, which means it needs
> capability sys_admin.
> 
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=964971
>             http://samba-technical.samba.narkive.com/eHtOW8DE/nt-acls-using-the-security-namespace-for-ntacl-considered-improper
> 
> I propose this patch for trunk, 2.10 and 2.9.
> 
> 
> [ profiles-smbd-cap-sys_admin.diff ]
> 
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd   2015-02-28 20:35:18 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd   2016-02-11 17:51:14 +0000
> @@ -17,6 +17,7 @@
>    capability net_bind_service,
>    capability setgid,
>    capability setuid,
> +  capability sys_admin,  # needed to store ACLS in the security.NTACL namespace
>    capability sys_resource,
>    capability sys_tty_config,
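
Review bot: The added `capability sys_admin,` line grants the profile far more than the xattr write its comment describes, since sys_admin is a catch-all capability and the rule is unconditional for every smbd configuration. The inline comment should say that the grant is only needed when NT ACLs are stored in the security.NTACL xattr, and should cite the openSUSE bug from the cover text, so that admins who do not use that storage know they can drop the rule locally. Minor style point: "ACLS" in the comment should read "ACLs".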

I see Seth has merged the branch from Simon that includes this to
trunk, so it may as well go to 2.10 and 2.9 as well:

Acked-by: Steve Beattie <steve at nxnw.org> for those branches.


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/