Samba AppArmor Profile
Ubuntu comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba may need to be adapted to your configuration. More details on using AppArmor can be found here.
There are default AppArmor profiles for
/usr/sbin/nmbd, the Samba daemon binaries, as part of the
apparmor-profiles package. To install the package, from a terminal prompt enter:
$ sudo apt install apparmor-profiles apparmor-utils
This package contains profiles for several other binaries.
By default the profiles for smbd and nmbd are in complain mode allowing Samba to work without modifying the profile, and only logging errors. There is no need to add exceptions for the shares, as the
smbd service unit takes care of doing that automatically via a helper script.
This is what an
ALLOWED message looks like. It means that, were the profile not in
complain mode, this action would have been denied instead (formatted into multiple lines here for better visibility):
Jun 30 14:41:09 ubuntu kernel: [ 621.478989] audit: type=1400 audit(1656600069.123:418): apparmor="ALLOWED" operation="exec" profile="smbd" name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=4122 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd"
To place the profile into enforce mode and reload it, run:
$ sudo aa-enforce /usr/sbin/smbd $ sudo apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.smbd
It’s advisable to monitor
audit entries that contain apparmor
DENIED messages, or
/var/log/audit/audit.log if you are running the
auditd daemon. Actions blocked by apparmor may surface as odd or unrelated errors in the application.