
Bug#1019270: cups-browsed: Query to /proc/sys/net/ipv6/conf/all/disable_ipv6 blocked by AppArmor, spamming syslog



X-Debbugs-CC: alteholz@debian.org till.kamppeter@gmail.com

Hi,

Any update on this patch? If allowed, I can offer a deferred NMU with this
targeted bugfix.

Thanks,
Boyuan Yang



On Sun, 30 Oct 2022 00:56:47 -0400 Boyuan Yang <byang@debian.org> wrote:
> Control: tags -1 +patch
> X-Debbugs-CC: alteholz@debian.org till.kamppeter@gmail.com
> 
> Dear Debian cups-filters maintainers,
> 
> On Tue, 06 Sep 2022 13:08:34 -0400 Boyuan Yang <byang@debian.org> wrote:
> > Package: cups-browsed
> > Version: 1.28.16-1
> > Severity: normal
> > 
> > Dear Debian cups-filters packagers,
> > 
> > On my current Debian/Sid system (as of Sep 2022), the syslog keeps printing
> > the following messages:
> > 
> > kernel: audit: type=1400 audit(1662483939.030:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > 
> > kernel: audit: type=1400 audit(1662483939.030:194): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > 
> > audit[3336]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > 
> > audit[3336]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > 
> > 
> > 
> > These logs keep spamming my syslog. Please consider looking into it and
> > adjusting the AppArmor profile or cups-browsed program accordingly.
> 
> Since cups-browsed only needs to read
> /proc/sys/net/ipv6/conf/all/disable_ipv6 to determine whether ipv6 is
> disabled, I believe this request should be allowed by AppArmor.
> 
> As a result, I am attaching the following one-liner patch (see attachment).
> Please consider applying it to avoid spamming syslog journal.
> 
> 
> 
> --- a/debian/apparmor/usr.sbin.cups-browsed
> +++ b/debian/apparmor/usr.sbin.cups-browsed
> @@ -17,6 +17,9 @@
>    /var/log/cups/* rw,
>    /tmp/** rw,
>  
> +  # Allow reading system ipv6 status
> +  /proc/sys/net/ipv6/conf/all/disable_ipv6 r,
> +
>    # Courtesy to the Debian Edu team...
>    /etc/cups/cups-browsed-debian-edu.conf r,
> 
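Review bot: the added rule line `/proc/sys/net/ipv6/conf/all/disable_ipv6 r,` hard-codes the `/proc` mount point; if this profile includes `tunables/global` (not visible in this hunk), writing it as `@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,` would follow the usual AppArmor convention. The rule itself is well scoped: one exact path, read-only, matching the `requested_mask="r"` in the reported denials, so no glob is needed. The comment above it could also name the bug it addresses (#1019270) so the reason for the exception stays traceable in the profile.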

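An added example, not part of the original message or of the cups-filters package: one way to collapse repeated AppArmor denials like those quoted above into unique (profile, path, mask) entries with counts, and to draft a narrowly scoped rule for a human to review. The sample log is constructed from the excerpts in the report, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input modelled on the denials quoted in the report,
# plus one unrelated line (constructed) to show that non-denials are skipped.
_DENIAL = ('apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" '
           'name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 '
           'comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
SAMPLE_LOG = "\n".join([
    "kernel: audit: type=1400 audit(1662483939.030:193): " + _DENIAL,
    "kernel: audit: type=1400 audit(1662483939.030:194): " + _DENIAL,
    "audit[3336]: AVC " + _DENIAL,
    "audit[3336]: AVC " + _DENIAL,
    "systemd[1]: Started cups-browsed.service.",
])

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED file record, else None."""
    fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def summarize(log_text):
    """Count denial log lines per (profile, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f:
            counts[(f.get("profile", "?"), f["name"], f.get("denied_mask", ""))] += 1
    return counts

def candidate_rules(counts):
    """Draft one exact-path rule per denial; only plain r/w masks become rules,
    anything else is left as a comment for manual review."""
    rules = {}
    for (profile, path, mask), n in counts.items():
        if mask and set(mask) <= set("rw"):
            line = f"  {path} {mask},  # seen {n}x"
        else:
            line = f"  # review manually: {path} mask={mask!r} ({n}x)"
        rules.setdefault(profile, []).append(line)
    return rules

if __name__ == "__main__":
    for profile, lines in candidate_rules(summarize(SAMPLE_LOG)).items():
        print(f"profile {profile}:")
        print("\n".join(lines))
```

The counts are per log line, so an event recorded by both the kernel log and the audit log is counted twice.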

