Bug#728709: cups-browsed: please include AppArmor profile
Package: cups-browsed
Version: 1.0.34-3
Severity: wishlist
Tags: patch
User: apparmor@packages.debian.org
Usertags: new-profile
Hi,
Please include an AppArmor profile for cups-browsed.
Since it's a network daemon that runs as root, it seems like a
good candidate for confining:
https://wiki.debian.org/AppArmor
I have tested it on a Debian unstable system without running into
a single issue.
Attached is a patch that adds this AppArmor support to cups-browsed.
Please consider applying it.
Note that enforcing AppArmor profiles is currently opt-in: applying
the attached does not change anything for users unless they enable
AppArmor system-wide themselves.
Thanks,
Felix
diff -Nru cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed
--- cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed 2013-11-04 14:55:02.000000000 +0100
@@ -0,0 +1,12 @@
+#include <tunables/global>
+
+/usr/sbin/cups-browsed {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/cups-client>
+
+ /etc/cups/cups-browsed.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.cups-browsed>
+}
diff -Nru cups-filters-1.0.34/debian/control cups-filters-1.0.34/debian/control
--- cups-filters-1.0.34/debian/control 2013-06-09 12:17:29.000000000 +0200
+++ cups-filters-1.0.34/debian/control 2013-11-04 14:38:41.000000000 +0100
@@ -13,6 +13,7 @@
cdbs (>= 0.4.93~),
debhelper (>= 9~),
dpkg-dev (>= 1.16.1~),
+ dh-apparmor,
pkg-config,
sharutils,
ghostscript (>= 9.02~),
diff -Nru cups-filters-1.0.34/debian/cups-browsed.install cups-filters-1.0.34/debian/cups-browsed.install
--- cups-filters-1.0.34/debian/cups-browsed.install 2013-06-04 14:56:47.000000000 +0200
+++ cups-filters-1.0.34/debian/cups-browsed.install 2013-11-04 14:47:20.000000000 +0100
@@ -1,2 +1,3 @@
usr/sbin/cups-browsed
etc/cups/cups-browsed.conf
+../apparmor/usr.sbin.cups-browsed etc/apparmor.d/
diff -Nru cups-filters-1.0.34/debian/rules cups-filters-1.0.34/debian/rules
--- cups-filters-1.0.34/debian/rules 2013-06-04 14:56:47.000000000 +0200
+++ cups-filters-1.0.34/debian/rules 2013-11-04 14:36:34.000000000 +0100
@@ -60,3 +60,6 @@
# Make the serial backend run as root, since /dev/ttyS* are
# root:dialout and thus not accessible as user lp
chmod 700 debian/$(cdbs_curpkg)/usr/lib/cups/backend/serial
+
+binary-post-install/cups-browsed::
+ dh_apparmor -pcups-browsed --profile-name=usr.sbin.cups-browsed
Reply to: