
Bug#728709: cups-browsed: please include AppArmor profile



Package: cups-browsed
Version: 1.0.34-3
Severity: wishlist
Tags: patch
User: apparmor@packages.debian.org
Usertags: new-profile

Hi,

Please include an AppArmor profile for cups-browsed.

Since it's a network daemon that runs as root, it seems like a
good candidate for confining:
https://wiki.debian.org/AppArmor

I have tested it on a Debian unstable system without running into
a single issue.

Attached is a patch that adds this AppArmor support to cups-browsed.
Please consider applying it.

Note that enforcing AppArmor profiles is currently opt-in: applying
the attached does not change anything for users unless they enable
AppArmor system-wide themselves.

Thanks,
Felix
diff -Nru cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed
--- cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed	1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed	2013-11-04 14:55:02.000000000 +0100
@@ -0,0 +1,12 @@
+#include <tunables/global>
+
+/usr/sbin/cups-browsed {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/cups-client>
+
+  /etc/cups/cups-browsed.conf r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.cups-browsed>
+}
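Review bot: The profile body carries a single explicit rule, `/etc/cups/cups-browsed.conf r,`, and no capability, network or write rules of its own, so everything else the daemon needs must come from the three included abstractions. Because the report describes this as a network daemon running as root, please add a comment header to the profile stating which functions were exercised during testing and that no denials were logged, so a reader can tell that the absence of further rules is deliberate. A one-line comment next to `#include <local/usr.sbin.cups-browsed>` noting that the local file is expected to be provided by the dh_apparmor call in debian/rules would also help anyone who copies the profile by hand.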
diff -Nru cups-filters-1.0.34/debian/control cups-filters-1.0.34/debian/control
--- cups-filters-1.0.34/debian/control	2013-06-09 12:17:29.000000000 +0200
+++ cups-filters-1.0.34/debian/control	2013-11-04 14:38:41.000000000 +0100
@@ -13,6 +13,7 @@
  cdbs (>= 0.4.93~),
  debhelper (>= 9~),
  dpkg-dev (>= 1.16.1~),
+ dh-apparmor,
  pkg-config,
  sharutils,
  ghostscript (>= 9.02~),
diff -Nru cups-filters-1.0.34/debian/cups-browsed.install cups-filters-1.0.34/debian/cups-browsed.install
--- cups-filters-1.0.34/debian/cups-browsed.install	2013-06-04 14:56:47.000000000 +0200
+++ cups-filters-1.0.34/debian/cups-browsed.install	2013-11-04 14:47:20.000000000 +0100
@@ -1,2 +1,3 @@
 usr/sbin/cups-browsed
 etc/cups/cups-browsed.conf
+../apparmor/usr.sbin.cups-browsed etc/apparmor.d/
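Review bot: The source path on the added line, `../apparmor/usr.sbin.cups-browsed`, reaches debian/apparmor/ only when dh_install runs with a source directory located directly under debian/ (debian/tmp, for instance). That assumption is stated nowhere in the patch, and a later change to the install source directory would leave the path pointing at nothing. Please either document the assumption next to this entry or install the profile from debian/rules with an explicit debian/apparmor/ path.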
diff -Nru cups-filters-1.0.34/debian/rules cups-filters-1.0.34/debian/rules
--- cups-filters-1.0.34/debian/rules	2013-06-04 14:56:47.000000000 +0200
+++ cups-filters-1.0.34/debian/rules	2013-11-04 14:36:34.000000000 +0100
@@ -60,3 +60,6 @@
 	# Make the serial backend run as root, since /dev/ttyS* are
 	# root:dialout and thus not accessible as user lp
 	chmod 700 debian/$(cdbs_curpkg)/usr/lib/cups/backend/serial
+
+binary-post-install/cups-browsed::
+	dh_apparmor -pcups-browsed --profile-name=usr.sbin.cups-browsed
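Review bot: The new target hardcodes the package name in `-pcups-browsed`, while the context lines just above it use `$(cdbs_curpkg)` for the package directory; inside a `binary-post-install/cups-browsed::` rule, `-p$(cdbs_curpkg)` would match the file's existing style and avoid repeating the name. Separately, `--profile-name=usr.sbin.cups-browsed` has to stay identical to the file name installed into etc/apparmor.d/ by debian/cups-browsed.install, and a short comment saying so would keep the two from drifting apart.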
