--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: cups-browsed: please include AppArmor profile
- From: Felix Geyer <fgeyer@debian.org>
- Date: Mon, 04 Nov 2013 15:47:34 +0100
- Message-id: <be20d10665939417d4f801fb1009171a@fobos.de>
Package: cups-browsed
Version: 1.0.34-3
Severity: wishlist
Tags: patch
User: apparmor@packages.debian.org
Usertags: new-profile
Hi,
Please include an AppArmor profile for cups-browsed.
Since it's a network daemon that runs as root, it seems like a
good candidate for confining:
https://wiki.debian.org/AppArmor
I have tested it on a Debian unstable system without running into
a single issue.
Attached is a patch that adds this AppArmor support to cups-browsed.
Please consider applying it.
Note that enforcing AppArmor profiles is currently opt-in: applying
the attached does not change anything for users unless they enable
AppArmor system-wide themselves.
Thanks,
Felix
diff -Nru cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed
--- cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed 1970-01-01 01:00:00.000000000 +0100
+++ cups-filters-1.0.34/debian/apparmor/usr.sbin.cups-browsed 2013-11-04 14:55:02.000000000 +0100
@@ -0,0 +1,12 @@
+#include <tunables/global>
+
+/usr/sbin/cups-browsed {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/cups-client>
+
+ /etc/cups/cups-browsed.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.cups-browsed>
+}
diff -Nru cups-filters-1.0.34/debian/control cups-filters-1.0.34/debian/control
--- cups-filters-1.0.34/debian/control 2013-06-09 12:17:29.000000000 +0200
+++ cups-filters-1.0.34/debian/control 2013-11-04 14:38:41.000000000 +0100
@@ -13,6 +13,7 @@
cdbs (>= 0.4.93~),
debhelper (>= 9~),
dpkg-dev (>= 1.16.1~),
+ dh-apparmor,
pkg-config,
sharutils,
ghostscript (>= 9.02~),
diff -Nru cups-filters-1.0.34/debian/cups-browsed.install cups-filters-1.0.34/debian/cups-browsed.install
--- cups-filters-1.0.34/debian/cups-browsed.install 2013-06-04 14:56:47.000000000 +0200
+++ cups-filters-1.0.34/debian/cups-browsed.install 2013-11-04 14:47:20.000000000 +0100
@@ -1,2 +1,3 @@
usr/sbin/cups-browsed
etc/cups/cups-browsed.conf
+../apparmor/usr.sbin.cups-browsed etc/apparmor.d/
diff -Nru cups-filters-1.0.34/debian/rules cups-filters-1.0.34/debian/rules
--- cups-filters-1.0.34/debian/rules 2013-06-04 14:56:47.000000000 +0200
+++ cups-filters-1.0.34/debian/rules 2013-11-04 14:36:34.000000000 +0100
@@ -60,3 +60,6 @@
# Make the serial backend run as root, since /dev/ttyS* are
# root:dialout and thus not accessible as user lp
chmod 700 debian/$(cdbs_curpkg)/usr/lib/cups/backend/serial
+
+binary-post-install/cups-browsed::
+ dh_apparmor -pcups-browsed --profile-name=usr.sbin.cups-browsed
--- End Message ---
--- Begin Message ---
Source: cups-filters
Source-Version: 1.0.42-2
We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 728709@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups-filters package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 10 Dec 2013 15:01:49 +0100
Source: cups-filters
Binary: libcupsfilters1 libfontembed1 cups-filters libcupsfilters-dev libfontembed-dev cups-browsed
Architecture: source amd64
Version: 1.0.42-2
Distribution: unstable
Urgency: low
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
cups-browsed - OpenPrinting CUPS Filters - cups-browsed
cups-filters - OpenPrinting CUPS Filters
libcupsfilters-dev - OpenPrinting CUPS Filters - Development files for the library
libcupsfilters1 - OpenPrinting CUPS Filters - Shared library
libfontembed-dev - OpenPrinting CUPS Filters - Development files for font embed libr
libfontembed1 - OpenPrinting CUPS Filters - Font Embed Shared library
Closes: 718895 728709 731611 731658
Changes:
cups-filters (1.0.42-2) unstable; urgency=low
.
[ Didier Raboud ]
* Switch avahi LSB Required-{Start,Stop} dependencies to be
avahi-daemon; also bump package relationship to >= 0.6.31-3~
(Closes: #731611)
* Add Debian-specific more lightweight default testpage in svg;
convert it at build-time with rsvg-convert, hence add librsvg2-bin
in Build-Depends. Thanks to Stefan Nagy (Closes: #718895)
* Make all Ubuntu derivatives use Ubuntu material through dpkg-vendor
--derives-from instead of --is
* Backport upstream patch to fix kFreeBSD FTBFS due to conflicting
PATH_MAX defintions. Thanks to Peter Green (Closes: #731658)
.
[ Felix Geyer ]
* Include AppArmor profile (Closes: #728709)
Checksums-Sha1:
297fcd4c8a5f8d16e48db2c1efb1e253bcbe46e3 2612 cups-filters_1.0.42-2.dsc
f1ac496d30dacb12cf65ea12820a3dda73b8ca40 70010 cups-filters_1.0.42-2.debian.tar.gz
e215538ad05bd5d651d544f7210413865828ec3d 87104 libcupsfilters1_1.0.42-2_amd64.deb
4bc448ce607be9722191e34b5514495de82674a6 62156 libfontembed1_1.0.42-2_amd64.deb
718aacbfd73d8c1284cef4397faa91c4d10abd0e 333950 cups-filters_1.0.42-2_amd64.deb
911cd75cf73c80067913bd8dcc3d4f6b025ad5c4 93198 libcupsfilters-dev_1.0.42-2_amd64.deb
bc50955a1511083404d1466bcbdc2a1d7f1d7da9 65058 libfontembed-dev_1.0.42-2_amd64.deb
b26924879460f25857500cc934e1f05221927838 60680 cups-browsed_1.0.42-2_amd64.deb
Checksums-Sha256:
918c276047d349c01e0b2c69882a91fc7d643c41c610f869dae3b0fb38ab07fd 2612 cups-filters_1.0.42-2.dsc
4a46af034e00667344ddf844a11b76182d6f27f0c745207c0e0789eeaa1c9885 70010 cups-filters_1.0.42-2.debian.tar.gz
041c0d40245a666974e2ed9272ad18c89877df9ddc0901bc3e9643af1d3bf694 87104 libcupsfilters1_1.0.42-2_amd64.deb
8ded36f953e28e32ba84594b9c999b2599915ec10f92f0812c7d1053b49169ae 62156 libfontembed1_1.0.42-2_amd64.deb
358c8f883e7dfe89b00cd2cd3c84f021b0153e37830d1f9cb9db3ca9d2cd513a 333950 cups-filters_1.0.42-2_amd64.deb
349ad67cc5a5bc5e01075ccddf51d23f39cb90e736465ad4ef97249cc781ba0b 93198 libcupsfilters-dev_1.0.42-2_amd64.deb
09349dcba887cbd09b904a91fbd8695cf27ea657786a2feaa6473a49da98f27d 65058 libfontembed-dev_1.0.42-2_amd64.deb
818cd048ffcf80c872b5c1a082ec4eabc8aa0305021b9fc213248838792d48ce 60680 cups-browsed_1.0.42-2_amd64.deb
Files:
5635cfe3924fe522216dfbf92e5d0cf8 2612 net optional cups-filters_1.0.42-2.dsc
cba7001ab5bcd6566e279bfe53d0bf35 70010 net optional cups-filters_1.0.42-2.debian.tar.gz
ab9778e3d78dea3b8dce18c0185a1e22 87104 libs optional libcupsfilters1_1.0.42-2_amd64.deb
2d2917672c1e6bc1c7e3eabc519b2dcd 62156 libs optional libfontembed1_1.0.42-2_amd64.deb
842eb2522a9911211ee0e9d0a9c36df0 333950 net optional cups-filters_1.0.42-2_amd64.deb
b8b73d1b26e4094c36e1895960a01733 93198 libdevel optional libcupsfilters-dev_1.0.42-2_amd64.deb
351ae8712034a56b14058adb6bf200fc 65058 libdevel optional libfontembed-dev_1.0.42-2_amd64.deb
324b7548ccefe4b689b88083688fb484 60680 net optional cups-browsed_1.0.42-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQGcBAEBCAAGBQJSpyFpAAoJEIvPpx7KFjRV/DkL/AyfbjJ+9KFnGH9QwJbJxuSk
lc/1zTRE4Z9w/aOJHJhO+AIcH5pn7WR5/lGie9QlpZbYcL4GYedwXlrCpMqeWpN0
puN8O5R8LPFeCHl0rvbsZCCI3k/hx62WSzUF1rAFRLr+GnyfA4hJWAKwFPeDwX7z
PUvBhO5u0yOHq75Dn+v7kqPvXjry7NfxeOL+QpWUuT8l7vdzJYi4E2CfiwqrZI6f
Pvet3NR4TUjaiQpGREYhqfd/dMRSsg1lyWJZwyBtqoBtVvI8VPZy0GBMXxvRdp5n
b/mwNWcaT+SERLiMAPX7AuxTDDuMfukVlP4bqCU87rd7nf6W/o6DSFqxwVQgoVIs
HkF/DVUkB7neWy+qVAmtTQCcHGKRgr3O0ghg9RSs6uRZI+w1+88TYY8GMPgTgwK6
0Iiy26d1JdfxGqh4VeNIoHfDkNXf84Wx1jv2+rbEXMbDWQ6Alfl5Jxj2caG73ODc
sOP/GKOnKNadC37g/tf0bTKNo2dXjnHyU4WlYF7/bQ==
=dtv/
-----END PGP SIGNATURE-----
--- End Message ---