
Bug#763673: /etc/apparmor.d/usr.sbin.cupsd AppArmor profile doesn't parse (depends on unreleased AppArmor 2.9 parser)



Package: cups-daemon
Version: 1.7.5-3
Severity: normal
Tags: patch
X-Debbugs-Cc: Debian AppArmor team <pkg-apparmor-team@lists.alioth.debian.org>

Hi,

since the upgrade to 1.7.5-3, the /etc/apparmor.d/usr.sbin.cupsd
profile doesn't parse on sid anymore, and is thus entirely disabled.
That's because it contains rules that depend:

  * to be useful: on kernel patches that were not submitted to Linux
    mainline yet

  * to parse at all, regardless of the kernel's AppArmor feature: on
    AppArmor 2.9 userspace (unreleased yet), that is able to ignore
    rules the kernel doesn't support

The attached patch fixes this. Of course, the resulting profile is
less strict than it could be, but oh well, at least it will
be enabled.

Cheers,
--
intrigeri

--- /etc/apparmor.d/usr.sbin.cupsd.orig	2014-09-30 13:04:05.000000000 +0200
+++ /etc/apparmor.d/usr.sbin.cupsd	2014-10-01 21:03:01.191242269 +0200
@@ -141,7 +141,6 @@
   # silence noise
   deny /etc/udev/udev.conf r,
 
-  signal (receive, send) peer=third_party,
   profile third_party {
     # third party backends, filters, and drivers get relatively no restrictions
     # as they often need high privileges, are unpredictable or otherwise beyond
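Review bot: The `signal (receive, send) peer=third_party,` rule just above `profile third_party {` is deleted without leaving any marker in the profile, so nothing in the file records that signal mediation between cupsd and the child profile was dropped on purpose. Consider keeping the rule as a commented-out line with a short note that it needs the AppArmor 2.9 parser, so it can be restored once that parser is available.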
@@ -150,10 +149,6 @@
     capability,
     audit deny capability mac_admin,
     network,
-    dbus,
-    signal,
-    ptrace,
-    unix,
   }
 
   # Site-specific additions and overrides. See local/README for details.
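Review bot: In the `third_party` profile, `dbus,`, `signal,`, `ptrace,` and `unix,` are removed together, but the report does not say which of them actually fail to parse. It is worth running each rule through apparmor_parser on its own and dropping only the ones that fail. Since the profile comment says these backends get "relatively no restrictions", a comment listing the removed rules would also help: on a kernel that mediates these classes, their absence makes the child profile stricter than that comment promises.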
