--- Begin Message ---
Package: cups
Version: 2.2.2-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu zesty ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
  * debian/local/apparmor-profile:
    - allow cupsd and cups-pdf to communicate via Unix sockets (LP: #1675503)
    - adjust cups-pdf log location
    - allow cups-pdf to read /etc/cups/ppd/*.ppd
    - silence noisy denials for cupsd occasionally trying to send signals to
      unconfined
    - allow capability wake_alarm (seen in LP: 1641985)
Thanks for considering the patch.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.10.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru cups-2.2.2/debian/local/apparmor-profile cups-2.2.2/debian/local/apparmor-profile
--- cups-2.2.2/debian/local/apparmor-profile 2017-01-18 06:29:38.000000000 -0600
+++ cups-2.2.2/debian/local/apparmor-profile 2017-03-23 14:08:30.000000000 -0500
@@ -22,8 +22,12 @@
capability setgid,
capability setuid,
capability audit_write,
+ capability wake_alarm,
deny capability block_suspend,
+ # noisy
+ deny signal (send) set=("term") peer=unconfined,
+
# nasty, but we limit file access pretty tightly, and cups chowns a
# lot of files to 'lp' which it cannot read/write afterwards any
# more
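Review bot: The new `deny signal (send) set=("term") peer=unconfined,` rule carries only the comment `# noisy`, which does not tell a later reader that an explicit deny both suppresses the audit message and takes precedence over any allow rule, so cupsd can never deliver TERM to an unconfined process and the failure will not show up in the logs. Please expand the comment to say which signal path produces the denials and that blocking it is intentional. `capability wake_alarm,` also has no comment; a short pointer to the bug named in the cover message (LP: 1641985) would record why it is granted.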
@@ -87,9 +91,14 @@
/usr/lib/cups/backend/snmp ixr,
/usr/lib/cups/backend/socket ixr,
/usr/lib/cups/backend/usb ixr,
+
# we treat cups-pdf specially, since it needs to write into /home
# and thus needs extra paranoia
/usr/lib/cups/backend/cups-pdf Px,
+
+ # allow communicating with cups-pdf via Unix sockets
+ unix peer=(label=/usr/lib/cups/backend/cups-pdf),
+
# third party backends get no restrictions as they often need high
# privileges and this is beyond our control
/usr/lib/cups/backend/* Cx -> third_party,
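Review bot: `unix peer=(label=/usr/lib/cups/backend/cups-pdf),` names no access list and no socket type, so it permits every Unix-socket operation on every socket type with that peer. If the denials behind LP: #1675503 involve only some operations on one socket type, consider narrowing the rule with an access list such as `(send, receive)` and a `type=` that matches what the denial logs show, and keep the broad form only if the narrower one still produces denials. The blank line added before the cups-pdf comment block is an unrelated whitespace change and could be dropped.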
@@ -178,6 +187,9 @@
capability dac_override,
capability dac_read_search,
+ # allow communicating with cupsd via Unix sockets
+ unix peer=(label=/usr/sbin/cupsd),
+
@{PROC}/*/auxv r,
/{usr/,}bin/dash ixr,
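Review bot: `unix peer=(label=/usr/sbin/cupsd),` matches on the peer's profile label, so it works only while the cupsd profile is named exactly `/usr/sbin/cupsd`; renaming that profile would silently stop this rule from matching. A comment saying that this rule and its counterpart in the cupsd profile must be kept in sync would help. This profile also holds `capability dac_override` and `capability dac_read_search` just above, and the cupsd profile's own comment calls for extra paranoia around cups-pdf, so restricting the rule by access list and socket type is worth doing here as well.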
@@ -185,13 +197,14 @@
/{usr/,}bin/cp ixr,
/etc/papersize r,
/etc/cups/cups-pdf.conf r,
+ /etc/cups/ppd/*.ppd r,
@{HOME}/PDF/ rw,
@{HOME}/PDF/* rw,
/usr/bin/gs ixr,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
- /var/log/cups/cups-pdf_log w,
+ /var/log/cups/cups-pdf*_log w,
/var/spool/cups/** r,
/var/spool/cups-pdf/** rw,
}
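Review bot: `/var/log/cups/cups-pdf*_log w,` widens write access from one file to every name in /var/log/cups/ that starts with `cups-pdf` and ends with `_log`, while the cover message says only that the log location was adjusted. Please add a comment stating which log names cups-pdf actually produces, or use a tighter glob if the set of names is known. `/etc/cups/ppd/*.ppd r,` is read-only and confined to a single directory, which looks fine.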
--- End Message ---
--- Begin Message ---
Source: cups
Source-Version: 2.2.2-2
We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 858571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Mar 2017 22:32:26 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsmime1 libcupsppdc1 cups cups-core-drivers cups-daemon cups-client cups-ipp-utils libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-server-common cups-ppdc
Architecture: source
Version: 2.2.2-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
cups - Common UNIX Printing System(tm) - PPD/driver support, web interfa
cups-bsd - Common UNIX Printing System(tm) - BSD commands
cups-client - Common UNIX Printing System(tm) - client programs (SysV)
cups-common - Common UNIX Printing System(tm) - common files
cups-core-drivers - Common UNIX Printing System(tm) - driverless printing
cups-daemon - Common UNIX Printing System(tm) - daemon
cups-ipp-utils - Common UNIX Printing System(tm) - IPP developer/admin utilities
cups-ppdc - Common UNIX Printing System(tm) - PPD manipulation utilities
cups-server-common - Common UNIX Printing System(tm) - server common files
libcups2 - Common UNIX Printing System(tm) - Core library
libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
libcupscgi1 - Common UNIX Printing System(tm) - CGI library
libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
libcupsmime1 - Common UNIX Printing System(tm) - MIME library
libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
Closes: 858341 858571
Changes:
cups (2.2.2-2) experimental; urgency=medium
.
* Use /run instead of /var/run everywhere meaningful
(Closes: #858341)
* /run/cups:
- in debian/rules; pass --with-rundir=/run/cups
- update cups.init
* /run/cups/cupsd.pid:
- update cups.init
- update pidfile.patch
* /run/cups/printcap:
- in debian/rules; update --with-printcap
- update cups-daemon postinst
* /run/cups/cups.sock:
- update cups postinst and postrm for the lpadmin calls
- update the autopkgtest for the lpadmin call
- update the libcups2 example script
- update the upstart script
* /run/cups/certs:
- update cups.init
- update the upstart script
Thanks-To: Russell Coker <russell@coker.com.au>
.
[ Jamie Strandboge ]
* Update debian/local/apparmor-profile (Closes: #858571)
- allow cupsd and cups-pdf to communicate via Unix sockets (LP: #1675503)
- adjust cups-pdf log location
- allow cups-pdf to read /etc/cups/ppd/*.ppd
- silence noisy denials for cupsd occasionally trying to send signals to
unconfined
- allow capability wake_alarm (seen in LP: 1641985)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---