
Bug#858571: marked as done (cups: Sync Ubuntu AppArmor profile from zesty)



Your message dated Thu, 23 Mar 2017 22:04:07 +0000
with message-id <E1crApz-000GYW-Cj@fasolo.debian.org>
and subject line Bug#858571: fixed in cups 2.2.2-2
has caused the Debian Bug report #858571,
regarding cups: Sync Ubuntu AppArmor profile from zesty
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858571: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858571
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 2.2.2-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu zesty ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/local/apparmor-profile:
    - allow cupsd and cups-pdf to communicate via Unix sockets (LP: #1675503)
    - adjust cups-pdf log location
    - allow cups-pdf to read /etc/cups/ppd/*.ppd
    - silence noisy denials for cupsd occasionally trying to send signals to
      unconfined
    - allow capability wake_alarm (seen in LP: 1641985)

Thanks for considering the patch.


-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru cups-2.2.2/debian/local/apparmor-profile cups-2.2.2/debian/local/apparmor-profile
--- cups-2.2.2/debian/local/apparmor-profile	2017-01-18 06:29:38.000000000 -0600
+++ cups-2.2.2/debian/local/apparmor-profile	2017-03-23 14:08:30.000000000 -0500
@@ -22,8 +22,12 @@
   capability setgid,
   capability setuid,
   capability audit_write,
+  capability wake_alarm,
   deny capability block_suspend,
 
+  # noisy
+  deny signal (send) set=("term") peer=unconfined,
+
   # nasty, but we limit file access pretty tightly, and cups chowns a
   # lot of files to 'lp' which it cannot read/write afterwards any
   # more
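Review bot: The `deny signal (send) set=("term") peer=unconfined,` rule is documented only as `# noisy`, which hides that a deny rule blocks the signal as well as suppressing the audit log entry, and that it takes precedence over any allow rule added later. Expand the comment to say which cupsd code path sends SIGTERM to an unconfined peer and that dropping the signal is intended, so nobody later hunts for a denial that never reaches the log. The new `capability wake_alarm,` line could likewise carry a one-line comment pointing at LP: 1641985, since the profile otherwise gives no reason for it.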
@@ -87,9 +91,14 @@
   /usr/lib/cups/backend/snmp ixr,
   /usr/lib/cups/backend/socket ixr,
   /usr/lib/cups/backend/usb ixr,
+
   # we treat cups-pdf specially, since it needs to write into /home
   # and thus needs extra paranoia
   /usr/lib/cups/backend/cups-pdf Px,
+
+  # allow communicating with cups-pdf via Unix sockets
+  unix peer=(label=/usr/lib/cups/backend/cups-pdf),
+
   # third party backends get no restrictions as they often need high
   # privileges and this is beyond our control
   /usr/lib/cups/backend/* Cx -> third_party,
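Review bot: `unix peer=(label=/usr/lib/cups/backend/cups-pdf),` has no access list and no `type=` or `addr=` qualifier, so it permits every unix-socket operation between cupsd and any process running under that label. If the denials behind LP: #1675503 only show data being exchanged, narrow it to something like `unix (send, receive) peer=(label=/usr/lib/cups/backend/cups-pdf),` with a `type=` matching the logged socket type, and widen only on evidence. The blank `+` line added after the `usb ixr` entry is unrelated whitespace and could be dropped from the patch.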
@@ -178,6 +187,9 @@
   capability dac_override,
   capability dac_read_search,
 
+  # allow communicating with cupsd via Unix sockets
+  unix peer=(label=/usr/sbin/cupsd),
+
   @{PROC}/*/auxv r,
 
   /{usr/,}bin/dash ixr,
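Review bot: `unix peer=(label=/usr/sbin/cupsd),` sits in the cups-pdf profile directly below `capability dac_override,` and `capability dac_read_search,`, and it is as unrestricted as its counterpart in the cupsd profile: no access list and no socket type. This is the side the profile's own comments single out for extra paranoia, so limiting the rule to the permissions and socket type actually observed matters more here. The rule also matches the literal label `/usr/sbin/cupsd`, so it silently stops applying if the cupsd profile is ever renamed; a comment tying the two rules together would help whoever changes either one.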
@@ -185,13 +197,14 @@
   /{usr/,}bin/cp ixr,
   /etc/papersize r,
   /etc/cups/cups-pdf.conf r,
+  /etc/cups/ppd/*.ppd r,
   @{HOME}/PDF/ rw,
   @{HOME}/PDF/* rw,
   /usr/bin/gs ixr,
   /usr/lib/cups/backend/cups-pdf mr,
   /usr/lib/ghostscript/** mr,
   /usr/share/** r,
-  /var/log/cups/cups-pdf_log w,
+  /var/log/cups/cups-pdf*_log w,
   /var/spool/cups/** r,
   /var/spool/cups-pdf/** rw,
 }
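Review bot: Widening `/var/log/cups/cups-pdf_log w,` to `/var/log/cups/cups-pdf*_log w,` lets the backend write any file in /var/log/cups whose name starts with `cups-pdf` and ends in `_log`, and the hunk does not say what the new log file is actually called. Add a comment giving the filename form cups-pdf now uses and tighten the glob to match it, for example by including the separator character that follows `cups-pdf`, keeping the old exact path as a second rule if it is still needed. `/etc/cups/ppd/*.ppd r,` is appropriately narrow, since `*` does not cross directory boundaries.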

--- End Message ---
--- Begin Message ---
Source: cups
Source-Version: 2.2.2-2

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 Mar 2017 22:32:26 +0100
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsmime1 libcupsppdc1 cups cups-core-drivers cups-daemon cups-client cups-ipp-utils libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-server-common cups-ppdc
Architecture: source
Version: 2.2.2-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 cups       - Common UNIX Printing System(tm) - PPD/driver support, web interfa
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-core-drivers - Common UNIX Printing System(tm) - driverless printing
 cups-daemon - Common UNIX Printing System(tm) - daemon
 cups-ipp-utils - Common UNIX Printing System(tm) - IPP developer/admin utilities
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cups-server-common - Common UNIX Printing System(tm) - server common files
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
Closes: 858341 858571
Changes:
 cups (2.2.2-2) experimental; urgency=medium
 .
   * Use /run instead of /var/run everywhere meaningful
     (Closes: #858341)
     * /run/cups:
       - in debian/rules; pass --with-rundir=/run/cups
       - update cups.init
     * /run/cups/cupsd.pid:
       - update cups.init
       - update pidfile.patch
     * /run/cups/printcap:
       - in debian/rules; update --with-printcap
       - update cups-daemon postinst
     * /run/cups/cups.sock:
       - update cups postinst and postrm for the lpadmin calls
       - update the autopkgtest for the lpadmin call
       - update the libcups2 example script
       - update the upstart script
     * /run/cups/certs:
       - update cups.init
       - update the upstart script
     Thanks-To: Russell Coker <russell@coker.com.au>
 .
    [ Jamie Strandboge ]
    * Update debian/local/apparmor-profile (Closes: #858571)
       - allow cupsd and cups-pdf to communicate via Unix sockets (LP: #1675503)
       - adjust cups-pdf log location
       - allow cups-pdf to read /etc/cups/ppd/*.ppd
       - silence noisy denials for cupsd occasionally trying to send signals to
         unconfined
       - allow capability wake_alarm (seen in LP: 1641985)


--- End Message ---
