
Bug#858571: cups: Sync Ubuntu AppArmor profile from zesty



Package: cups
Version: 2.2.2-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu zesty ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/local/apparmor-profile:
    - allow cupsd and cups-pdf to communicate via Unix sockets (LP: #1675503)
    - adjust cups-pdf log location
    - allow cups-pdf to read /etc/cups/ppd/*.ppd
    - silence noisy denials for cupsd occasionally trying to send signals to
      unconfined
    - allow capability wake_alarm (seen in LP: 1641985)

Thanks for considering the patch.


-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-14-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru cups-2.2.2/debian/local/apparmor-profile cups-2.2.2/debian/local/apparmor-profile
--- cups-2.2.2/debian/local/apparmor-profile	2017-01-18 06:29:38.000000000 -0600
+++ cups-2.2.2/debian/local/apparmor-profile	2017-03-23 14:08:30.000000000 -0500
@@ -22,8 +22,12 @@
   capability setgid,
   capability setuid,
   capability audit_write,
+  capability wake_alarm,
   deny capability block_suspend,
 
+  # noisy
+  deny signal (send) set=("term") peer=unconfined,
+
   # nasty, but we limit file access pretty tightly, and cups chowns a
   # lot of files to 'lp' which it cannot read/write afterwards any
   # more
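Review bot: the `# noisy` comment above `deny signal (send) set=("term") peer=unconfined,` should say what is being silenced and why dropping it is safe; an explicit `deny` rule suppresses the audit message, so anyone later debugging a cupsd child that is not stopped will find no log trace. The cover message's own wording ("cupsd occasionally trying to send signals to unconfined") would be enough. Likewise `capability wake_alarm,` is the one item whose origin is a bug report (LP: 1641985), and carrying that reference into the profile as a comment would help later review of whether the capability is still needed.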
@@ -87,9 +91,14 @@
   /usr/lib/cups/backend/snmp ixr,
   /usr/lib/cups/backend/socket ixr,
   /usr/lib/cups/backend/usb ixr,
+
   # we treat cups-pdf specially, since it needs to write into /home
   # and thus needs extra paranoia
   /usr/lib/cups/backend/cups-pdf Px,
+
+  # allow communicating with cups-pdf via Unix sockets
+  unix peer=(label=/usr/lib/cups/backend/cups-pdf),
+
   # third party backends get no restrictions as they often need high
   # privileges and this is beyond our control
   /usr/lib/cups/backend/* Cx -> third_party,
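Review bot: `unix peer=(label=/usr/lib/cups/backend/cups-pdf),` carries no access, type or address qualifier, so it grants cupsd every socket operation (create, bind, listen, connect, send, receive and so on) towards that peer. If the traffic is the exchange over an already-established socket that the cover message describes, narrowing it, for example `unix (send, receive) type=stream peer=(label=/usr/lib/cups/backend/cups-pdf),`, keeps the rule in line with the "extra paranoia" the comment two lines above asks for. The label must equal the cups-pdf profile name exactly, which the `Px` transition on the preceding line ties to its path.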
@@ -178,6 +187,9 @@
   capability dac_override,
   capability dac_read_search,
 
+  # allow communicating with cupsd via Unix sockets
+  unix peer=(label=/usr/sbin/cupsd),
+
   @{PROC}/*/auxv r,
 
   /{usr/,}bin/dash ixr,
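Review bot: `unix peer=(label=/usr/sbin/cupsd),` is the mirror of the rule added on the cupsd side and should be narrowed in the same way (access and type), since this is the profile for the backend that writes into /home and so the side where an over-broad grant matters most. The label names the cupsd profile; it is worth confirming that profile is declared by its path `/usr/sbin/cupsd` and not as a named profile, otherwise the peer match fails and the original denial comes back.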
@@ -185,13 +197,14 @@
   /{usr/,}bin/cp ixr,
   /etc/papersize r,
   /etc/cups/cups-pdf.conf r,
+  /etc/cups/ppd/*.ppd r,
   @{HOME}/PDF/ rw,
   @{HOME}/PDF/* rw,
   /usr/bin/gs ixr,
   /usr/lib/cups/backend/cups-pdf mr,
   /usr/lib/ghostscript/** mr,
   /usr/share/** r,
-  /var/log/cups/cups-pdf_log w,
+  /var/log/cups/cups-pdf*_log w,
   /var/spool/cups/** r,
   /var/spool/cups-pdf/** rw,
 }
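Review bot: `/var/log/cups/cups-pdf*_log w,` replaces a single file with a glob matching any `cups-pdf*_log` name in /var/log/cups; the directory is unchanged, so the cover message's "adjust cups-pdf log location" does not describe this hunk, and a comment stating which filenames cups-pdf actually writes would justify the wildcard. `/etc/cups/ppd/*.ppd r,` covers only the top level of /etc/cups/ppd/, which is fine as long as no PPDs are nested there; read-only is the right access for the backend.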
