Bug#1016622: cups-browsed: apparmor profile generates needless noise about sys_nice

Package: cups-browsed
Version: 1.28.15-1
Severity: normal

Dear Maintainer,

We include an apparmor profile for cups_browsed that implicitly denies the SYS_NICE capability.  This capability isn't actually needed by cups-browsed, but is tested as part of startup.

I suggest we add a rule to debian/apparmor/usr.sbin.cups-browsed to mute the message: "deny capability sys_nice,"

One could argue that this should be fixed in the Linux kernel or apparmor, but for now it would be good to handle it in our apparmor profile to avoid user confusion.

I quote here a writeup I posted to a Launchpad bug discussing the problem: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/comments/13

    This message doesn't seem to affect anything, from what I can tell. Here's a technical analysis.
    
    The system call, sched_setattr, is being made in glib's g_system_thread_get_scheduler_settings. It gets the current scheduling settings, and then tests to make sure it can set them on the same thread. This call is performed when the thread pool is being created, so that the initial scheduler settings can be recorded and applied to future threads. (If that's not possible, then glib has a different mechanism that it will use instead.)
    
    In the Linux kernel, __sched_setscheduler (which does the work for sched_setattr) tests to see if the user is trying to do anything that requires the SYS_NICE capability. There are several tests it runs, all wrapped together:
    
    /* Simplified version of the relevant kernel code (__sched_setscheduler) */
    if (!capable(CAP_SYS_NICE)) {          /* LSM hook: this is the check AppArmor audits */
      if (new_nice < old_nice)             /* lowering the nice value raises priority */
        return -EPERM;
      if (is_rt_policy(new_policy)) {      /* SCHED_FIFO / SCHED_RR */
        if (new_policy != old_policy)      /* unprivileged tasks cannot switch policy */
          return -EPERM;
        if (new_priority > old_priority && new_priority > rlim_rtprio)
          return -EPERM;                   /* RT priority capped by RLIMIT_RTPRIO */
      }
      if (is_dl_policy(new_policy))        /* SCHED_DEADLINE is always privileged */
        return -EPERM;
      /* and so on */
    }
    
    All these are guarded by one check to see if the process is allowed to make changes that require CAP_SYS_NICE. This capability check is performed regardless of whether the app actually is trying to do something that requires CAP_SYS_NICE. (In this case, it's not trying to, but the check is made regardless.)
    
    Ok, now we've outlined the components, so I'll paint the bigger picture. glib is testing to see if it can save and restore the scheduling parameters, albeit with no changes. The kernel checks to see if the process has the SYS_NICE capability. apparmor sees that the program doesn't have that capability, denies it, and logs an audit message. But the kernel continues, and determines that the program isn't trying to do anything that needs SYS_NICE after all. The kernel tells glib that everything is fine, and glib finishes setting up the thread pool.
    
    At no point does anything even attempt to make any actual changes to the scheduling parameters. cups_browsed doesn't want to renice itself. It's just that, as part of the startup process, the SYS_NICE capability is tested, even though it's ultimately not needed.
    
    Personally, I like Jamie's suggestion: mute the message using a "deny" rule, since it's understood and not causing any ill effects.
    
    If users want to do this before it gets integrated (and I suggest it gets upstreamed to Debian, where that file is introduced), then create a file named /etc/apparmor.d/local/usr.sbin.cups-browsed with the contents "deny capability sys_nice," (including the comma).

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-browsed depends on:
ii  cups-daemon          2.4.2-1
ii  init-system-helpers  1.64
ii  libavahi-client3     0.8-6
ii  libavahi-common3     0.8-6
ii  libavahi-glib1       0.8-6
ii  libc6                2.33-8
ii  libcups2             2.4.2-1
ii  libcupsfilters1      1.28.15-1
ii  libglib2.0-0         2.72.3-1
ii  libldap-2.5-0        2.5.12+dfsg-2
ii  lsb-base             11.2

Versions of packages cups-browsed recommends:
ii  avahi-daemon  0.8-6

cups-browsed suggests no packages.

-- no debconf information
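The mitigation the report describes, turning the logged sys_nice denial into a `deny capability sys_nice,` rule in /etc/apparmor.d/local/usr.sbin.cups-browsed, as an added POSIX shell example. This is not code from the bug report or from the cups-browsed package. The audit line is constructed to match the shape of an AppArmor "capable" denial for this profile (capability 23 is CAP_SYS_NICE), the function names are my own, and the ROOT argument of `install_override` is an assumption so the file write can be tried in a scratch directory before touching a live system.

```shell
#!/bin/sh
# Added example, not from the bug report: derive the AppArmor "deny" rule and the
# local override path from a logged "capable" denial, so a denial that has been
# analysed as harmless (like the sys_nice one) can be muted without editing the
# shipped profile.

# Constructed sample audit line, shaped like the denial the report describes
# (capability 23 is CAP_SYS_NICE). Not a real log capture.
SAMPLE_AUDIT='type=AVC msg=audit(1660000000.123:456): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=4321 comm="cups-browsed" capability=23  capname="sys_nice"'

# audit_field LINE KEY: print the value of KEY="value" from an audit line,
# or nothing if the key is absent.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# deny_rule_for LINE: the profile rule that silences this capability denial.
# "deny" still withholds the capability; it only stops the audit message.
deny_rule_for() {
    cap=$(audit_field "$1" capname)
    [ -n "$cap" ] || return 1        # not a capability denial
    printf 'deny capability %s,\n' "$cap"
}

# local_override_path LINE: /etc/apparmor.d/local/<profile path with / -> .>,
# the file Debian profiles reserve for site-local additions
# (/usr/sbin/cups-browsed -> /etc/apparmor.d/local/usr.sbin.cups-browsed).
local_override_path() {
    profile=$(audit_field "$1" profile)
    [ -n "$profile" ] || return 1
    printf '/etc/apparmor.d/local/%s\n' "$(printf '%s' "$profile" | sed 's|^/||; s|/|.|g')"
}

# install_override ROOT LINE: append the deny rule to ROOT/etc/apparmor.d/local/...
# ROOT is "" on a live system (root privileges needed); a scratch directory lets
# the behaviour be checked safely. Idempotent: an existing identical rule is kept.
install_override() {
    rule=$(deny_rule_for "$2") || return 1
    path="$1$(local_override_path "$2")" || return 1
    mkdir -p "$(dirname "$path")"
    if [ -f "$path" ] && grep -qxF "$rule" "$path"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$path"
}

# Demo on the constructed line: print the rule and where it belongs.
deny_rule_for "$SAMPLE_AUDIT"
local_override_path "$SAMPLE_AUDIT"
```

The local file only takes effect once the main profile is reloaded (`apparmor_parser -r /etc/apparmor.d/usr.sbin.cups-browsed`), and it assumes the shipped profile includes its local/ file, as the writeup's advice implies. Keeping the rule in local/ rather than in the packaged profile means a package upgrade does not overwrite it, and `deny` is the right verb here because the capability is genuinely not needed: the goal is to stop the noise, not to grant sys_nice.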