
Bug#1019270: cups-browsed: Query to /proc/sys/net/ipv6/conf/all/disable_ipv6 blocked by AppArmor, spamming syslog



Control: tags -1 +patch
X-Debbugs-CC: alteholz@debian.org till.kamppeter@gmail.com

Dear Debian cups-filters maintainers,

On Tue, 06 Sep 2022 13:08:34 -0400 Boyuan Yang <byang@debian.org> wrote:
> Package: cups-browsed
> Version: 1.28.16-1
> Severity: normal
> 
> Dear Debian cups-filters packagers,
> 
> On my current Debian/Sid system (as of Sep 2022), the syslog keeps
> printing the following messages:
> 
> kernel: audit: type=1400 audit(1662483939.030:193): apparmor="DENIED"
> operation="open" profile="/usr/sbin/cups-browsed"
> name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336
> comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> kernel: audit: type=1400 audit(1662483939.030:194): apparmor="DENIED"
> operation="open" profile="/usr/sbin/cups-browsed"
> name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336
> comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> audit[3336]: AVC apparmor="DENIED" operation="open"
> profile="/usr/sbin/cups-browsed"
> name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336
> comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> audit[3336]: AVC apparmor="DENIED" operation="open"
> profile="/usr/sbin/cups-browsed"
> name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336
> comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> 
> 
> These logs keep spamming my syslog. Please consider looking into it and
> adjusting the AppArmor profile or cups-browsed program accordingly.

Since cups-browsed only needs to read
/proc/sys/net/ipv6/conf/all/disable_ipv6 to determine whether ipv6 is
disabled, I believe this request should be allowed by AppArmor.

As a result, I am attaching the following one-liner patch (see attachment).
Please consider applying it to avoid spamming syslog journal.



--- a/debian/apparmor/usr.sbin.cups-browsed
+++ b/debian/apparmor/usr.sbin.cups-browsed
@@ -17,6 +17,9 @@
   /var/log/cups/* rw,
   /tmp/** rw,
 
+  # Allow reading system ipv6 status
+  /proc/sys/net/ipv6/conf/all/disable_ipv6 r,
+
   # Courtesy to the Debian Edu team...
   /etc/cups/cups-browsed-debian-edu.conf r,
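
Review bot: The new rule line hard-codes /proc; AppArmor profiles usually write this as @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, which is worth using here if the profile already includes tunables/global (that include is not visible in this hunk). The scope itself is right: one exact path with read-only access, matching the name= and denied_mask="r" fields of the quoted denial, with no glob over the rest of /proc/sys/net.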



It would be really beneficial if this fix could enter upcoming Debian 12.
Please let me know if you have any questions. Thanks!

Best Regards,
Boyuan Yang
From c257243882c2f6ab3ceaea7ec99a462f53fb0e1c Mon Sep 17 00:00:00 2001
From: Boyuan Yang <byang@debian.org>
Date: Sun, 30 Oct 2022 00:50:55 -0400
Subject: [PATCH] debian/apparmor/: Allow reading disable_ipv6 file under /proc

Otherwise syslog is spammed by repeated AppArmor denial:

    apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed"
    name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=61278
    comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This patch would Closes: #1019270.
---
 debian/apparmor/usr.sbin.cups-browsed | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/apparmor/usr.sbin.cups-browsed b/debian/apparmor/usr.sbin.cups-browsed
index 9c2dbff..cab1cd0 100644
--- a/debian/apparmor/usr.sbin.cups-browsed
+++ b/debian/apparmor/usr.sbin.cups-browsed
@@ -17,6 +17,9 @@
   /var/log/cups/* rw,
   /tmp/** rw,
 
+  # Allow reading system ipv6 status
+  /proc/sys/net/ipv6/conf/all/disable_ipv6 r,
+
   # Courtesy to the Debian Edu team...
   /etc/cups/cups-browsed-debian-edu.conf r,
 
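
Review bot: The diffstat lists only debian/apparmor/usr.sbin.cups-browsed, so the "Closes: #1019270" in the commit message has no matching debian/changelog entry in this patch; make sure the bug number is carried into the changelog at upload time. The comment above the new rule could also name the bug number and the reason (cups-browsed checks whether IPv6 is disabled) so the rule stays traceable when the profile is next audited.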
-- 
2.37.2
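
Added example, not part of the original message or of the cups-filters packaging: a short Python parser that reads AppArmor denial records like those quoted in the report and derives the narrowest file rule per profile, which is how the one-line rule in the patch follows from the log. The sample lines are constructed from the records in the report (the ALLOWED record for /etc/hosts is invented as a negative case), and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: both record shapes from the report, unwrapped, plus one
# invented ALLOWED record that must not produce a rule.
SAMPLE_LOG = '''\
kernel: audit: type=1400 audit(1662483939.030:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[3336]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1662483940.000:195): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cups-browsed" name="/etc/hosts" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit log reports create/delete as c/d; a profile grants both with w.
LOG_TO_RULE = {"c": "w", "d": "w"}
SIMPLE_PERMS = set("rwaklm")

def parse_fields(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def candidate_rules(log_text):
    """Collect denied file accesses as profile -> {path: set of permissions}."""
    rules, hits = {}, Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or not {"profile", "name", "denied_mask"} <= f.keys():
            continue
        perms = {LOG_TO_RULE.get(p, p) for p in f["denied_mask"]}
        if not perms <= SIMPLE_PERMS:
            continue  # e.g. x: a human has to choose the exec transition mode
        rules.setdefault(f["profile"], {}).setdefault(f["name"], set()).update(perms)
        hits[(f["profile"], f["name"])] += 1
    return rules, hits

def render(rules, hits):
    """Format exact-path rules (no globs) for review before adding to a profile."""
    lines = []
    for profile, paths in sorted(rules.items()):
        for path, perms in sorted(paths.items()):
            count = hits[(profile, path)]
            lines.append(f"  {path} {''.join(sorted(perms))},  # {profile}, {count} denials")
    return lines

if __name__ == "__main__":
    print("\n".join(render(*candidate_rules(SAMPLE_LOG))))
```

The output is a suggestion for a reviewer, not something to paste blindly: each proposed rule still needs the check made in the message above, that the program has a legitimate reason to read that path.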
