Bug#1060378: cups-daemon: apparmor denies net_admin capability
Hi,
Laurent Bigonville (2024-01-10):
> I see a lot of denials from apparmor regarding net_admin capability:
>
> type=AVC msg=audit(1704872737.703:1422): apparmor="DENIED" operation="capable" class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"
>
> Not too sure what part requires it, but I guess it should be either
> allowed or the audit trail should be suppressed
Yep.
After a quick scan of the last bug report about this
(https://bugs.debian.org/980974), I understand the conclusion was that
this access could be legitimate for 2 candidate reasons:
- running cupsd via systemd triggers this, "caused by setsockopt(2)
with option SO_SNDBUFFORCE"
- ipp-usb does network stuff that may require net_admin
This suggests we should allow net_admin.
And it looks like that bug was closed merely because someone shared
how they *silenced the audit trail locally*, which sounds like
a misunderstanding to me.
Could perhaps the maintainers take another look at #980974
and check if my conclusions make sense?
If they do, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980974#15
Thanks,
--
intrigeri
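As an added illustration (not part of the bug thread and not cupsd or Debian code), the script below parses AppArmor "capable" audit records like the one quoted above and turns each profile's denied capabilities into the two kinds of rule the discussion contrasts: an allow rule (`capability net_admin,`) or an explicit `deny` rule, which AppArmor does not log and is therefore the profile-level way to suppress the audit trail. The sample records other than the first are constructed, `/usr/bin/example-daemon` is a hypothetical profile, and the local-override path is an assumption about how the Debian profile is laid out.

```python
"""Summarise AppArmor capability denials and emit candidate profile rules."""
import re
from collections import defaultdict

# key="quoted value" or key=bare_value, as printed in kernel/auditd AVC records
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the key/value fields of an AppArmor audit record, or None if the
    line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def capability_denials(lines):
    """Map each profile to the set of capability names it was denied.
    Only DENIED records with operation="capable" count; ALLOWED records
    (complain mode) and file/network denials are ignored."""
    denied = defaultdict(set)
    for line in lines:
        f = parse_avc(line)
        if not f or f.get('apparmor') != 'DENIED' or f.get('operation') != 'capable':
            continue
        denied[f['profile']].add(f['capname'])
    return dict(denied)


def suggest_rules(denied, action='allow'):
    """Produce AppArmor rule lines per profile.
    action='allow' grants the capability; action='quiet' emits an explicit
    deny rule, which AppArmor does not log, i.e. it silences the denial
    without granting anything."""
    prefix = {'allow': '', 'quiet': 'deny '}[action]
    return {profile: [f'{prefix}capability {cap},' for cap in sorted(caps)]
            for profile, caps in denied.items()}


def format_override(profile, rules):
    """Render rules as a local-override snippet. Assumes the packaged profile
    includes a local/ file (e.g. <local/usr.sbin.cupsd>); that layout is an
    assumption, not something this script verifies."""
    body = '\n'.join(f'  {r}' for r in rules)
    return f'# Site-local additions for {profile}\n{body}\n'


# Constructed sample input; the first record is the one quoted in the report.
SAMPLE_LINES = [
    'type=AVC msg=audit(1704872737.703:1422): apparmor="DENIED" operation="capable" '
    'class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"',
    # constructed: the same denial repeated; must not yield a duplicate rule
    'type=AVC msg=audit(1704872790.001:1430): apparmor="DENIED" operation="capable" '
    'class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"',
    # constructed: ALLOWED (complain-mode) record is not a denial
    'type=AVC msg=audit(1704872791.002:1431): apparmor="ALLOWED" operation="capable" '
    'class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"',
    # constructed: a file denial is out of scope for capability rules
    'type=AVC msg=audit(1704872792.003:1432): apparmor="DENIED" operation="open" class="file" '
    'profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=149384 comm="cupsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: denial for a hypothetical second profile
    'type=AVC msg=audit(1704872793.004:1433): apparmor="DENIED" operation="capable" '
    'class="cap" profile="/usr/bin/example-daemon" pid=4242 comm="example-daemon" '
    'capability=23 capname="sys_nice"',
    # constructed: unrelated audit record, skipped entirely
    'type=SYSCALL msg=audit(1704872793.004:1433): arch=c000003e syscall=54 success=no exit=-1',
]

if __name__ == '__main__':
    denied = capability_denials(SAMPLE_LINES)
    for profile, rules in suggest_rules(denied).items():
        print(format_override(profile, rules))
    for profile, rules in suggest_rules(denied, 'quiet').items():
        print(format_override(profile, rules))
```

Run against a real `journalctl -k` or `/var/log/audit/audit.log` extract, the `allow` output is the change the report argues for (net_admin is legitimately needed), while the `quiet` output shows what merely silencing the denial looks like; the two are deliberately separate so that a reviewer can see which one a proposed profile change actually makes.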