Bug#1110135: cups: apparmor profile is missing <abi/3.0> stanza

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1110135: cups: apparmor profile is missing <abi/3.0> stanza
From: Maximiliano <m.sandoval@proxmox.com>
Date: Wed, 30 Jul 2025 16:21:25 +0200
Message-id: <[🔎] 175388528518.442692.2419628096215484050.reportbug@haya.proxmox.com>
Reply-to: Maximiliano <m.sandoval@proxmox.com>, 1110135@bugs.debian.org

Package: cups
Version: 2.4.10-3
Severity: normal

Dear Maintainer,

When running kernel 6.14 in trixie one can see the following errors in the journal for cupsd:

kernel: audit: type=1400 audit(1753166958.042:270): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32844 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.042:271): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32844 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.042:272): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32844 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.042:273): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32844 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.042:274): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/paperspecs" pid=32844 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1753166958.044:275): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32844 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.045:276): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32844 comm="cupsd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.046:277): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32845 comm="dbus" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.046:278): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32845 comm="dbus" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
kernel: audit: type=1400 audit(1753166958.046:279): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cupsd" pid=32845 comm="dbus" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

and for cups-browsed:

kernel: audit: type=1400 audit(1753775569.414:2708): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/cups-browsed" pid=58964 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none

The two cups profiles /etc/apparmor.d/{usr.sbin.cups-browsed,usr.sbin.cupsd} are missing a:

abi <abi/3.0>,

stanza at the start of the file. After adding that line and restarting the
services there are no more such errors.



-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.14.8-2-pve (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.4.10-3
ii  cups-common            2.4.10-3
ii  cups-core-drivers      2.4.10-3
ii  cups-daemon            2.4.10-3
ii  cups-filters           1.28.17-6
ii  cups-ppdc              2.4.10-3
ii  cups-server-common     2.4.10-3
ii  debconf [debconf-2.0]  1.5.91
ii  ghostscript            10.05.1~dfsg-1
ii  libavahi-client3       0.8-16
ii  libavahi-common3       0.8-16
ii  libc6                  2.41-11
ii  libcups2t64            2.4.10-3
ii  libgcc-s1              14.2.0-19
ii  libstdc++6             14.2.0-19
ii  libusb-1.0-0           2:1.0.28-1
ii  poppler-utils          25.03.0-5
ii  procps                 2:4.0.4-8

Versions of packages cups recommends:
ii  avahi-daemon  0.8-16
ii  colord        1.4.7-3

Versions of packages cups suggests:
pn  cups-bsd                                   <none>
pn  cups-pdf                                   <none>
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
ii  smbclient                                  2:4.22.3+dfsg-4
ii  udev                                       257.7-1

-- debconf information excluded

Reply to:

Prev by Date: Bug#1109893: ipptool attributes
Next by Date: Bug#1110135: Acknowledgement (cups: apparmor profile is missing <abi/3.0> stanza)
Previous by thread: Bug#1109893: ipptool attributes
Next by thread: Bug#1110135: Acknowledgement (cups: apparmor profile is missing <abi/3.0> stanza)
Index(es):
- Date
- Thread