Bug#1100755: /etc/apparmor.d/usr.sbin.cupsd: cups-daemon: Apparmor profile blocks reading /etc/paperspecs

To: Debian Bug Tracking System <1100755@bugs.debian.org>
Subject: Bug#1100755: /etc/apparmor.d/usr.sbin.cupsd: cups-daemon: Apparmor profile blocks reading /etc/paperspecs
From: Graham Cobb <g+debian@cobb.uk.net>
Date: Fri, 08 Aug 2025 17:02:00 +0100
Message-id: <[🔎] 175466892083.1498772.18422312845176357338.reportbug@black.home.cobb.me.uk>
Reply-to: Graham Cobb <g+debian@cobb.uk.net>, 1100755@bugs.debian.org
References: <174229060126.17500.5547263570122114567.reportbug@eriador.bigon.be>

Package: cups
Version: 2.4.10-3
Followup-For: Bug #1100755

And not just /etc/paperspecs, also /etc/magic:

Aug  8 16:40:38 black kernel: audit: type=1400 audit(1754667638.473:153): apparmor="DENIED" operation="open" class="file" profile="/u
sr/sbin/cupsd" name="/etc/magic" pid=1493317 comm="file" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Aug  8 16:40:40 black kernel: audit: type=1400 audit(1754667640.065:154): apparmor="DENIED" operation="open" class="file" profile="/u
sr/sbin/cupsd" name="/etc/paperspecs" pid=1493323 comm="gs" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
Aug  8 16:40:40 black kernel: audit: type=1400 audit(1754667640.065:155): apparmor="DENIED" operation="open" class="file" profile="/u
sr/sbin/cupsd" name="/etc/paperspecs" pid=1493323 comm="gs" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

And usb (I assume this is for access to my label printer which is not currently plugged in):

Aug  8 16:31:53 black kernel: audit: type=1400 audit(1754667113.317:151): apparmor="DENIED" operation="capable" class="cap" profile="
/usr/sbin/cupsd" pid=1487315 comm="usb" capability=21  capname="sys_admin"

And something to do with network???

Aug  8 15:17:42 black kernel: audit: type=1400 audit(1754662662.427:150): apparmor="DENIED" operation="capable" class="cap" profile="
/usr/sbin/cupsd" pid=1446620 comm="cupsd" capability=12  capname="net_admin"

Hints on how to tell apparmor to handleallow these as well would be useful.


-- System Information:
Debian Release: 13.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.32-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_IE.utf8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.4.10-3
ii  cups-common            2.4.10-3
ii  cups-core-drivers      2.4.10-3
ii  cups-daemon            2.4.10-3
ii  cups-filters           1.28.17-6
ii  cups-ppdc              2.4.10-3
ii  cups-server-common     2.4.10-3
ii  debconf [debconf-2.0]  1.5.91
ii  ghostscript            10.05.1~dfsg-1
ii  libavahi-client3       0.8-16
ii  libavahi-common3       0.8-16
ii  libc6                  2.41-8
ii  libcups2t64            2.4.10-3
ii  libgcc-s1              14.2.0-19
ii  libstdc++6             14.2.0-19
ii  libusb-1.0-0           2:1.0.28-1
ii  poppler-utils          25.03.0-4
ii  procps                 2:4.0.4-8

Versions of packages cups recommends:
ii  avahi-daemon  0.8-16
ii  colord        1.4.7-3

Versions of packages cups suggests:
ii  cups-bsd     2.4.10-3
pn  cups-pdf     <none>
ii  foomatic-db  20230202-1
ii  smbclient    2:4.22.2+dfsg-1
ii  udev         257.6-1

-- Configuration Files:
/etc/default/cups changed:


-- debconf-show failed

Reply to:

Prev by Date: Bug#1110407: marked as done (hplip: CVE-2025-43023)
Next by Date: Processing of sane-airscan_0.99.36-2_source.changes
Previous by thread: Tu factura de electricidad de Iberdrola esta lista - 4028150
Next by thread: Processing of sane-airscan_0.99.36-2_source.changes
Index(es):
- Date
- Thread