Bug#1119797: cups-daemon: Apparmor profile blocks spawning Electron (missing "userns_create" permission)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1119797: cups-daemon: Apparmor profile blocks spawning Electron (missing "userns_create" permission)
From: Asger Hautop Drewsen <asger@tyilo.com>
Date: Fri, 31 Oct 2025 14:49:29 +0100
Message-id: <[🔎] 176191856936.3509.2439153684674483043.reportbug@debian13.debian13>
Reply-to: Asger Hautop Drewsen <asger@tyilo.com>, 1119797@bugs.debian.org

Package: cups-daemon
Version: 2.4.10-3+deb13u1
Severity: normal
Tags: patch
X-Debbugs-Cc: asger@tyilo.com

Dear Maintainer,

We have a proprietary cups backend that spawns an Electron-based application when it is printed to.

This doesn't currently work as that requires the "userns_create" AppArmor permission,
but cups-daemon's AppArmor config doesn't allow this for the "third_party" profile.

Adding "userns_create" to the "third_party" profile in /etc/apparmor.d/usr.sbin.cupsd fixes the problem.

Kind regards,
Asger Hautop Drewsen

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser                    3.152
ii  bc                         1.07.1-4
ii  init-system-helpers        1.69~deb13u1
ii  libavahi-client3           0.8-16
ii  libavahi-common3           0.8-16
ii  libc6                      2.41-12
ii  libcups2t64                2.4.10-3+deb13u1
ii  libdbus-1-3                1.16.2-2
ii  libgssapi-krb5-2           1.21.3-5
ii  libpam0g                   1.7.0-5
ii  libpaper2                  2.2.5-0.3+b2
ii  libsystemd0                257.8-1~deb13u2
ii  procps                     2:4.0.4-9
ii  ssl-cert                   1.1.3
ii  sysvinit-utils [lsb-base]  3.14-4

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.8-16
ii  colord        1.4.7-3
ii  cups-browsed  1.28.17-6
ii  ipp-usb       0.9.23-2+b7

Versions of packages cups-daemon suggests:
ii  cups                                       2.4.10-3+deb13u1
ii  cups-bsd                                   2.4.10-3+deb13u1
ii  cups-client                                2.4.10-3+deb13u1
ii  cups-common                                2.4.10-3+deb13u1
ii  cups-filters                               1.28.17-6
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.4.10-3+deb13u1
ii  cups-server-common                         2.4.10-3+deb13u1
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
ii  ghostscript                                10.05.1~dfsg-1+deb13u1
ii  poppler-utils                              25.03.0-5
ii  smbclient                                  2:4.22.4+dfsg-1~deb13u1
ii  udev                                       257.8-1~deb13u2

-- Configuration Files:
/etc/apparmor.d/usr.sbin.cupsd changed [not included]

-- no debconf information

Reply to:

Follow-Ups:
- Bug#1119797: Typo in fix
  - From: Asger Hautop Drewsen <asger@tyilo.com>
- Bug#1119797: Typo v2
  - From: Asger Hautop Drewsen <asger@tyilo.com>

Prev by Date: Bug#1119722: libcupsfilters: debian-adds-quilt-control-dir (lintian warning)
Next by Date: Bug#1119797: Typo in fix
Previous by thread: Bug#1119722: libcupsfilters: debian-adds-quilt-control-dir (lintian warning)
Next by thread: Bug#1119797: Typo in fix
Index(es):
- Date
- Thread