Package: cups-daemon Version: 2.3.3op2-3+deb11u1 Severity: normal Tags: patch
Dear Maintainer, * What led up to the situation? unable to print with smbspool_krb5_backend * What exactly did you do (or not do) that was effective (or ineffective)? add entry in cups apparmor profile * What was the outcome of this action? success -- System Information: Debian Release: 11.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads) Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cups-daemon depends on: ii adduser 3.118 ii bc 1.07.1-2+b2 ii init-system-helpers 1.60 ii libavahi-client3 0.8-5 ii libavahi-common3 0.8-5 ii libc6 2.31-13+deb11u2 ii libcups2 2.3.3op2-3+deb11u1 ii libdbus-1-3 1.12.20-2 ii libgssapi-krb5-2 1.18.3-6+deb11u1 ii libpam0g 1.4.0-9+deb11u1 ii libpaper1 1.1.28+b1 ii libsystemd0 247.3-6 ii lsb-base 11.1.0 ii procps 2:3.3.17-5 ii ssl-cert 1.1.0+nmu1 Versions of packages cups-daemon recommends: ii avahi-daemon 0.8-5 ii colord 1.4.5-3 ii cups-browsed 1.28.7-1 ii ipp-usb 0.9.17-3+b4 Versions of packages cups-daemon suggests: ii cups 2.3.3op2-3+deb11u1 ii cups-bsd 2.3.3op2-3+deb11u1 ii cups-client 2.3.3op2-3+deb11u1 ii cups-common 2.3.3op2-3+deb11u1 ii cups-filters 1.28.7-1 pn cups-pdf <none> ii cups-ppdc 2.3.3op2-3+deb11u1 ii cups-server-common 2.3.3op2-3+deb11u1 ii foomatic-db-compressed-ppds [foomatic-db] 20200820-1 ii ghostscript 9.53.3~dfsg-7+deb11u1 ii poppler-utils 20.09.0-3.1 ii smbclient 2:4.13.5+dfsg-2 ii udev 247.3-6 -- Configuration Files: /etc/apparmor.d/usr.sbin.cupsd changed: /usr/sbin/cupsd flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/authentication> #include <abstractions/dbus> #include <abstractions/fonts> #include <abstractions/nameservice> #include 
<abstractions/perl> #include <abstractions/user-tmp> capability chown, capability fowner, capability fsetid, capability kill, capability net_bind_service, capability setgid, capability setuid, capability audit_write, capability wake_alarm, deny capability block_suspend, # noisy deny signal (send) set=("term") peer=unconfined, # nasty, but we limit file access pretty tightly, and cups chowns a # lot of files to 'lp' which it cannot read/write afterwards any # more capability dac_override, capability dac_read_search, # the bluetooth backend needs this network bluetooth, # the dnssd backend uses those network x25 seqpacket, network ax25 dgram, network netrom seqpacket, network rose dgram, network ipx dgram, network appletalk dgram, network econet dgram, network ash dgram, # CUPS is of systemd service type "notify" now, meaning that cupsd notifies # systemd when it is up and running, give CUPS access to systemd's # notification socket /run/systemd/notify w, /{usr/,}bin/bash ixr, /{usr/,}bin/dash ixr, /{usr/,}bin/hostname ixr, /dev/lp* rw, deny /dev/tty rw, # silence noise /dev/ttyS* rw, /dev/ttyUSB* rw, /dev/usb/lp* rw, /dev/bus/usb/ r, /dev/bus/usb/** rw, /dev/parport* rw, /etc/cups/ rw, /etc/cups/** rw, /etc/cups/interfaces/* ixrw, /etc/foomatic/* r, /etc/gai.conf r, /etc/papersize r, /etc/pnm2ppa.conf r, /etc/printcap rwl, /etc/ssl/** r, @{PROC}/net/ r, @{PROC}/net/* r, @{PROC}/sys/dev/parport/** r, @{PROC}/*/net/ r, @{PROC}/*/net/** r, @{PROC}/*/auxv r, @{PROC}/sys/crypto/** r, /sys/** r, /usr/bin/* ixr, /usr/sbin/* ixr, /{usr/,}bin/* ixr, /{usr/,}sbin/* ixr, /usr/lib/** rm, # backends which come with CUPS can be confined /usr/lib/cups/backend/bluetooth ixr, /usr/lib/cups/backend/dnssd ixr, /usr/lib/cups/backend/http ixr, /usr/lib/cups/backend/ipp ixr, /usr/lib/cups/backend/lpd ixr, /usr/lib/cups/backend/mdns ixr, /usr/lib/cups/backend/parallel ixr, /usr/lib/cups/backend/serial ixr, /usr/lib/cups/backend/snmp ixr, /usr/lib/cups/backend/socket ixr, 
/usr/lib/cups/backend/usb ixr, # we treat cups-pdf specially, since it needs to write into /home # and thus needs extra paranoia /usr/lib/cups/backend/cups-pdf Px, # allow communicating with cups-pdf via Unix sockets unix peer=(label=/usr/lib/cups/backend/cups-pdf), # third party backends get no restrictions as they often need high # privileges and this is beyond our control /usr/lib/cups/backend/* Cx -> third_party, /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper Cx -> third_party, /usr/lib/cups/cgi-bin/* ixr, /usr/lib/cups/daemon/* ixr, /usr/lib/cups/monitor/* ixr, /usr/lib/cups/notifier/* ixr, # filters and drivers (PPD generators) are always run as non-root, # and there are a lot of third-party drivers which we cannot predict /usr/lib/cups/filter/** Cxr -> third_party, /usr/lib/cups/driver/* Cxr -> third_party, /usr/local/** rm, /usr/local/lib/cups/** rix, /usr/share/** r, /{,var/}run/** rm, /{,var/}run/avahi-daemon/socket rw, deny /{,var/}run/samba/ rw, /{,var/}run/samba/** rw, /var/cache/samba/*.tdb r, /var/{cache,lib}/samba/printing/printers.tdb r, /{,var/}run/cups/ rw, /{,var/}run/cups/** rw, /var/cache/cups/ rw, /var/cache/cups/** rwk, /var/log/cups/ rw, /var/log/cups/* rw, /var/spool/cups/ rw, /var/spool/cups/** rw, # third-party printer drivers; no known structure here /opt/** rix, # FIXME: no policy ATM for hplip and Brother drivers /usr/bin/hpijs Cx -> third_party, /usr/Brother/** Cx -> third_party, # Kerberos authentication /etc/krb5.conf r, deny /etc/krb5.conf w, /etc/krb5.keytab rk, /etc/cups/krb5.keytab rwk, /tmp/krb5cc* k, # likewise authentication /etc/likewise r, /etc/likewise/* r, # silence noise deny /etc/udev/udev.conf r, signal peer=/usr/sbin/cupsd//third_party, unix peer=(label=/usr/sbin/cupsd//third_party), profile third_party flags=(attach_disconnected) { # third party backends, filters, and drivers get relatively no restrictions # as they often need high privileges, are unpredictable or otherwise beyond # our control file, 
capability, audit deny capability mac_admin, network, dbus, signal, ptrace, unix, } # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.cupsd> } /usr/lib/cups/backend/cups-pdf { #include <abstractions/base> #include <abstractions/fonts> #include <abstractions/nameservice> #include <abstractions/user-tmp> capability chown, capability fowner, capability fsetid, capability setgid, capability setuid, # unfortunate, but required for when $HOME is 700 capability dac_override, capability dac_read_search, # allow communicating with cupsd via Unix sockets unix peer=(label=/usr/sbin/cupsd), @{PROC}/*/auxv r, /{usr/,}bin/dash ixr, /{usr/,}bin/bash ixr, /{usr/,}bin/cp ixr, /etc/papersize r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, /usr/bin/gs ixr, /usr/lib/cups/backend/cups-pdf mr, /usr/lib/ghostscript/** mr, /usr/share/** r, /var/log/cups/cups-pdf*_log w, /var/spool/cups/** r, /var/spool/cups-pdf/** rw, # allow read and write on almost anything in @{HOME} (lenient, but # private-files-strict is in effect), to support customized "Out" # setting in cups-pdf.conf (Debian#940578) #include <abstractions/private-files-strict> @{HOME}/[^.]*/{,**/} rw, @{HOME}/[^.]*/** rw, } -- no debconf information
--- usr.sbin.cupsd.ori 2021-05-27 00:00:00.000000000 +0200
+++ /etc/apparmor.d/usr.sbin.cupsd 2021-11-02 13:50:43.305613824 +0100
@@ -109,6 +109,7 @@
 # third party backends get no restrictions as they often need high
 # privileges and this is beyond our control
 /usr/lib/cups/backend/* Cx -> third_party,
+ /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper Cx -> third_party,
 /usr/lib/cups/cgi-bin/* ixr,
 /usr/lib/cups/daemon/* ixr,
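Review bot: The added rule hard-codes the amd64 multiarch directory, so on any other architecture the wrapper's real path will not match and printing through it will still be denied; the profile already relies on the global tunables (`@{PROC}`, `@{HOME}`), so `@{multiarch}` should be in scope and the rule can read `/usr/lib/@{multiarch}/samba/smbspool_krb5_wrapper Cx -> third_party,`. The rule also deserves a one-line comment, because the reason the existing `/usr/lib/cups/backend/*` glob does not already cover the wrapper is not stated; presumably the smb backend entry is a symlink that AppArmor resolves to the wrapper's real path outside the backend directory, which is worth confirming and recording, e.g. `# Samba's Kerberos-aware smb backend is resolved to its real path outside /usr/lib/cups/backend/`. Note that `Cx -> third_party` hands the wrapper the child profile that grants `file,`, `capability,`, `network,` and the rest, so this is a path-gated exit from confinement consistent with the other backends rather than a tightening.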