On Wed 17 Aug 2022 at 20:47:24 +0200, Christian Boltz wrote:
> Hello,
>
> denials for capability net_admin are often a sign that a service uses
> systemd libraries on startup, and these systemd libraries do funny[tm]
> things. In these cases the net_admin capability is not really needed.
>
> See https://bugzilla.opensuse.org/show_bug.cgi?id=1196850#c3 for the
> technical details. (Yes, I'm aware that this bug report is for Samba, not
> cups - but I'm somewhat sure that cups uses the same systemd libraries
> on startup.)
>
> I have to admit that I'm only a cups user, but I'd be surprised if it
> really needs capability net_admin.

In capabilities(7) network-related operations for CAP_NET_ADMIN include bind to any address for transparent proxying; enabling multicasting; I am not sure these are the relevant operations in this case but I am sure that Debian 11 introduced ipp-usb as a recommended package for cups-daemon. ipp-usb effectively implements an HTTP reverse proxy:

https://github.com/OpenPrinting/ipp-usb

Two clues? Putting them together I purged ipp-usb and the denial for capability net_admin disappears from the journal when cups is restarted. Perhaps this could be tested by others?

> To find out if it's really needed or just "systemd noise", can you please
> explicitly deny net_admin and test if printing still works? To do this,
> add
>     deny capability net_admin,
> to /etc/apparmor.d/local/usr.sbin.cupsd. This will a) deny it and b)
> silence the logging. Then reload the profile with
>     systemctl reload apparmor
>
> I'd also recommend to
>     aa-enforce cupsd
> (in theory deny rules get enforced even in complain mode, but better
> safe than sorry)
>
>
> If printing doesn't work with the deny rule added, please try if it
> works if you allow the capability:
>     capability net_admin,
> (and remove the deny rule).

I don't notice any degradation in printing to printers over the network. USB printing (using IPP-over-USB) wasn't tested, but has always worked for me in the past.

My tentative conclusion is that cupsd's desire to access capability net_admin is legitimate. OTOH, denying it doesn't appear to affect my printing here, but more testing is needed.

Cheers,

Brian.
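The deny-then-check procedure Christian describes, as an added shell example that is not part of this thread: `override_rule` and `count_cap_denials` are hypothetical helper names, and the audit lines are constructed samples in the kernel's AppArmor log format so the counting can be tried offline.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers around the test proposed above:
# override_rule emits the one-line rule for /etc/apparmor.d/local/<profile>, and
# count_cap_denials counts DENIED capability events for one profile/capability in
# audit lines, so a before/after comparison of the journal can be scripted.

# Constructed sample lines (format follows the kernel's AppArmor audit messages).
SAMPLE_LOG='audit: type=1400 audit(1660762044.123:45): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1234 comm="cupsd" capability=12  capname="net_admin"
audit: type=1400 audit(1660762044.456:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1660762045.789:47): apparmor="DENIED" operation="capable" profile="/usr/sbin/smbd" pid=2222 comm="smbd" capability=12  capname="net_admin"'

# override_rule MODE CAPNAME: print the local-override rule text.
# "deny" blocks the capability and silences the log; "allow" grants it.
override_rule() {
    case "$1" in
        deny)  printf 'deny capability %s,\n' "$2" ;;
        allow) printf 'capability %s,\n' "$2" ;;
        *)     echo "override_rule: mode must be deny or allow" >&2; return 1 ;;
    esac
}

# count_cap_denials PROFILE CAPNAME: read audit lines on stdin and print how
# many are DENIED capability requests for exactly that profile and capability.
count_cap_denials() {
    # grep -c still prints 0 when nothing matches but exits 1; keep the count.
    n=$(grep -c "apparmor=\"DENIED\".*operation=\"capable\".*profile=\"$1\".*capname=\"$2\"" || true)
    printf '%s\n' "${n:-0}"
}

# Real use on a Debian host (needs root; mirrors the steps in the thread):
#   override_rule deny net_admin >> /etc/apparmor.d/local/usr.sbin.cupsd
#   systemctl reload apparmor
#   aa-enforce cupsd
#   journalctl -k -b | count_cap_denials /usr/sbin/cupsd net_admin   # expect 0 afterwards

# Demo on the constructed sample: only the cupsd line matches.
printf '%s\n' "$SAMPLE_LOG" | count_cap_denials /usr/sbin/cupsd net_admin   # prints 1
```

Run it once before adding the deny rule and once after a cups restart; a count that stays at zero after the override is the "silenced" case Christian expects, while a printing failure would point at a real need for the capability.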