Package: cups-daemon Version: 1.7.5-3 Severity: normal Tags: patch X-Debbugs-Cc: Debian AppArmor team <pkg-apparmor-t...@lists.alioth.debian.org>
Hi, since the upgrade to 1.7.5-3, the /etc/apparmor.d/usr.sbin.cupsd profile doesn't parse on sid anymore, and is thus entirely disabled. That's because it contains rules that depend: * to be useful: on kernel patches that were not submitted to Linux mainline yet * to parse at all, regardless of the kernel's AppArmor feature: on AppArmor 2.9 userspace (unreleased yet), that is able to ignore rules the kernel doesn't support The attached patch fixes this. Of course, the resulting profile is less strict than it could be, but oh well, at least it will be enabled. Cheers, -- intrigeri
--- /etc/apparmor.d/usr.sbin.cupsd.orig 2014-09-30 13:04:05.000000000 +0200 +++ /etc/apparmor.d/usr.sbin.cupsd 2014-10-01 21:03:01.191242269 +0200 @@ -141,7 +141,6 @@ # silence noise deny /etc/udev/udev.conf r, - signal (receive, send) peer=third_party, profile third_party { # third party backends, filters, and drivers get relatively no restrictions # as they often need high privileges, are unpredictable or otherwise beyond @@ -150,10 +149,6 @@ capability, audit deny capability mac_admin, network, - dbus, - signal, - ptrace, - unix, } # Site-specific additions and overrides. See local/README for details.