[Desktop-packages] [Bug 1897369] Re: apparmor: Allow cups-browsed to change nice value (CAP_SYS_NICE)

Tue, 01 Dec 2020 07:12:16 -0800 

Till, it allows quite a few things (from man capabilities):

CAP_SYS_NICE
       * Raise  process nice value (nice(2), setpriority(2)) and change the
         nice value for arbitrary processes;
       * set real-time scheduling policies for  calling  process,  and  set
         scheduling   policies   and  priorities  for  arbitrary  processes
         (sched_setscheduler(2), sched_setparam(2), sched_setattr(2));
       * set CPU affinity for arbitrary processes (sched_setaffinity(2));
       * set I/O scheduling class and priority for arbitrary processes (io‐
         prio_set(2));
       * apply  migrate_pages(2) to arbitrary processes and allow processes
         to be migrated to arbitrary nodes;
       * apply move_pages(2) to arbitrary processes;
       * use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

cups-browsed is probably just trying to renice itself, which isn't
terrible for it to try, but it probably fails gracefully with this just
being noise. If it does fail gracefully, you could consider an explicit
deny rule to silence the log. Eg:

  deny capability sys_nice,

That said, we've normally allowed system policy (ie, those shipped in
debs) to use sys_nice if they have a legitimate use case for it.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369

Title:
  apparmor: Allow cups-browsed to change nice value (CAP_SYS_NICE)

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  In Ubuntu 20.04.1 with *cups-browsed* 1.27.4-1, apparmor prevents
  `/usr/sbin/cups-browsed` to change its nice value.

      $ sudo dmesg | grep apparmor
      [541870.509461] audit: type=1400 audit(1600898428.089:60): 
apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" 
pid=62030 comm="cups-browsed" capability=23  capname="sys_nice"
      [628298.779668] audit: type=1400 audit(1600984854.115:61): 
apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" 
pid=66850 comm="cups-browsed" capability=23  capname="sys_nice"
      [714667.424963] audit: type=1400 audit(1601071220.527:62): 
apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" 
pid=76828 comm="cups-browsed" capability=23  capname="sys_nice"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to