@reliable-robin-22 this specific message is almost certainly unrelated
to whatever problem you're facing. There's millions of people using
Ubuntu and surely several of them print from time to time. (I may only
print once a year, but it does work for me. :)
You should open a new bug report and
2023 - August
This problem persists, and it makes impossible to use a printer in
Ubuntu (!)
Thanks,
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups-filters in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
Title:
apparmor:
This is not a disconnect between the capability framework (which is
integrated into the LSM), nor the devs who implemented AppArmor.
Calls to capable() can have side effects, it is an LSM hook and linux
capabilities are implemented as an LSM module that is stacked with the
other LSMs. So if an
> Should that be fixed in the Linux kernel, or at least reported to the
developers?
tl;dr: I don't have insight to the relevant community, but it may be
worth reporting to either the kernel community or the apparmor devs.
Context: I'm just a random user who did the analysis, not an Ubuntu or
> All these are guarded by one check to see if the process is allowed to
> make changes that require CAP_SYS_NICE. This capability check is
> performed regardless of whether the app actually is trying to do
> something that requires CAP_SYS_NICE. (In this case, it's not trying to,
> but the check
** Changed in: cups-filters (Debian)
Status: Unknown => New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups-filters in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
Title:
apparmor: Allow cups-browsed to change nice
Joel, thank you very much for your analysis and for posting Debian bug
#1016622, as the fix has to be applied in the Debian package.
** Package changed: cups (Ubuntu) => cups-filters (Ubuntu)
** Changed in: cups-filters (Ubuntu)
Status: Confirmed => Triaged
** Bug watch added: Debian Bug
This message doesn't seem to affect anything, from what I can tell.
Here's a technical analysis.
The system call, sched_setattr, is being made in glib's
g_system_thread_get_scheduler_settings. It gets the current scheduling
settings, and then tests to make sure it can set them on the same
Apparmor audit message.
** Attachment added: "Apparmor audit message"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+attachment/5581262/+files/Apparmor%20audit%20message
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
I have 33 denied messages that increase in number every time I reboot.
** Attachment added: "Apparmor rsys log d"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+attachment/5581261/+files/Apparmor%20rsys%20log%20d
--
You received this bug notification because you are a member
** Attachment added: "Apparmor kernal log"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+attachment/5581260/+files/Apparmor%20kernal%20log
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
It may also be an option to set the desired scheduling parameters via
systemd.exec(5) parameters instead of asking the daemon to do the
changes itself.
Thanks
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
** Changed in: cups (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
Title:
apparmor: Allow cups-browsed to change nice value
I have searched the code of cups-browsed and libcupsfilters and did not
find any call of the mentioned functions which require CAP_SYS_NICE.
Most probably some of the library functions cups-browsed is using
contains such calls.
As cups-browsed works correctly I suggest to add the "deny capability
Till, it allows quite a few things (from man capabilities):
CAP_SYS_NICE
* Raise process nice value (nice(2), setpriority(2)) and change the
nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and set
scheduling
Anyone of the security team, does allowing the "sys_nice" capability for
cups-browsed cause any possible security risk?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
Title:
I did not have anything to control the priority in the source code of
cups-browsed, I also did not find anything in the packaging of cups-
filters. I also do not see any security risk in priority changing, it
can only make the system faster or slower.
Perhaps systemd does the nice level change?
Thank you for your bug report
Till, do you know what impact that priority change failing has? Could
you check with the security team if that call should be allowed by
default in the cups profile?
** Changed in: cups (Ubuntu)
Assignee: (unassigned) => Till Kamppeter (till-kamppeter)
--
You
On my system, I have a consistent Deny on cups-browsed --capable, one
example from 281300Z November 2020 being:
Nov 28 13:00:24 hotrodgpc-desktop kernel: [ 52.928672] audit:
type=1400 audit(1606597224.111:54): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cups-browsed" pid=1496 comm
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: cups (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
>From the manual page capabilities(7):
CAP_SYS_NICE
* Lower the process nice value (nice(2), setpriority(2)) and
change the nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and set
21 matches
Mail list logo