Public bug reported:

The gnutls library has an optional configuration file in
/etc/gnutls/config. This file is not shipped by the Ubuntu packaging,
but it can be created by a user wanting to configure certain aspects of
gnutls.

When the file exists, gnutls functions might trigger an access to it,
and this is happening with cups on my system:

jul 23 14:44:35 nsnx2 kernel: audit: type=1400
audit(1690134275.356:574): apparmor="DENIED" operation="open"
class="file" profile="/usr/sbin/cupsd" name="/etc/gnutls/config"
pid=11222 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

jul 23 14:44:35 nsnx2 kernel: audit: type=1400
audit(1690134275.376:576): apparmor="DENIED" operation="open"
class="file" profile="/usr/sbin/cups-browsed" name="/etc/gnutls/config"
pid=11224 comm="cups-browsed" requested_mask="r" denied_mask="r"
fsuid=121 ouid=0

$ l /etc/gnutls/config
-rw-r--r-- 1 root root 38 jun 15 18:44 /etc/gnutls/config

$ apt-cache policy cups
cups:
  Installed: 2.4.2-3ubuntu2.2
  Candidate: 2.4.2-3ubuntu2.2
  Version table:
     2.4.2-3ubuntu2.3 100
        100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages
 *** 2.4.2-3ubuntu2.2 500
        500 http://br.archive.ubuntu.com/ubuntu lunar-updates/main amd64 Packages

** Affects: cups (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  The gnutls library has an optional configuration file in
  /etc/gnutls/config. This file is not shipped by the Ubuntu packaging,
  but it can be created by an user wanting to configure certain aspects of
  gnutls.
  
  When the file exists, gnutls functions might trigger an access to it,
  and this is happening with cups in my system:
  
  jul 23 14:44:35 nsnx2 audit[11222]: AVC apparmor="DENIED"
  operation="open" class="file" profile="/usr/sbin/cupsd"
  name="/etc/gnutls/config" pid=11222 comm="cupsd" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0
  
- $ l /etc/gnutls/config 
+ jul 23 14:44:35 nsnx2 kernel: audit: type=1400
+ audit(1690134275.376:576): apparmor="DENIED" operation="open"
+ class="file" profile="/usr/sbin/cups-browsed" name="/etc/gnutls/config"
+ pid=11224 comm="cups-browsed" requested_mask="r" denied_mask="r"
+ fsuid=121 ouid=0
+ 
+ 
+ $ l /etc/gnutls/config
  -rw-r--r-- 1 root root 38 jun 15 18:44 /etc/gnutls/config
- 
  
  $ apt-cache policy cups
  cups:
-   Installed: 2.4.2-3ubuntu2.2
-   Candidate: 2.4.2-3ubuntu2.2
-   Version table:
-      2.4.2-3ubuntu2.3 100
-         100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 
Packages
-  *** 2.4.2-3ubuntu2.2 500
-         500 http://br.archive.ubuntu.com/ubuntu lunar-updates/main amd64 
Packages
+   Installed: 2.4.2-3ubuntu2.2
+   Candidate: 2.4.2-3ubuntu2.2
+   Version table:
+      2.4.2-3ubuntu2.3 100
+         100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 
Packages
+  *** 2.4.2-3ubuntu2.2 500
+         500 http://br.archive.ubuntu.com/ubuntu lunar-updates/main amd64 
Packages

** Description changed:

  The gnutls library has an optional configuration file in
  /etc/gnutls/config. This file is not shipped by the Ubuntu packaging,
  but it can be created by an user wanting to configure certain aspects of
  gnutls.
  
  When the file exists, gnutls functions might trigger an access to it,
  and this is happening with cups in my system:
  
- jul 23 14:44:35 nsnx2 audit[11222]: AVC apparmor="DENIED"
- operation="open" class="file" profile="/usr/sbin/cupsd"
- name="/etc/gnutls/config" pid=11222 comm="cupsd" requested_mask="r"
- denied_mask="r" fsuid=0 ouid=0
+ jul 23 14:44:35 nsnx2 kernel: audit: type=1400
+ audit(1690134275.356:574): apparmor="DENIED" operation="open"
+ class="file" profile="/usr/sbin/cupsd" name="/etc/gnutls/config"
+ pid=11222 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  
  jul 23 14:44:35 nsnx2 kernel: audit: type=1400
  audit(1690134275.376:576): apparmor="DENIED" operation="open"
  class="file" profile="/usr/sbin/cups-browsed" name="/etc/gnutls/config"
  pid=11224 comm="cups-browsed" requested_mask="r" denied_mask="r"
  fsuid=121 ouid=0
- 
  
  $ l /etc/gnutls/config
  -rw-r--r-- 1 root root 38 jun 15 18:44 /etc/gnutls/config
  
  $ apt-cache policy cups
  cups:
    Installed: 2.4.2-3ubuntu2.2
    Candidate: 2.4.2-3ubuntu2.2
    Version table:
       2.4.2-3ubuntu2.3 100
          100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 
Packages
   *** 2.4.2-3ubuntu2.2 500
          500 http://br.archive.ubuntu.com/ubuntu lunar-updates/main amd64 
Packages

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/2028459

Title:
  cups apparmor: read access to /etc/gnutls/config

Status in cups package in Ubuntu:
  New

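Added example, not part of the bug report or of the cups packaging: a Python script that parses the two AppArmor denials quoted in the report and lists, per confined profile, the read rule each denial corresponds to. The function names are hypothetical, and the rendered rule lines are candidates for review, not the fix adopted for this bug.

```python
import re
from collections import defaultdict

# The two denials quoted in the report, with the mail line-wrapping undone.
REPORT_LOG = [
    'jul 23 14:44:35 nsnx2 kernel: audit: type=1400 audit(1690134275.356:574): '
    'apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" '
    'name="/etc/gnutls/config" pid=11222 comm="cupsd" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
    'jul 23 14:44:35 nsnx2 kernel: audit: type=1400 audit(1690134275.376:576): '
    'apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cups-browsed" '
    'name="/etc/gnutls/config" pid=11224 comm="cups-browsed" requested_mask="r" '
    'denied_mask="r" fsuid=121 ouid=0',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key in ("name", "profile", "comm"):
            # The audit layer hex-encodes strings that contain spaces or
            # quotes and emits them unquoted; decode those back to text.
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = bare if quoted is None else quoted
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rules(lines):
    """Map profile -> read rules ("<path> r,") for paths it was denied."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        # Only pure read denials on a named path; anything else needs a human.
        if rec and rec.get("denied_mask") == "r" and "name" in rec:
            denied[rec["profile"]].add(rec["name"])
    return {p: [f"{path} r," for path in sorted(paths)]
            for p, paths in denied.items()}

if __name__ == "__main__":
    for profile, rules in candidate_rules(REPORT_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```
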