Project

General

Profile

Bug #15030

Update list of backends in the usr.sbin.cups AppArmor profile (2019 edition)

Added by intrigeri about 2 years ago. Updated 7 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
12/09/2017
Due date:
% Done:

100%

Feature Branch:
bugfix/15030-update-cups-apparmor-profile
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

1. Check that the list of backends we ship in /usr/lib/cups/backend are all listed in the (patched) /etc/apparmor.d/usr.sbin.cups:

  • backends shipped in the cups-daemon package should have ixr
  • other backends should have Cx -> third_party

2. Create a ticket to do the same next year.


Related issues

Related to Tails - Bug #9963: cupsd AppArmor profile fails to parse on Jessie Resolved 08/11/2015
Related to Tails - Bug #15029: Check list of backends in the usr.sbin.cups AppArmor profile (2018 edition) Resolved 12/09/2017
Related to Tails - Bug #16745: Update the list of backends in the usr.sbin.cups AppArmor profile (Bullseye edition) Confirmed
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

Associated revisions

Revision e18fd8b5 (diff)
Added by intrigeri 7 months ago

AppArmor: allow cups-brf, driverless, and gutenprint53+usb backends (refs: #15030)

Technically, cups-brf and driverless are not third-party and should be confined
more strictly with "ixr", under the cupsd profile. But I don't know how to to
test these backends and confining them more strictly may break them.

Anyway, that's an upstream matter: the purpose of our Tails-specific patch is to
replace the third party backends /usr/lib/cups/backend/* catch all rule, that
doesn't work for us, and not to keep the list of backends which come with CUPS
up-to-date.

Revision abac83c3
Added by anonym 7 months ago

Merge remote-tracking branch 'origin/bugfix/15030-update-cups-apparmor-profile' into feature/buster

Fix-committed: #15030

History

#1 Updated by intrigeri about 2 years ago

This is not on our 2019 roadmap but it shall be done in 2019 as per updated Foundations Team mission. Once we have a target version in 2019 I'll move it there.

#2 Updated by intrigeri about 2 years ago

  • Related to Bug #9963: cupsd AppArmor profile fails to parse on Jessie added

#3 Updated by intrigeri almost 2 years ago

  • Related to Bug #15029: Check list of backends in the usr.sbin.cups AppArmor profile (2018 edition) added

#4 Updated by intrigeri 9 months ago

  • Target version changed from 2019 to Tails_3.14

#5 Updated by intrigeri 9 months ago

#6 Updated by intrigeri 9 months ago

I'll do that early April, directly on feature/buster.

#7 Updated by intrigeri 8 months ago

  • Target version changed from Tails_3.14 to Tails_4.0

#8 Updated by intrigeri 7 months ago

  • Related to Bug #16745: Update the list of backends in the usr.sbin.cups AppArmor profile (Bullseye edition) added

#9 Updated by intrigeri 7 months ago

  • Subject changed from Check list of backends in the usr.sbin.cups AppArmor profile (2019 edition) to Update list of backends in the usr.sbin.cups AppArmor profile (2019 edition)
  • Status changed from Confirmed to In Progress
  • Type of work changed from Research to Code

intrigeri wrote:

1. Check that the list of backends we ship in /usr/lib/cups/backend are all listed in the (patched) /etc/apparmor.d/usr.sbin.cups:

  • backends shipped in the cups-daemon package should have ixr
  • other backends should have Cx -> third_party

Missing: cups-brf, driverless, gutenprint53+usb.

2. Create a ticket to do the same next year.

#16745 (I've switched to per-Debian-cycle check instead of yearly, seems good enough)

#10 Updated by intrigeri 7 months ago

  • Feature Branch set to bugfix/15030-update-cups-apparmor-profile

#11 Updated by intrigeri 7 months ago

  • Assignee deleted (intrigeri)
  • QA Check set to Ready for QA

#12 Updated by anonym 7 months ago

  • Assignee set to anonym

#13 Updated by anonym 7 months ago

  • Status changed from In Progress to 11
  • Assignee deleted (anonym)
  • % Done changed from 0 to 100
  • QA Check changed from Ready for QA to Pass

LGTM!

#14 Updated by intrigeri 7 months ago

  • Status changed from 11 to Resolved

Also available in: Atom PDF