Bug #9963

cupsd AppArmor profile fails to parse on Jessie

Added by intrigeri about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 08/11/2015
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

# apparmor_parser -K -r usr.sbin.cupsd 
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile /usr/sbin/cupsd, failed to load

That's caused by our aliases => we need to patch it like we already do for other ones.


Related issues

Related to Tails - Bug #11699: Our modifications to the AppArmor profile for cupsd need updating for Stretch Resolved 08/23/2016
Related to Tails - Bug #15029: Check list of backends in the usr.sbin.cups AppArmor profile (2018 edition) Resolved 12/09/2017
Related to Tails - Bug #15030: Update list of backends in the usr.sbin.cups AppArmor profile (2019 edition) Resolved 12/09/2017

Associated revisions

Revision cea3a0c3 (diff)
Added by intrigeri about 4 years ago

apparmor-adjust-cupsd-profile.diff: adjust to parse fine on current Jessie.

Closes: #9963

More specifically:

a) avoid "conflicting x modifiers" for /usr/bin/hpijs, by modifying the
/usr/bin/* rule to not match it;
b) add missing backends to the list of confined ones, and
asked how we can better maintain this list:
https://lists.ubuntu.com/archives/apparmor/2015-August/008463.html
c) to avoid "conflicting x modifiers", replaced glob that matches
all remaining backends by a hard-coded list of third-party ones
we ship;
d) Added a note to the RM role duties to sanity check these two lists.

Also, add the attach_disconnected flag to the third_party local profile in
there, as was done in sid already, and is needed for it to work under systemd
(this patch already did that for /usr/sbin/cupsd).
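
Added example (not part of the ticket or of the Tails patch): a small Python pre-check for the two lists the commit message asks to be sanity-checked. It reports which sample paths are matched by more than one exec rule with differing exec modes. Assumptions: an exact (glob-free) rule takes precedence over glob rules, [...] character classes are not handled, and the rule marked constructed and the path list are made up for illustration; apparmor_parser checks the merged rules themselves, not sample paths.

```python
import re

# Rules quoted from the diff in this ticket, plus one constructed glob rule
# (marked) so that two non-exact rules overlap.
SAMPLE_PROFILE = """
  /usr/lib/cups/backend/cups-pdf Px,
  /usr/lib/cups/backend/cups-* Px,    # constructed rule, not from the profile
  /usr/lib/cups/backend/* Cx -> third_party,
  /usr/lib/cups/cgi-bin/* ixr,
  /usr/lib/cups/filter/** Cxr -> third_party,
  /usr/bin/hpijs Cx -> third_party,
"""
# Constructed list of installed files to check against the rules.
SAMPLE_PATHS = ["/usr/lib/cups/backend/cups-pdf", "/usr/lib/cups/backend/cups-brf",
                "/usr/lib/cups/backend/hp", "/usr/lib/cups/filter/sub/foo",
                "/usr/bin/hpijs"]

RULE_RE = re.compile(r"^\s*(/\S+)\s+(\w+)(?:\s*->\s*(\S+?))?\s*,\s*(?:#.*)?$")
X_RE = re.compile(r"[pPcCuUi]+x")      # exec qualifier inside a permission string
GLOB_CHARS = set("*?{[")

def glob_to_regex(glob):
    """AppArmor glob -> regex; [...] classes are not handled (assumption)."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")"}
    depth, out = 0, []
    for tok in re.findall(r"\*\*|.", glob):
        depth += (tok == "{") - (tok == "}")
        out.append("|" if tok == "," and depth else table.get(tok, re.escape(tok)))
    return re.compile("".join(out) + r"\Z")

def parse_rules(text):
    """Return (path_glob, exec_mode) for every file rule that grants exec."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        x = X_RE.search(m.group(2)) if m else None
        if x:
            target = f" -> {m.group(3)}" if m.group(3) else ""
            rules.append((m.group(1), x.group(0) + target))
    return rules

def exec_conflicts(rules, paths):
    """Map each path to its matching rules when their exec modes disagree."""
    conflicts = {}
    for path in paths:
        hits = [(g, mode) for g, mode in rules if glob_to_regex(g).match(path)]
        exact = [h for h in hits if not GLOB_CHARS & set(h[0])]
        chosen = exact or hits          # assumption: exact rules override globs
        if len({mode for _, mode in chosen}) > 1:
            conflicts[path] = sorted(chosen)
    return conflicts
```

Running exec_conflicts(parse_rules(SAMPLE_PROFILE), SAMPLE_PATHS) flags only the backend matched by both glob rules; cups-pdf is not flagged because its exact rule wins.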

History

#1 Updated by intrigeri about 4 years ago

This "fixes" the parsing, which should help pinpoint the actual problem:

--- usr.sbin.cupsd.orig    2015-08-11 09:47:34.000000000 +0000
+++ usr.sbin.cupsd    2015-08-11 10:43:35.384000000 +0000
@@ -92,18 +92,18 @@
   /usr/lib/cups/backend/cups-pdf Px,
   # third party backends get no restrictions as they often need high
   # privileges and this is beyond our control
-  /usr/lib/cups/backend/* Cx -> third_party,
+#   /usr/lib/cups/backend/* Cx -> third_party,

-  /usr/lib/cups/cgi-bin/* ixr,
-  /usr/lib/cups/daemon/* ixr,
-  /usr/lib/cups/monitor/* ixr,
-  /usr/lib/cups/notifier/* ixr,
+#   /usr/lib/cups/cgi-bin/* ixr,
+#   /usr/lib/cups/daemon/* ixr,
+#   /usr/lib/cups/monitor/* ixr,
+#   /usr/lib/cups/notifier/* ixr,
   # filters and drivers (PPD generators) are always run as non-root,
   # and there are a lot of third-party drivers which we cannot predict
-  /usr/lib/cups/filter/** Cxr -> third_party,
-  /usr/lib/cups/driver/* Cxr -> third_party,
+#   /usr/lib/cups/filter/** Cxr -> third_party,
+#   /usr/lib/cups/driver/* Cxr -> third_party,
   /usr/local/** rm,
-  /usr/local/lib/cups/** rix,
+#   /usr/local/lib/cups/** rix,
   /usr/share/** r,
   /{,var/}run/** rm,
   /{,var/}run/avahi-daemon/socket rw,
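Review bot: the eight rules commented out here, from /usr/lib/cups/backend/* down to /usr/local/lib/cups/**, carry two different exec modes (ix and Cx -> third_party), so this shows the conflict sits somewhere among them but not which pair collides. Re-enable them one at a time and rerun apparmor_parser -K -r usr.sbin.cupsd to find the first rule that brings the error back. As written, the hunk also drops the exec rules for cgi-bin, daemon, monitor, notifier, filter and driver, and for any backend without its own line above, so it is only usable as a diagnostic and should not be shipped in this form.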
@@ -124,8 +124,8 @@
   /opt/** rix,

   # FIXME: no policy ATM for hplip and Brother drivers
-  /usr/bin/hpijs Cx -> third_party,
-  /usr/Brother/** Cx -> third_party,
+#   /usr/bin/hpijs Cx -> third_party,
+#   /usr/Brother/** Cx -> third_party,

   # Kerberos authentication
   /etc/krb5.conf r,
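Review bot: commenting out both /usr/bin/hpijs and /usr/Brother/** at once does not show which of the two triggers the conflict, and the FIXME comment is left sitting above two disabled rules. Test each rule on its own; for the real fix, keep the Cx -> third_party transition and narrow whichever broader rule overlaps it, otherwise hpijs would run under whatever that broader rule grants rather than in the third_party child profile.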

#2 Updated by intrigeri about 4 years ago

  • Status changed from Confirmed to Resolved
  • % Done changed from 0 to 100

#4 Updated by intrigeri about 4 years ago

  • Assignee deleted (intrigeri)

#6 Updated by intrigeri about 3 years ago

  • Related to Bug #11699: Our modifications to the AppArmor profile for cupsd need updating for Stretch added

#7 Updated by intrigeri almost 2 years ago

  • Related to Bug #15029: Check list of backends in the usr.sbin.cups AppArmor profile (2018 edition) added

#8 Updated by intrigeri almost 2 years ago

  • Related to Bug #15030: Update list of backends in the usr.sbin.cups AppArmor profile (2019 edition) added
