apparmor denial of CUPS

Bug #1660316 reported by Dag Bjerkeli
This bug affects 8 people
Affects: cups (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Printing is enabled when doing sudo aa-complain cupsd

Here is an extract of /var/log/syslog:

Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929457] audit: type=1400 audit(1485776519.269:37): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6932 comm="apparmor_parser"
Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929744] audit: type=1400 audit(1485776519.269:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=6932 comm="apparmor_parser"
Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.945422] audit: type=1400 audit(1485776519.285:39): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=6932 comm="apparmor_parser"
Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.817070] audit: type=1400 audit(1485776530.158:40): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6941 comm="apparmor_parser"
Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.817342] audit: type=1400 audit(1485776530.158:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=6941 comm="apparmor_parser"
Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.837254] audit: type=1400 audit(1485776530.178:42): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=6941 comm="apparmor_parser"
Jan 30 12:42:16 dag-TS-P500 zeitgeist-datah[3706]: downloads-directory-provider.vala:120: Couldn't process /home/dag/.glvndcEQzqA: Error when getting information for file '/home/dag/.glvndcEQzqA': No such file or directory
Jan 30 12:42:23 dag-TS-P500 dbus[996]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Jan 30 12:42:23 dag-TS-P500 systemd[1]: Starting Hostname Service...
Jan 30 12:42:24 dag-TS-P500 dbus[996]: [system] Successfully activated service 'org.freedesktop.hostname1'
Jan 30 12:42:24 dag-TS-P500 systemd[1]: Started Hostname Service.
Jan 30 12:42:26 dag-TS-P500 kernel: [ 895.746636] audit: type=1400 audit(1485776546.086:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" capability=12 capname="net_admin"
Jan 30 12:42:54 dag-TS-P500 systemd[1]: Starting Cleanup of Temporary Directories...
Jan 30 12:42:54 dag-TS-P500 systemd-tmpfiles[6973]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
Jan 30 12:42:54 dag-TS-P500 systemd[1]: Started Cleanup of Temporary Directories.
Jan 30 12:44:03 dag-TS-P500 dbus-daemon[2707]: Activating service name='com.ubuntu.OneConf'
Jan 30 12:44:03 dag-TS-P500 dbus-daemon[2707]: Successfully activated service 'com.ubuntu.OneConf'
Jan 30 12:44:03 dag-TS-P500 com.ubuntu.OneConf[2707]: WARNING:oneconf.hosts:Error in loading other_hosts file: [Errno 2] No such file or directory: '/home/dag/.cache/oneconf/d2fc3bf30c9f4976b441a8f14de53bda/other_hosts'
Jan 30 12:44:23 dag-TS-P500 dbus-daemon[2707]: Activating service name='com.ubuntu.sso'
Jan 30 12:44:24 dag-TS-P500 dbus-daemon[2707]: Successfully activated service 'com.ubuntu.sso'
Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.685842] audit: type=1400 audit(1485776751.028:44): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=7024 comm="apparmor_parser"
Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.686099] audit: type=1400 audit(1485776751.028:45): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=7024 comm="apparmor_parser"
Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.700446] audit: type=1400 audit(1485776751.044:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=7024 comm="apparmor_parser"
Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940891] audit: type=1400 audit(1485776757.284:47): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"
Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940938] audit: type=1400 audit(1485776757.284:48): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: cups 2.2.0-2
ProcVersionSignature: Ubuntu 4.8.0-34.36-generic 4.8.11
Uname: Linux 4.8.0-34-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
CupsErrorLog: E [30/Jan/2017:12:31:00 +0100] [cups-deviced] PID 6055 (gutenprint52+usb) stopped with status 1!
Date: Mon Jan 30 13:11:33 2017
InstallationDate: Installed on 2016-02-22 (342 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
Lpstat:
 device for KONICA-MINOLTA-C650-Series: dnssd://KONICA%20MINOLTA%20bizhub%20C550(59%3AE0%3A41)._pdl-datastream._tcp.local/
 device for Minolta-C308: lpd://KMB43113/print
MachineType: LENOVO 30A7000
Papersize: a4
PpdFiles:
 KONICA-MINOLTA-C650-Series: KONICA MINOLTA C550 PS(P)
 Minolta-C308: KONICA MINOLTA C658SeriesPS(P)
ProcEnviron:
 LANGUAGE=nb_NO:nb:no_NO:no:nn_NO:nn:en
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=nb_NO.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.8.0-34-generic root=UUID=f08f9ac3-36ef-4526-abb9-482ff984a4e0 ro quiet splash
SourcePackage: cups
UpgradeStatus: Upgraded to yakkety on 2016-11-29 (61 days ago)
dmi.bios.date: 04/25/2016
dmi.bios.vendor: LENOVO
dmi.bios.version: A4KT87AUS
dmi.board.name: 102F
dmi.board.vendor: LENOVO
dmi.board.version: SDK0K17763 WIN 1801920343506
dmi.chassis.type: 7
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnLENOVO:bvrA4KT87AUS:bd04/25/2016:svnLENOVO:pn30A7000:pvrLenovoProduct:rvnLENOVO:rn102F:rvrSDK0K17763WIN1801920343506:cvnToBeFilledByO.E.M.:ct7:cvrToBeFilledByO.E.M.:
dmi.product.name: 30A7000
dmi.product.version: Lenovo Product
dmi.sys.vendor: LENOVO

Dag Bjerkeli (dag-e) wrote :
Till Kamppeter (till-kamppeter) wrote :

Which print queue failed with active AppArmor? KONICA-MINOLTA-C650-Series or Minolta-C308 or both?

Changed in cups (Ubuntu):
status: New → Incomplete
Dag Bjerkeli (dag-e) wrote :

This was raised from the C308 printer, which I just had installed. The C650 was the old printer that we got, and I _think_ printing was working on that machine.

Till Kamppeter (till-kamppeter) wrote :

According to this line

Jan 30 12:42:26 dag-TS-P500 kernel: [ 895.746636] audit: type=1400 audit(1485776546.086:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" capability=12 capname="net_admin"

the CUPS "lpd" backend (/usr/lib/cups/backend/lpd) needs the "net_admin" capability. xnox, slangasek, could you tell me where it is best to add this capability in /etc/apparmor.d/usr.sbin.cupsd? Thanks.

Till Kamppeter (till-kamppeter) wrote :

Sorry, picked up the wrong names.

Jamie, Marc, could you help me concerning how to add the "net_admin" capability to the "lpd" CUPS backend (see previous comment)?

Jamie Strandboge (jdstrand) wrote :

net_admin is a very powerful capability. What is lpd trying to do?

Launchpad Janitor (janitor) wrote :

[Expired for cups (Ubuntu) because there has been no activity for 60 days.]

Changed in cups (Ubuntu):
status: Incomplete → Expired
Till Kamppeter (till-kamppeter) wrote :

I do not know exactly why lpadmin needs this capability; I do not even know which actions are covered by net_admin. What I know about the LPD backend is that it accesses the printer through port 515, and it is possible that the backend accesses the printer via SNMP in addition.

Dag Bjerkeli (dag-e) wrote :

Meanwhile I've upgraded the computer to 17.04, but I have not checked the presence of the bug after the upgrade. I will check tomorrow when I get access to the computer.

Jamie Strandboge (jdstrand) wrote :

@Till, see 'man 7 capabilities' for what net_admin grants. We need to understand why the access is needed before granting it.

Jamie Strandboge (jdstrand) wrote :

In the meantime, users can workaround this by adjusting /etc/apparmor.d/local/usr.sbin.cupsd to have:

 capability net_admin,

and then reloading the profile with:

$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
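
The syslog extract in the report mixes three kinds of AppArmor audit records: STATUS lines from profile reloads, a DENIED line (enforce mode blocked the capability), and ALLOWED lines (complain mode after aa-complain cupsd, which log what enforce mode would have blocked but let it through). The following Python script is an added example, not part of this bug report or of CUPS; it parses both the syslog and the dmesg form of those lines, separates the denials from the reload noise, and maps a capability denial to the rule form used in the workaround above. The sample input is constructed from lines quoted in this thread; the function and class names are this example's own.

```python
"""Triage AppArmor 'audit: type=1400' lines from syslog or dmesg.

Added example for this thread: parses the audit records quoted in the report,
drops profile_replace STATUS noise, and groups DENIED/ALLOWED events per profile
so that a capability denial such as the cupsd/lpd net_admin one stands out.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: audit lines quoted in this report (syslog and dmesg
# forms) plus one unrelated syslog line, to show what the parser skips.
SAMPLE_LOG = """\
Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929457] audit: type=1400 audit(1485776519.269:37): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6932 comm="apparmor_parser"
Jan 30 12:42:16 dag-TS-P500 zeitgeist-datah[3706]: downloads-directory-provider.vala:120: Couldn't process /home/dag/.glvndcEQzqA
Jan 30 12:42:26 dag-TS-P500 kernel: [ 895.746636] audit: type=1400 audit(1485776546.086:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" capability=12 capname="net_admin"
Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940891] audit: type=1400 audit(1485776757.284:47): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"
Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940938] audit: type=1400 audit(1485776757.284:48): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"
[491184.232027] audit: type=1400 audit(1496903835.766:41): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=21237 comm="lpd" capability=12 capname="net_admin"
kernel: [35100.990629] audit: type=1400 audit(1536755161.327:158): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=15321 comm="cupsd" capability=12 capname="net_admin"
Jun 5 00:00:07 cmdesk01 kernel: [4025941.209572] audit: type=1400 audit(1591304407.264:388): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=1792223 comm="cups-browsed" capability=23 capname="sys_nice"
"""

# audit(<epoch seconds>:<serial>): <key=value ...>  (works for syslog and dmesg)
_AUDIT = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class AppArmorEvent:
    timestamp: float
    serial: int
    result: str       # STATUS, DENIED (enforce) or ALLOWED (complain mode)
    operation: str    # e.g. profile_replace, capable, open
    profile: str
    comm: str
    pid: int
    name: str         # capability name for 'capable', path for file operations
    fields: dict      # every key=value pair as parsed, for anything not modelled


def parse_line(line: str):
    """Return an AppArmorEvent for an AppArmor audit line, else None."""
    m = _AUDIT.search(line)
    if m is None:
        return None
    fields = {}
    for key, whole, quoted, bare in _KV.findall(m.group("rest")):
        fields[key] = quoted if whole.startswith('"') else bare
    result = fields.get("apparmor")
    if result is None:
        return None  # an audit record from some other subsystem
    op = fields.get("operation", "")
    name = fields.get("capname", "") if op == "capable" else fields.get("name", "")
    return AppArmorEvent(
        timestamp=float(m.group("ts")), serial=int(m.group("serial")),
        result=result, operation=op, profile=fields.get("profile", ""),
        comm=fields.get("comm", ""), pid=int(fields.get("pid", "0")),
        name=name, fields=fields)


def summarize(lines):
    """Count events per (profile, result, operation, name), ignoring STATUS noise."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.result == "STATUS":
            continue
        counts[(ev.profile, ev.result, ev.operation, ev.name)] += 1
    return counts


def denied_capabilities(lines):
    """Sorted (profile, capability) pairs that enforce mode actually blocked."""
    return sorted({(ev.profile, ev.name) for ev in map(parse_line, lines)
                   if ev is not None and ev.result == "DENIED" and ev.operation == "capable"})


def suggest_rule(ev: AppArmorEvent):
    """Rule line that would satisfy a capability denial, e.g. 'capability net_admin,'.

    Only capability events are mapped; file and network denials need a human to
    decide the narrowest path or address rule, so they return None here.
    """
    if ev.operation == "capable" and ev.name:
        return f"capability {ev.name},"
    return None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print(n, *key)
    for profile, cap in denied_capabilities(lines):
        print(f"{profile}: would need 'capability {cap},' in its local override")
```

Run it against `journalctl -k` or /var/log/syslog output instead of the sample to see which profile and capability an ALLOWED or DENIED line refers to; the `comm=` field is what told Till above that the requester was the lpd backend rather than cupsd itself, and the later cupsd and cups-browsed lines in this thread show why grouping by (profile, capability) rather than by process name matters.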

Dag Bjerkeli (dag-e) wrote :

I finally got to check the status of this on Ubuntu 17.04. Same computer but upgraded ubuntu.
Printing from LibreOffice gave this in the log (dmesg):
[491184.232027] audit: type=1400 audit(1496903835.766:41): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=21237 comm="lpd" capability=12 capname="net_admin"

Applying the workaround resulted in no AppArmor errors in dmesg.

Jon Schewe (jpschewe) wrote :

I'm seeing this in Ubuntu 18.04 as well. I have 2 printers configured, an HP LaserJet p4015 and a Canon ImageRunner C5030.

kernel: [35100.990629] audit: type=1400 audit(1536755161.327:158): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=15321 comm="cupsd" capability=12 capname="net_admin"

Robert Dinse (nanook) wrote :

I'm seeing this in 19.10 as well. Good to know it's gone for at least two years without being fixed, way to go Canonical!

Arie Skliarouk (skliarie) wrote :

Looks like the same error in ubuntu 20.04:

Jun 5 00:00:07 cmdesk01 kernel: [4025941.209572] audit: type=1400 audit(1591304407.264:388): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=1792223 comm="cups-browsed" capability=23 capname="sys_nice"

Claudio Kuenzler (napsty) wrote :

Same happens in 18.04 (Linux Mint 19.3). Needed to manually add the net_admin caps as mentioned by Jamie.

Paul Menzel (paulmenzel) wrote :

@skliarie, your pasted log message is actually a different issue, and I just reported https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369 for it.

Joe Henley (joehenley) wrote :

Like napsty above, I'm using LM 19.3. I fixed the problem with printing by adding the "net_admin caps" correction, per Jamie. That worked fine, but now the default media player in LM 19.3 won't play mpg4 video files. If I remove the "net_admin caps" correction, the ability to play mpg4 files is restored. Suggestions? Thanks!

Joe Henley

John Johansen (jjohansen) wrote :

Where/what file are you adding net_admin caps to? I would not expect modifying the cups profile to affect the default media player.

Can you look for apparmor="DENIED" messages in your log?

Daniel Richard G. (skunk) wrote :

Reopening this issue as I am still observing the net_admin denial in jammy.

Changed in cups (Ubuntu):
status: Expired → Confirmed