cupsd cause apparmor denials for /etc/ld.so.preload

Bug #1571531 reported by George Shuklin on 2016-04-18
This bug affects 1 person
Affects: apparmor (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

There is a constant flood of messages in dmesg:

[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: cups-daemon 2.1.3-4
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CupsErrorLog:

CurrentDesktop: X-Cinnamon
Date: Mon Apr 18 10:56:37 2016
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-07-19 (1003 days ago)
InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
MachineType: LENOVO 4298R86
Papersize: a4
PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: /etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
SourcePackage: cups
UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
modified.conffile..etc.default.cups:
 # Cups configure options

 # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
 # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
 # LOAD_LP_MODULE=yes
mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

Till Kamppeter (till-kamppeter) wrote :

Does this lead to any restriction or problem with printing? Or does printing work normally for you?

Changed in cups (Ubuntu):
status: New → Incomplete
George Shuklin (george-shuklin) wrote :

It causes a significant message flood in dmesg.

dmesg |grep cupsd|wc -l
117

Changed in cups (Ubuntu):
status: Incomplete → New
summary: - cupds cause apparmor denials for /etc/ld.so.preload
+ cupsd cause apparmor denials for /etc/ld.so.preload
Martin (martin3000) wrote :

Same here....

Martin (martin3000) wrote :

It happened after I installed ESET NOD32.

Till Kamppeter (till-kamppeter) wrote :

OdyX, Jamie, Marc, should we simply allow cupsd to access /etc/ld.so.preload? Or are there any security reasons against it? If there are reasons against it, how can we silence these messages?

Jamie Strandboge (jdstrand) wrote :

/etc/ld.so.preload should be a site-specific file (i.e., it shouldn't come from Ubuntu). I wouldn't want to break people by adding an explicit deny, but I'd prefer users encountering this to update their /etc/apparmor.d/local/usr.sbin.cupsd file to have:

/etc/ld.so.preload r,

Or if people just want to silence it and not allow it:

deny /etc/ld.so.preload r,

Then run: sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
(note that the file passed to apparmor_parser is not the one that was modified)
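
Added example, not part of the comment above and not code from AppArmor or CUPS: a Python script that reads denial lines like those in the bug description and produces the local-override rule in either the allow or the `deny` form. The function names and the mapping from profile name to local file (`/usr/sbin/cupsd` to `/etc/apparmor.d/local/usr.sbin.cupsd`) are assumptions based on the paths shown in this thread.

```python
import re
from collections import Counter

# Sample input: two lines from the report above plus two constructed lines
# (an ALLOWED event and an unrelated kernel message) that must be ignored.
SAMPLE = """\
[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.700000] audit: type=1400 audit(1460962510.300:64): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hosts" pid=10564 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.800000] usb 1-1: new high-speed USB device number 4 using ehci-pci
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED line."""
    return [{k: q or u for k, q, u in FIELD.findall(line)}
            for line in text.splitlines() if 'apparmor="DENIED"' in line]

def local_override_path(profile):
    """Assumed naming: /usr/sbin/cupsd -> /etc/apparmor.d/local/usr.sbin.cupsd."""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

def suggest_rules(text, allow=True):
    """Map each local override file to [(rule, denial_count)] for denied opens."""
    counts = Counter(
        (d["profile"], d["name"], d["denied_mask"])
        for d in parse_denials(text)
        if d.get("operation") == "open" and "profile" in d
        and "denied_mask" in d and d.get("name", "").startswith("/")
    )
    rules = {}
    for (profile, name, mask), n in sorted(counts.items()):
        rule = f"{'' if allow else 'deny '}{name} {mask},"
        rules.setdefault(local_override_path(profile), []).append((rule, n))
    return rules

if __name__ == "__main__":
    for path, entries in suggest_rules(SAMPLE, allow=False).items():
        print(f"# append to {path}, then reload the parent profile:")
        for rule, n in entries:
            print(f"# {n} denial(s) in the log")
            print(rule)
        print("# sudo apparmor_parser -r " + path.replace("/local/", "/"))
```

Review each suggested rule before adding it: the allow form grants the confined process read access to the file, while the `deny` form only stops the logging.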

Seth Arnold (seth-arnold) wrote :

Jamie, note that we added /etc/ld.so.preload to <abstractions/base> in the upstream project:

http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3497

It's a pity AppArmor SRUs take so much effort. :(

Thanks

Till Kamppeter (till-kamppeter) wrote :

Seth, this means then that this is an AppArmor bug and not a CUPS bug.

Moving ...

affects: cups (Ubuntu) → apparmor (Ubuntu)