cupsd cause apparmor denials for /etc/ld.so.preload

Bug #1571531 reported by George Shuklin on 2016-04-18
This bug affects 1 person
Affects: apparmor (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

There is a constant flood of messages in dmesg:

[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: cups-daemon 2.1.3-4
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CupsErrorLog:

CurrentDesktop: X-Cinnamon
Date: Mon Apr 18 10:56:37 2016
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-07-19 (1003 days ago)
InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
MachineType: LENOVO 4298R86
Papersize: a4
PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: /etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
SourcePackage: cups
UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
modified.conffile..etc.default.cups:
 # Cups configure options

 # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
 # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
 # LOAD_LP_MODULE=yes
mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

Till Kamppeter (till-kamppeter) wrote :

Does this lead to any restriction or problem with printing? Or does printing work normally for you?

Changed in cups (Ubuntu):
status: New → Incomplete
George Shuklin (george-shuklin) wrote :

It causes a significant message flood in dmesg.

dmesg |grep cupsd|wc -l
117

Changed in cups (Ubuntu):
status: Incomplete → New
summary: - cupds cause apparmor denials for /etc/ld.so.preload
+ cupsd cause apparmor denials for /etc/ld.so.preload
Martin (martin3000) wrote :

Same here....

Martin (martin3000) wrote :

It happened after I installed ESET NOD32.

Till Kamppeter (till-kamppeter) wrote :

OdyX, Jamie, Marc, should we simply allow cupsd to access /etc/ld.so.preload? Or are there any security reasons against it? If there are reasons against it, how can we silence these messages?

Jamie Strandboge (jdstrand) wrote :

/etc/ld.so.preload should be a site-specific file (ie, it shouldn't come from Ubuntu). I wouldn't want to break people by adding an explicit deny, but I'd prefer users encountering this to update their /etc/apparmor.d/local/usr.sbin.cupsd file to have:

/etc/ld.so.preload r,

Or if people just want to silence it and not allow it:

deny /etc/ld.so.preload r,

Then run: sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
(note, that the file to apparmor_parser is not the one that was modified)
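
The denials quoted in the report can be grouped and turned into candidate lines for the local override file described above. This is an added example, not code from the bug report or from the AppArmor project; the function names are hypothetical, and the mapping from profile name to local file assumes a path-named profile as on this page.

```python
import re
from collections import Counter

# First two lines are from the report above; the last two are constructed.
SAMPLE = '''\
[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4432.000000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 4433.000000] audit: type=1400 audit(1460962512.000:70): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=200 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of a file-access DENIED record, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    # Keep only records with an absolute path; this skips non-file denials and hex-encoded names.
    ok = rec.get("name", "").startswith("/") and "profile" in rec and "denied_mask" in rec
    return rec if ok else None

def summarize(text):
    """Count denials per (profile, path, mask) and record which comm values triggered them."""
    counts, comms = Counter(), {}
    for rec in filter(None, map(parse_denial, text.splitlines())):
        key = (rec["profile"], rec["name"], rec["denied_mask"])
        counts[key] += 1
        comms.setdefault(key, set()).add(rec.get("comm", "?"))
    return counts, comms

def local_override(counts, allow):
    """Map each local override file to candidate rules; allow=False emits 'deny' rules."""
    out = {}
    for profile, path, mask in counts:
        # Assumption: path-named profile, so /usr/sbin/cupsd maps to local/usr.sbin.cupsd.
        target = "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")
        rule = f'{"" if allow else "deny "}{path} {mask},'
        out.setdefault(target, []).append(rule)
    return out

if __name__ == "__main__":
    counts, comms = summarize(SAMPLE)
    for key, n in counts.items():
        print(n, key, sorted(comms[key]))
    print(local_override(counts, allow=False))
```

The output is a list of candidates to review, not something to apply blindly: each rule should be checked against what the confined program actually needs before the profile is reloaded with apparmor_parser -r.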

Seth Arnold (seth-arnold) wrote :

Jamie, note that we added /etc/ld.so.preload to <abstractions/base> in the upstream project:

http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3497

It's a pity AppArmor SRUs take so much effort. :(

Thanks

Till Kamppeter (till-kamppeter) wrote :

Seth, this means then that this is an AppArmor bug and not a CUPS bug.

Moving ...

affects: cups (Ubuntu) → apparmor (Ubuntu)

I'm having the same problem with Ubuntu 18.10 Cosmic after installing Eset for Linux 4.90

Here are the logs:

09/11/2018 00:14:11 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:13:40 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:56 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:15:51 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:15:20 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:15:00 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:14:35 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
08/11/2018 22:43:48 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:43:17 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:42:54 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:42:33 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
08/11/2018 22:41:30 ESET Daemon Cannot read from socket: Connection reset by peer
08/11/2018 22:41:29 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:33:06 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:32:35 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 21:34:46 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 21:34:15 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 20:36:26 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 20:35:55 Preload library access control Cannot con...

Seth Arnold (seth-arnold) wrote :

Edson, you have a different issue.

If you want to use ESET then you should add:

  /tmp/esets.sock rw,

to the /etc/apparmor.d/abstractions/base file and run:

sudo systemctl reload apparmor

Thanks

Hello Seth Arnold

How do I run this: "/tmp/esets.sock rw" since Eset is already installed?

The same goes for this: to the /etc/apparmor.d/abstractions/base file and run:

This one I know how to run: sudo systemctl reload apparmor

I am a beginner in Linux, and if I do this, will the error messages disappear from the startup and from Eset Antivirus for Linux version 4.90?

Grateful for the attention

Edson Santos

On Sat, Nov 10, 2018 at 06:35:10PM -0000, Edson José dos Santos wrote:
> How do I run this: "/tmp/esets.sock rw" since Eset is already installed?
>
> The same goes for this: to the /etc/apparmor.d/abstractions/base file
> and run:
>
> This one I know how to run: sudo systemctl reload apparmor
>
> I am a beginner in Linux, and if I do this, will the error messages
> disappear from the startup and from Eset Antivirus for Linux version 4.90?

Hello Edson,

Use your favourite text editor (as root) to modify
/etc/apparmor.d/abstractions/base

Add at the end of the file this line:

  /tmp/esets.sock rw,

Be sure to keep the comma.

Save the file, then run:

sudo systemctl reload apparmor

This will at least allow all confined processes that use this abstraction
to communicate with the antivirus daemon. There may be confined processes
on your system that don't use this file, but this should get many of them.

If the ESET code injected into every process on your system requires
further resources, you may need to make more modifications.

Thanks
