Apparmor profile violated: cupsd does mknod on /var/cache/samba/gencache.tdb

Bug #1314160 reported by Bram Geron on 2014-04-29
This bug affects 11 people
Affects: cups (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When I print to my smb printer, I get a dbus notification of the following entries in my syslog:

    Apr 29 12:27:15 tinker kernel: [ 3359.467314] type=1400 audit(1398770835.923:150): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
    Apr 29 12:27:15 tinker kernel: [ 3359.467453] type=1400 audit(1398770835.923:151): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7
    Apr 29 12:27:15 tinker kernel: [ 3359.469047] type=1400 audit(1398770835.923:152): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7

I get new entries every time I print. I'm running Ubuntu 14.04 with cups-daemon 1.7.2-0ubuntu1 on btrfs, fwiw.

I saw this replicated on http://www.dedoimedo.com/computers/ubuntu-trusty-tahr-laptop-ultrabook.html .

Till Kamppeter (till-kamppeter) wrote :

Is the problem only about having messages in syslog or are you actually not able to print? Do these messages cause any pop-ups on your screen? If you still can print and get no pop-ups it is a minor problem.

The profile is not violated by cupsd, but most probably by the /usr/lib/cups/backend/smb CUPS backend, which is a part of Samba. It probably recently gained a feature that uses the cache.

What has to be done to fix it is allowing access to /var/cache/samba/gencache.tdb in the AppArmor profile of cupsd.

Changed in cups (Ubuntu):
status: New → Incomplete

Bram Geron (bgeron) wrote :

Printing works as usual, it's just the messages. I get a popup in the top right corner, probably from apparmor-notify which I suspect I installed by hand a long time ago. When I relogin, I seem to get a notification that there have been apparmor violations.

Till Kamppeter (till-kamppeter) wrote :

Thank you very much, we will fix the AppArmor profile soon.

Changed in cups (Ubuntu):
status: Incomplete → Triaged

Till Kamppeter (till-kamppeter) wrote :

pitti, can you tell me which rule needs to get added to the AppArmor profile to fix this?

Martin Pitt (pitti) wrote :

I'm afraid I can't. I subscribed Jamie and Tyler as our resident AppArmor experts.

> requested_mask="c" denied_mask="c"

I'm afraid I don't know what "c" is, it's not documented in man 5 apparmor.d. Bram seems to suggest it's "mknod", but why would that apply to /var/cache/samba/gencache.tdb? That's certainly a regular file, not a device node. If cups were actually trying to mknod() something there, that'd be a bug.

Stefan Fleiter (stefan-fleiter) wrote :

This bug seems to prevent me from printing.
I saw this message in syslog, too, and the usr.sbin.cupsd AppArmor profile caused Samba authentication errors:

    E [15/Jan/2015:12:37:35 +0100] [Job 112] Session setup failed: NT_STATUS_UNSUCCESSFUL
    E [15/Jan/2015:12:37:35 +0100] [Job 112] Session setup failed: NT_STATUS_LOGON_FAILURE
    E [15/Jan/2015:12:37:35 +0100] [Job 112] Tree connect failed (NT_STATUS_ACCESS_DENIED)

After disabling the cups profile printing worked again.

Jamie Strandboge (jdstrand) wrote :

'c' corresponds to creat(). This requires the 'w' apparmor permission.

tags: added: aa-policy apparmor

Jamie Strandboge (jdstrand) wrote :

Does adding the following to /etc/apparmor.d/local/usr.sbin.cupsd fix the issue:

    #include <abstractions/samba>

After making this change please do 'sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd' (or reboot) and try again.

Changed in cups (Ubuntu):
status: Triaged → Incomplete

Launchpad Janitor (janitor) wrote :

[Expired for cups (Ubuntu) because there has been no activity for 60 days.]

Changed in cups (Ubuntu):
status: Incomplete → Expired

Greg Bell (gbell-spamless) wrote :

Adding #include <abstractions/samba> does not fix it.

Stefan Taferner (taferner) wrote :

The bug is still present in 16.04.2.

Add this line to /etc/apparmor.d/local/usr.sbin.cupsd:

    /var/cache/samba/* w,

Then 'sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd'

The reason why including abstractions/samba does not work is that the '*' is missing in abstractions/samba.

Seth Arnold (seth-arnold) wrote :

Hi Till, can you give this another look?

What is cups doing with smb here? Does it make more sense to give write access to this entire directory as Stefan suggests or just to the specific /var/cache/samba/gencache.tdb that was in the original report?

Thanks
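An added example, not part of the bug thread or of any project's code: it parses the denial record from the report, maps the logged `c` mask to the `w` profile permission as stated earlier in the thread, and compares the exact-path rule with the `/var/cache/samba/*` rule discussed above. The glob matcher is a simplified assumption (`*` stops at `/`, `**` does not), the function names are hypothetical, and `/var/cache/samba/other.tdb` is a constructed path.

```python
import re

# Constructed sample input: one denial record copied from the bug description.
SAMPLE = (
    'Apr 29 12:27:15 tinker kernel: [ 3359.467314] type=1400 '
    'audit(1398770835.923:150): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" '
    'pid=5747 comm="smb" requested_mask="c" denied_mask="c" fsuid=7 ouid=7'
)

# Audit-log mask letter -> profile permission. 'c' -> 'w' comes from the thread;
# 'd' (delete) -> 'w' is this example's assumption about the same log convention.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {key: value.strip('"') for key, value in pairs}
    return fields if fields.get("apparmor") == "DENIED" else None


def needed_perms(denied_mask):
    """Translate log mask letters to profile permissions; refuse unknown letters."""
    unknown = set(denied_mask) - set(MASK_TO_PERM)
    if unknown:
        raise ValueError(f"unmapped mask letters, review by hand: {sorted(unknown)}")
    return "".join(sorted({MASK_TO_PERM[c] for c in denied_mask}))


def exact_rule(denial):
    """Narrowest file rule that would satisfy this one denial."""
    return f'{denial["name"]} {needed_perms(denial["denied_mask"])},'


def rule_allows(rule, path):
    """Match a path against a file rule's glob ('*' stops at '/', '**' does not)."""
    glob = rule.rsplit(" ", 1)[0]
    parts = re.split(r"(\*\*|\*)", glob)
    regex = "".join(
        ".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts
    )
    return re.fullmatch(regex, path) is not None


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    narrow, wide = exact_rule(d), "/var/cache/samba/* w,"
    # comm shows the confined child (the smb backend), not cupsd itself.
    print(f'profile={d["profile"]} comm={d["comm"]} operation={d["operation"]}')
    for p in (d["name"], "/var/cache/samba/other.tdb"):  # second path is constructed
        print(p, "exact:", rule_allows(narrow, p), "glob:", rule_allows(wide, p))
```

The exact-path rule admits only `gencache.tdb`, while the glob rule also admits writes to every other file directly under `/var/cache/samba/`.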

Changed in cups (Ubuntu):
status: Expired → New

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups (Ubuntu):
status: New → Confirmed

IC Raibow (icrbow) wrote :

Still present in 17.10. Adding permission from #11 appears to solve it.

Claudio Kuenzler (napsty) wrote :

Still present in 18.04.
