cupsd is not allowed to access /var/cache/samba/gencache.tdb by apparmor

Bug #1371097 reported by Theodotos Andreou on 2014-09-18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
cups (Ubuntu)
Jamie Strandboge

Bug Description

For some reason /usr/sbin/cupsd tries to access /var/cache/samba/gencache.tdb. I have a printer set up via samba so that may be the reason.

The apparmor profile for cupsd does not allow this. I get this error in the logs:

 kernel: [284527.967015] type=1400 audit(1411040510.770:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1722 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

A listing of the apparmor profile (/etc/apparmor.d/usr.sbin.cupsd) is here:

The file /etc/apparmor.d/usr.sbin.cupsd belongs to the cups-daemon package

The system silently fails to print from the GUI. The funny part is that I printed something successfully the day I set the printer up (yesterday).

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: cups-daemon 1.7.2-0ubuntu1.2
ProcVersionSignature: Ubuntu 3.13.0-35.62-generic
Uname: Linux 3.13.0-35-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: amd64

Date: Thu Sep 18 15:27:52 2014
InstallationDate: Installed on 2014-09-01 (17 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
Lpstat: device for SRB01PR001: smb://
MachineType: Apple Inc. MacPro5,1
Papersize: a4
PpdFiles: SRB01PR001: HP Color LaserJet CP3505 Postscript (recommended)
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-35-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
SourcePackage: cups
UpgradeStatus: No upgrade log present (probably fresh install) 10/07/10
dmi.bios.vendor: Apple Inc.
dmi.bios.version: MP51.88Z.007F.B03.1010071432
dmi.board.asset.tag: 0 Mac-F221BEC8
dmi.board.vendor: Apple Inc.
dmi.chassis.type: 7
dmi.chassis.vendor: Apple Inc.
dmi.chassis.version: Mac-F221BEC8
dmi.modalias: dmi:bvnAppleInc.:bvrMP51.88Z.007F.B03.1010071432:bd10/07/10:svnAppleInc.:pnMacPro5,1:pvr0.0:rvnAppleInc.:rnMac-F221BEC8:rvr:cvnAppleInc.:ct7:cvrMac-F221BEC8: MacPro5,1
dmi.product.version: 0.0
dmi.sys.vendor: Apple Inc.
 # Cups configure options

 # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
 # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
mtime.conffile..etc.default.cups: 2014-07-23T01:20:18

Theodotos Andreou (theodotos) wrote :
Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look what is missing here in the AppArmor profile? Thanks.

Martin Pitt (pitti) wrote :

I have no idea what that file is, but reading it seems quite safe. So just add

  /var/cache/samba/*.tdb r,

where the other samba related permissions are.

Changed in cups (Ubuntu):
status: New → Triaged
no longer affects: samba (Ubuntu)
Theodotos Andreou (theodotos) wrote :

Hi Martin,

I added the following lines at the end of /etc/apparmor.d/usr.sbin.cupsd:

  # cupsd needs access to /var/cache/samba/gencache.tdb

  /var/cache/samba/*.tdb r,

Restarted the computer and I still get:

Cups thinks that everything is OK:

localhost - - [19/Sep/2014:14:04:52 +0300] "POST /printers/SRB01PR001 HTTP/1.1" 200 259046 Print-Job successful-ok

Theodotos Andreou [2014-09-19 11:11 -0000]:
> Restarted the computer and I still get:

That might not be enough. Can you please try

  sudo /etc/init.d/apparmor teardown
  sudo /etc/init.d/apparmor start

after the profile update (well, you already made that)? That should
rebuild the binary apparmor profiles.

If that doesn't help either, I'm afraid I don't know either; that's a
question for the AppArmor folks then.

Theodotos Andreou (theodotos) wrote :

The teardown option did the trick!

Thanks Martin!

Theodotos Andreou (theodotos) wrote :

Should I prepare a patch?

Changed in cups (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in cups (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.7.5-2ubuntu1

cups (1.7.5-2ubuntu1) utopic; urgency=medium

  * debian/local/apparmor-profile:
    - move Ux to Cx -> third_party and provide a third_party child profile. In
      this manner, we can add some modest confinement (can't change MAC
      policy, change_profile or mount) but more importantly it allows us to
      specify peer=third_party to restrict where the strictly confined cups
      process can send signals (LP: #1370930)
    - allow r of /var/cache/samba/*.tdb (LP: #1371097)
    - allow r of /var/{cache,lib}/samba/printing/printers.tdb
 -- Jamie Strandboge <email address hidden> Wed, 24 Sep 2014 11:24:03 -0500

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
TEN (launchpad-20-ten) wrote :

Probably triggered by some recent package update,
Ubuntu 14.04.3 LTS 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
reports in /var/log/kern.log:

type=1400 audit(1439324668.029:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1019 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

The above message can be prevented by this addition to /etc/apparmor.d/usr.sbin.cupsd from bug 1371097 after the following comment:

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cupsd>

  /var/cache/samba/*.tdb r,

However, another error follows, also repeatedly:

type=1400 audit(1439325510.504:68): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=952 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

For this one, suggestions not directly applicable to LTS seem to be made in bug 1370930 with a fix for other versions.
How can this best be applied to also fix Ubuntu 14.04.3 ?
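
Added example (not part of the original report and not code from the cups or AppArmor projects): a small parser for the `apparmor="DENIED"` kernel records quoted in this thread, which groups repeated denials and proposes exact-path file rules for review. The function names are hypothetical, and the proposed rule names the exact denied path, whereas the packaged fix uses the glob `/var/cache/samba/*.tdb`.

```python
import re
from collections import Counter

# The three DENIED records are the ones quoted in this report; the last
# line is constructed noise to show that non-audit lines are skipped.
SAMPLE_LOG = """\
kernel: [284527.967015] type=1400 audit(1411040510.770:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1722 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
type=1400 audit(1439324668.029:103): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/cache/samba/gencache.tdb" pid=1019 comm="smb" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
type=1400 audit(1439325510.504:68): apparmor="DENIED" operation="signal" profile="/usr/sbin/cupsd" pid=952 comm="cupsd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
kernel: [1.000000] usb 1-1: new high-speed USB device (constructed, not an audit record)
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" record."""
    return [{k: quoted or bare for k, quoted, bare in KV.findall(line)}
            for line in text.splitlines() if 'apparmor="DENIED"' in line]

def summarize(text):
    """Count denials per (profile, operation, object, denied_mask)."""
    counts = Counter()
    for r in parse_denials(text):
        obj = r.get("name") or "signal=%s peer=%s" % (r.get("signal"), r.get("peer"))
        counts[(r["profile"], r["operation"], obj, r["denied_mask"])] += 1
    return counts

def candidate_rules(text):
    """Map profile -> deduplicated file rules; other denial kinds need manual review."""
    rules = {}
    for r in parse_denials(text):
        # Assumption: a name= field holding an absolute path means a file denial.
        if r.get("name", "").startswith("/"):
            rules.setdefault(r["profile"], set()).add(
                "%s %s," % (r["name"], r["denied_mask"]))
    return {profile: sorted(s) for profile, s in rules.items()}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print("candidate lines for", profile, "->", rules)
```

As the thread shows, a rule added to the profile has no effect until the profile is reloaded.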
