apparmor denial of CUPS

Bug #1660316 reported by Dag Bjerkeli on 2017-01-30
This bug affects 8 people
Affects: cups (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Printing is enabled when doing sudo aa-complain cupsd

Here is an extract of /var/log/syslog:

Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929457] audit: type=1400 audit(1485776519.269:37): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6932 comm="apparmor_parser"
Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.929744] audit: type=1400 audit(1485776519.269:38): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=6932 comm="apparmor_parser"
Jan 30 12:41:59 dag-TS-P500 kernel: [ 868.945422] audit: type=1400 audit(1485776519.285:39): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=6932 comm="apparmor_parser"
Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.817070] audit: type=1400 audit(1485776530.158:40): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=6941 comm="apparmor_parser"
Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.817342] audit: type=1400 audit(1485776530.158:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=6941 comm="apparmor_parser"
Jan 30 12:42:10 dag-TS-P500 kernel: [ 879.837254] audit: type=1400 audit(1485776530.178:42): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=6941 comm="apparmor_parser"
Jan 30 12:42:16 dag-TS-P500 zeitgeist-datah[3706]: downloads-directory-provider.vala:120: Couldn't process /home/dag/.glvndcEQzqA: Error when getting information for file '/home/dag/.glvndcEQzqA': No such file or directory
Jan 30 12:42:23 dag-TS-P500 dbus[996]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Jan 30 12:42:23 dag-TS-P500 systemd[1]: Starting Hostname Service...
Jan 30 12:42:24 dag-TS-P500 dbus[996]: [system] Successfully activated service 'org.freedesktop.hostname1'
Jan 30 12:42:24 dag-TS-P500 systemd[1]: Started Hostname Service.
Jan 30 12:42:26 dag-TS-P500 kernel: [ 895.746636] audit: type=1400 audit(1485776546.086:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" capability=12 capname="net_admin"
Jan 30 12:42:54 dag-TS-P500 systemd[1]: Starting Cleanup of Temporary Directories...
Jan 30 12:42:54 dag-TS-P500 systemd-tmpfiles[6973]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
Jan 30 12:42:54 dag-TS-P500 systemd[1]: Started Cleanup of Temporary Directories.
Jan 30 12:44:03 dag-TS-P500 dbus-daemon[2707]: Activating service name='com.ubuntu.OneConf'
Jan 30 12:44:03 dag-TS-P500 dbus-daemon[2707]: Successfully activated service 'com.ubuntu.OneConf'
Jan 30 12:44:03 dag-TS-P500 com.ubuntu.OneConf[2707]: WARNING:oneconf.hosts:Error in loading other_hosts file: [Errno 2] No such file or directory: '/home/dag/.cache/oneconf/d2fc3bf30c9f4976b441a8f14de53bda/other_hosts'
Jan 30 12:44:23 dag-TS-P500 dbus-daemon[2707]: Activating service name='com.ubuntu.sso'
Jan 30 12:44:24 dag-TS-P500 dbus-daemon[2707]: Successfully activated service 'com.ubuntu.sso'
Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.685842] audit: type=1400 audit(1485776751.028:44): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=7024 comm="apparmor_parser"
Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.686099] audit: type=1400 audit(1485776751.028:45): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=7024 comm="apparmor_parser"
Jan 30 12:45:51 dag-TS-P500 kernel: [ 1100.700446] audit: type=1400 audit(1485776751.044:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=7024 comm="apparmor_parser"
Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940891] audit: type=1400 audit(1485776757.284:47): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"
Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940938] audit: type=1400 audit(1485776757.284:48): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" capability=12 capname="net_admin"

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: cups 2.2.0-2
ProcVersionSignature: Ubuntu 4.8.0-34.36-generic 4.8.11
Uname: Linux 4.8.0-34-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
CupsErrorLog: E [30/Jan/2017:12:31:00 +0100] [cups-deviced] PID 6055 (gutenprint52+usb) stopped with status 1!
Date: Mon Jan 30 13:11:33 2017
InstallationDate: Installed on 2016-02-22 (342 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
Lpstat:
 device for KONICA-MINOLTA-C650-Series: dnssd://KONICA%20MINOLTA%20bizhub%20C550(59%3AE0%3A41)._pdl-datastream._tcp.local/
 device for Minolta-C308: lpd://KMB43113/print
MachineType: LENOVO 30A7000
Papersize: a4
PpdFiles:
 KONICA-MINOLTA-C650-Series: KONICA MINOLTA C550 PS(P)
 Minolta-C308: KONICA MINOLTA C658SeriesPS(P)
ProcEnviron:
 LANGUAGE=nb_NO:nb:no_NO:no:nn_NO:nn:en
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=nb_NO.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.8.0-34-generic root=UUID=f08f9ac3-36ef-4526-abb9-482ff984a4e0 ro quiet splash
SourcePackage: cups
UpgradeStatus: Upgraded to yakkety on 2016-11-29 (61 days ago)
dmi.bios.date: 04/25/2016
dmi.bios.vendor: LENOVO
dmi.bios.version: A4KT87AUS
dmi.board.name: 102F
dmi.board.vendor: LENOVO
dmi.board.version: SDK0K17763 WIN 1801920343506
dmi.chassis.type: 7
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnLENOVO:bvrA4KT87AUS:bd04/25/2016:svnLENOVO:pn30A7000:pvrLenovoProduct:rvnLENOVO:rn102F:rvrSDK0K17763WIN1801920343506:cvnToBeFilledByO.E.M.:ct7:cvrToBeFilledByO.E.M.:
dmi.product.name: 30A7000
dmi.product.version: Lenovo Product
dmi.sys.vendor: LENOVO

Dag Bjerkeli (dag-e) wrote :
Till Kamppeter (till-kamppeter) wrote :

Which print queue failed with active AppArmor? KONICA-MINOLTA-C650-Series or Minolta-C308 or both?

Changed in cups (Ubuntu):
status: New → Incomplete
Dag Bjerkeli (dag-e) wrote :

This was raised from the C308 printer, which I just had installed. The C650 was the old printer that we got, and I _think_ printing was working on that machine.

Till Kamppeter (till-kamppeter) wrote :

According to this line

Jan 30 12:42:26 dag-TS-P500 kernel: [ 895.746636] audit: type=1400 audit(1485776546.086:43): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" capability=12 capname="net_admin"

the CUPS "lpd" backend (/usr/lib/cups/backend/lpd) needs the "net_admin" capability. xnox, slangasek, could you tell me where it is best to add this capability in /etc/apparmor.d/usr.sbin.cupsd? Thanks.

Till Kamppeter (till-kamppeter) wrote :

Sorry, picked up the wrong names.

Jamie, Marc, could you help me concerning how to add the "net_admin" capability to the "lpd" CUPS backend (see previous comment)?

Jamie Strandboge (jdstrand) wrote :

net_admin is a very powerful capability. What is lpd trying to do?

Launchpad Janitor (janitor) wrote :

[Expired for cups (Ubuntu) because there has been no activity for 60 days.]

Changed in cups (Ubuntu):
status: Incomplete → Expired
Till Kamppeter (till-kamppeter) wrote :

I do not know exactly why lpadmin needs this capability, I even do not know which actions are covered by net_admin. What I know about the LPD backend is that it accesses the printer through port 515 and it is possible that the backend accesses the printer via SNMP in addition.

Dag Bjerkeli (dag-e) wrote :

Meanwhile I've upgraded the computer to 17.04, but I have not checked the presence of the bug after the upgrade. I will check tomorrow when I get access to the computer.

Jamie Strandboge (jdstrand) wrote :

@Till, see 'man 7 capabilities' for what net_admin grants. We need to understand why the access is needed before granting it.

Jamie Strandboge (jdstrand) wrote :

In the meantime, users can workaround this by adjusting /etc/apparmor.d/local/usr.sbin.cupsd to have:

 capability net_admin,

and then reloading the profile with:

$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
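The audit lines quoted in this thread show the same access under two verdicts: apparmor="DENIED" while the cupsd profile is in enforce mode, and apparmor="ALLOWED" after `aa-complain`, where the kernel only logs what it would have blocked. The following Python is an added example, not code from the original report or from the CUPS or AppArmor projects. It parses type=1400 AppArmor audit records (both syslog-prefixed kernel lines and raw dmesg lines), separates enforce-mode denials from complain-mode audits, and drafts the `capability ...,` rule a "capable" record calls for, grouped per profile. The sample lines are copied from this report; the field names (profile, comm, capname) are the kernel's own. Grouping by profile keeps the cups-browsed `sys_nice` record posted later in the thread separate from the cupsd `net_admin` one.

```python
"""Triage AppArmor audit records (type=1400) such as the ones in this report.

Each record is classified as an enforce-mode denial ("DENIED"), a complain-mode
audit of an access that would have been denied ("ALLOWED"), or a profile
load/replace ("STATUS", ignored), and the missing permissions are grouped per
profile so a rule is drafted against the right profile.
"""
import re
from collections import defaultdict

# key="quoted value" or key=bare_value tokens, scanned from 'apparmor=' onward
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample input: audit lines copied from this bug report (syslog and dmesg form).
SAMPLE_LINES = [
    'Jan 30 12:41:59 dag-TS-P500 kernel: [  868.929744] audit: type=1400 audit(1485776519.269:38): '
    'apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" '
    'pid=6932 comm="apparmor_parser"',
    'Jan 30 12:42:26 dag-TS-P500 kernel: [  895.746636] audit: type=1400 audit(1485776546.086:43): '
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6967 comm="lpd" '
    'capability=12  capname="net_admin"',
    'Jan 30 12:45:57 dag-TS-P500 kernel: [ 1106.940891] audit: type=1400 audit(1485776757.284:47): '
    'apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cupsd" pid=7031 comm="lpd" '
    'capability=12  capname="net_admin"',
    '[491184.232027] audit: type=1400 audit(1496903835.766:41): apparmor="DENIED" '
    'operation="capable" profile="/usr/sbin/cupsd" pid=21237 comm="lpd" capability=12  capname="net_admin"',
    'Jun  5 00:00:07 cmdesk01 kernel: [4025941.209572] audit: type=1400 audit(1591304407.264:388): '
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=1792223 '
    'comm="cups-browsed" capability=23  capname="sys_nice"',
]


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record, or None.

    Anything before 'apparmor=' (syslog prefix, audit(...) stamp) is skipped, so
    the same parser handles /var/log/syslog, journalctl -k and dmesg output.
    """
    idx = line.find('apparmor=')
    if idx < 0:
        return None
    fields = {}
    for key, val in _KV.findall(line[idx:]):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def suggested_rule(rec):
    """Draft the profile rule that would satisfy a 'capable' record.

    Only capability requests are handled here; file and network records need
    the path/family fields and are left to the reader.
    """
    if rec.get('operation') == 'capable' and 'capname' in rec:
        return 'capability %s,' % rec['capname']
    return None


def triage(lines):
    """Map (profile, mode) -> sorted list of rules the profile is missing.

    mode is 'enforce' for DENIED records and 'complain' for ALLOWED records,
    which is what aa-complain produces: logged, not blocked.
    """
    needs = defaultdict(set)
    for line in lines:
        rec = parse_audit_line(line)
        if not rec:
            continue
        verdict = rec.get('apparmor')
        if verdict == 'DENIED':
            mode = 'enforce'
        elif verdict == 'ALLOWED':
            mode = 'complain'
        else:
            continue  # STATUS records (profile_replace etc.) carry no access request
        rule = suggested_rule(rec)
        if rule:
            needs[(rec['profile'], mode)].add(rule)
    return {key: sorted(rules) for key, rules in needs.items()}


if __name__ == '__main__':
    for (profile, mode), rules in sorted(triage(SAMPLE_LINES).items()):
        print('%s [%s mode]:' % (profile, mode))
        for rule in rules:
            print('    ' + rule)
```

The drafted rule is only a starting point for the local override described above (drop it into /etc/apparmor.d/local/usr.sbin.cupsd and reload with `apparmor_parser -r`); as noted in this thread, net_admin is a broad capability, so the reason the backend needs it should be understood before the rule is shipped in the packaged profile.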

Dag Bjerkeli (dag-e) wrote :

I finally got to check the status of this on Ubuntu 17.04. Same computer but upgraded ubuntu.
Print from LibreOffice gave this in log (dmesg):
[491184.232027] audit: type=1400 audit(1496903835.766:41): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=21237 comm="lpd" capability=12 capname="net_admin"

Applying the workaround resulted in no AppArmor errors in dmesg.

Jon Schewe (jpschewe) wrote :

I'm seeing this in Ubuntu 18.04 as well. I have 2 printers configured: an HP LaserJet p4015 and a Canon ImageRunner C5030.

kernel: [35100.990629] audit: type=1400 audit(1536755161.327:158): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=15321 comm="cupsd" capability=12 capname="net_admin"

Robert Dinse (nanook) wrote :

I'm seeing this in 19.10 as well. Good to know it's gone for at least two years without being fixed, way to go Canonical!

Arie Skliarouk (skliarie) wrote :

Looks like the same error in ubuntu 20.04:

Jun 5 00:00:07 cmdesk01 kernel: [4025941.209572] audit: type=1400 audit(1591304407.264:388): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=1792223 comm="cups-browsed" capability=23 capname="sys_nice"

Claudio Kuenzler (napsty) wrote :

Same happens in 18.04 (Linux Mint 19.3). Needed to manually add the net_admin caps as mentioned by Jamie.

Paul Menzel (paulmenzel) wrote :

@skliarie, your pasted log message is actually a different issue, and I just reported https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369 for it.
