AppArmor rules for CUPS seems to be too restrictive

Bug #132969 reported by Alexander Nofftz on 2007-08-16
6
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
cupsys (Ubuntu)
Undecided
Martin Pitt

Bug Description

Binary package hint: cupsys

Seems that the AppArmor rules for CUPS are too restrictive:

$ tail /var/log/syslog
Aug 16 18:05:41 laotse kernel: [ 4350.136178] audit(1187280341.702:73): REJECTING x access to /usr/bin/env (sh(10382) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.343839] audit(1187280426.707:74): REJECTING x access to /usr/bin/printf (bash(10442) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.345857] audit(1187280426.707:75): REJECTING r access to /usr/bin/printf (bash(10442) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.348943] audit(1187280426.707:76): REJECTING x access to /bin/cat (bash(10443) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 18:07:07 laotse kernel: [ 4435.350137] audit(1187280426.707:77): REJECTING r access to /bin/cat (bash(10443) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

After adding this lines to /etc/apparmor.d/usr.sbin.cupd everything works for me:

  /etc/papersize r,
  /usr/bin/printf ixr,
  /bin/cat ixr,
  /usr/bin/env ixr,
  /usr/bin/

Im using a Kyrocera FS-1010 (PostScript Laser Printer).

description: updated
Changed in apparmor:
status: New → Confirmed
Changed in cupsys:
status: New → Confirmed
description: updated
description: updated
Matt Zimmerman (mdz) wrote :

I see some errors as well, though I think it is perfectly reasonable to prevent cups from accessing these:

Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:13): REJECTING access to capability 'dac_override' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:15 localhost kernel: [11674.312000] audit(1187276115.276:14): REJECTING access to capability 'dac_read_search' (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11676.852000] audit(1187276117.776:15): REJECTING w access to /etc/printcap (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 16 15:55:18 localhost kernel: [11677.248000] audit(1187276118.276:16): REJECTING w access to /dev/tty (cupsd(11088) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

Stefan Fleiter (stefan-fleiter) wrote :

I have the rejection which is triggered by having installed the package resolvconf:
Aug 17 22:59:50 localhost kernel: [ 1820.513089] audit(1187384389.891:25):
REJECTING r access to /var/run/resolvconf/resolv.conf (cupsd(13070) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Should this be allowed for all packages which may use DNS?

On Fri, Aug 17, 2007 at 11:27:12PM -0000, Stefan Fleiter wrote:
> I have the rejection which is triggered by having installed the package resolvconf:
> Aug 17 22:59:50 localhost kernel: [ 1820.513089] audit(1187384389.891:25):
> REJECTING r access to /var/run/resolvconf/resolv.conf (cupsd(13070) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
> Should this be allowed for all packages which may use DNS?
>
This has already been reported and added to the nameservice abstractions.

--
Mathias

Martin Pitt (pitti) wrote :

The messages in Alexander's original post are already fixed in the latest cups. Keeping open for the /etc/printcap issue, cups should be able to write that.

Changed in apparmor:
status: Confirmed → Invalid
Changed in cupsys:
assignee: nobody → pitti
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

cupsys (1.3.0-3ubuntu1) gutsy; urgency=low

  * Merge bugfixes from Debian.
  * debian/local/apparmor-profile: Allow dac_override for now; this is
    slightly nasty, but cups chowns a lot of files (e. g. in
    /var/spool/cups/tmp) to 'lp' and thus cannot read/write them any more
    afterwards. Since we confine file access pretty tightly, this should not
    be much of a problem. (LP: #133015)
  * debian/local/apparmor-profile: cupsd should manage /etc/printcap.
    (LP: #132969)

cupsys (1.3.0-3) unstable; urgency=low

  [ Martin Pitt ]
  * debian/control: Allow 'ghostscript' as alternative dependency to gs-esp.
  * debian/cupsys.dirs: Create /usr/lib/cups/backend/ (regression from the big
    debian/rules cleanup). (closes: #438432)
  * debian/cupsys.preinst: Bump the version comparison for the file owner
    cleanup, since some log files were still left as owned by 'cupsys' until
    #437536 was fixed.
  * debian/cupsys-common.files: Do not install the .po files, cups does not
    use them at runtime. (closes: #438625)

  [ Till Kamppeter ]
  * debian/local/postscript.ppd: New generic PostScript PPD file for
    unknown PostScript printers added.

 -- Martin Pitt <email address hidden> Tue, 21 Aug 2007 07:48:34 +0200

Changed in cupsys:
status: In Progress → Fix Released

Administration through the web interface (http://localhost:631/) is no longer possible.

/var/log/messages has this line (as well as others):

Sep 18 23:39:01 Scooby-Doo kernel: [ 1014.585666] audit(1190155141.275:4): operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/lib/cups/cgi-bin/printers.cgi" pid=6989 profile="/usr/sbin/cupsd"

Changed in cupsys:
status: Fix Released → Confirmed
Stefan Fleiter (stefan-fleiter) wrote :

Verified fixed with cupsys 1.3.2-1ubuntu1.

Changed in cupsys:
status: Confirmed → Fix Released

fyi I just came across this problem - it does not look solved to me

[13091.864000] audit(1198502239.097:13): type=1503 operation="inode_permission" requested_mask="rw" denied_mask="rw" name="/dev/tty" pid=10801 profile="/usr/sbin/cupsd"

nazgul@dragonscale:~$ dpkg -l cupsys*
+++-=====================-=====================-==========================================================
ii cupsys 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - server
ii cupsys-bsd 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - BSD commands
ii cupsys-client 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - client programs (SysV)
ii cupsys-common 1.3.2-1ubuntu7.1 Common UNIX Printing System(tm) - common files
ii cupsys-driver-gimppri 5.0.1-0ubuntu8 printer drivers for CUPS
un cupsys-driver-gimppri <keine> (keine Beschreibung vorhanden)
ii cupsys-driver-gutenpr 5.0.1-0ubuntu8 printer drivers for CUPS

purging /etc/cups/ did remedy - ignore last comment

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers