[apparmor] cupsd profile: list of backends
    intrigeri <intrigeri at debian.org>
    Tue Aug 11 11:55:20 UTC 2015

Hi,
in usr.sbin.cupsd, in Debian and Ubuntu, we have:
  # backends which come with CUPS can be confined
  /usr/lib/cups/backend/bluetooth ixr,
  /usr/lib/cups/backend/dnssd ixr,
  /usr/lib/cups/backend/http ixr,
  /usr/lib/cups/backend/ipp ixr,
  /usr/lib/cups/backend/lpd ixr,
  /usr/lib/cups/backend/parallel ixr,
  /usr/lib/cups/backend/serial ixr,
  /usr/lib/cups/backend/snmp ixr,
  /usr/lib/cups/backend/socket ixr,
  /usr/lib/cups/backend/usb ixr,
  # we treat cups-pdf specially, since it needs to write into /home
  # and thus needs extra paranoia
  /usr/lib/cups/backend/cups-pdf Px,
  # third party backends get no restrictions as they often need high
  # privileges and this is beyond our control
  /usr/lib/cups/backend/* Cx -> third_party,
Is there any process in place to update the list of
*confined* backends?
On Debian Jessie and sid, in /usr/lib/cups/backend/ I also have four
more files (including 3 symlinks) shipped by cups-daemon, namely:
   - http -> ipp
   - https -> ipp
   - ipps -> ipp
   - ipp14
=> in practice, the ipp backend will run mostly unconfined (under
the third_party profile) whenever it's called as
/usr/lib/cups/backend/{http,https,ipps}, right? Ditto for ipp14.
If my understanding is right, I now have two questions:
   - short-term: shall we add these 4 backends to the profile?
   - long-term: shall we regularly inspect the list of backends
     shipped by cups-daemon, and update the profile accordingly?
Cheers,
-- 
intrigeri
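An added check for the long-term question raised above (example script written for this page; it is not part of the thread, of the cups-daemon packaging or of the AppArmor project): it compares the entries of a CUPS backend directory against the backends that have an explicit rule in the cupsd profile and reports every entry that only the catch-all rule (/usr/lib/cups/backend/* Cx -> third_party) would match. The profile excerpt and the backend directory it runs against are constructed inline to mirror the mail; on a real system you would point unconfined_backends at /usr/lib/cups/backend and pass it the text of /etc/apparmor.d/usr.sbin.cupsd. Symlinks are reported by their own name together with their target. One caveat worth keeping in mind when reading the output: AppArmor matches file rules against the path the kernel resolves, so for a symlink it is the target's rule that applies; printing both lets you judge each entry on its own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from the CUPS/AppArmor
# packaging. It lists backends that have no explicit rule in a cupsd profile
# excerpt and would therefore fall through to the third_party catch-all.
set -eu

# Constructed profile excerpt mirroring the Debian/Ubuntu usr.sbin.cupsd rules
# quoted in the mail (not the full shipped profile).
PROFILE_SNIPPET='
  /usr/lib/cups/backend/bluetooth ixr,
  /usr/lib/cups/backend/dnssd ixr,
  /usr/lib/cups/backend/http ixr,
  /usr/lib/cups/backend/ipp ixr,
  /usr/lib/cups/backend/lpd ixr,
  /usr/lib/cups/backend/parallel ixr,
  /usr/lib/cups/backend/serial ixr,
  /usr/lib/cups/backend/snmp ixr,
  /usr/lib/cups/backend/socket ixr,
  /usr/lib/cups/backend/usb ixr,
  /usr/lib/cups/backend/cups-pdf Px,
  /usr/lib/cups/backend/* Cx -> third_party,
'

# explicit_backends PROFILE_TEXT
# Prints the basename of every backend that has a rule of its own, i.e. every
# /usr/lib/cups/backend/<name> rule whose <name> is not the "*" catch-all.
explicit_backends() {
    printf '%s\n' "$1" \
      | sed -n 's#^[[:space:]]*/usr/lib/cups/backend/\([^[:space:]*]*\)[[:space:]].*#\1#p'
}

# unconfined_backends BACKEND_DIR PROFILE_TEXT
# Prints one line per entry of BACKEND_DIR (regular files and symlinks) that has
# no explicit rule in PROFILE_TEXT. Symlinks are printed as "name -> target" so
# the reader can see which rule the kernel-resolved path would hit.
unconfined_backends() {
    dir=$1; profile=$2
    listed=$(explicit_backends "$profile")
    for path in "$dir"/*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if ! printf '%s\n' "$listed" | grep -qx -- "$name"; then
            if [ -L "$path" ]; then
                printf '%s -> %s\n' "$name" "$(readlink "$path")"
            else
                printf '%s\n' "$name"
            fi
        fi
    done
}

# make_sample_backend_dir
# Builds a constructed directory shaped like the Jessie/sid
# /usr/lib/cups/backend/ described in the mail (empty placeholder binaries plus
# the http/https/ipps -> ipp symlinks) and prints its path.
make_sample_backend_dir() {
    d=$(mktemp -d)
    for b in bluetooth dnssd ipp ipp14 lpd parallel serial snmp socket usb cups-pdf; do
        : > "$d/$b"
        chmod 755 "$d/$b"
    done
    for l in http https ipps; do
        ln -s ipp "$d/$l"
    done
    printf '%s\n' "$d"
}

SAMPLE_DIR=$(make_sample_backend_dir)
echo "Backends without an explicit rule (would run under third_party):"
unconfined_backends "$SAMPLE_DIR" "$PROFILE_SNIPPET"
rm -rf "$SAMPLE_DIR"
```

On the constructed directory this prints https and ipps (as symlinks to ipp) and ipp14; http is not reported because the excerpt already carries an explicit rule for it. Re-running the same check after each cups-daemon upload is a cheap way to notice when a new backend appears in the package without a matching profile rule.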