[apparmor] cupsd profile: list of backends

Felix Geyer fgeyer at debian.org
Wed Aug 12 06:08:11 UTC 2015


Hi,

On 11.08.2015 13:55, intrigeri wrote:
> Hi,
> 
> in usr.sbin.cupsd, in Debian and Ubuntu, we have:
> 
>   # backends which come with CUPS can be confined
>   /usr/lib/cups/backend/bluetooth ixr,
>   /usr/lib/cups/backend/dnssd ixr,
>   /usr/lib/cups/backend/http ixr,
>   /usr/lib/cups/backend/ipp ixr,
>   /usr/lib/cups/backend/lpd ixr,
>   /usr/lib/cups/backend/parallel ixr,
>   /usr/lib/cups/backend/serial ixr,
>   /usr/lib/cups/backend/snmp ixr,
>   /usr/lib/cups/backend/socket ixr,
>   /usr/lib/cups/backend/usb ixr,
>   # we treat cups-pdf specially, since it needs to write into /home
>   # and thus needs extra paranoia
>   /usr/lib/cups/backend/cups-pdf Px,
>   # third party backends get no restrictions as they often need high
>   # privileges and this is beyond our control
>   /usr/lib/cups/backend/* Cx -> third_party,
> 
> Is there any process in place to update the list of
> *confined* backends?
> 
> On Debian Jessie and sid, in /usr/lib/cups/backend/ I also have four
> more files (including 3 symlinks) shipped by cups-daemon, namely:
> 
>    - http -> ipp
>    - https -> ipp
>    - ipps -> ipp
>    - ipp14
> 
> => in practice, the ipp backend will run mostly unconfined (under
> the third_party profile), whenever it's called
> /usr/lib/cups/backend/{http,https,ipps}, right? Ditto for ipp14.

The profile has this rule, which takes preference over the catch-all third_party rule:
/usr/lib/cups/backend/ipp ixr,

AppArmor follows symlinks so it will also apply the rule for http, https and ipps.

FWIW backend gutenprint52+usb is also installed by default (package printer-driver-gutenprint).

> If my understanding is right, I now have two questions:
> 
>    - short-term: shall we add these 4 backends to the profile?
>    - long-term: shall we regularly inspect the list of backends
>      shipped by cups-daemon, and update the profile accordingly?

That would be good, but you kind of need a compatible printer to test if the
backend works within the confinement.

Cheers,
Felix
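The two points Felix makes (AppArmor mediates the resolved path, and an exact-path rule wins over the `/usr/lib/cups/backend/*` glob) can be turned into a small audit that answers intrigeri's question mechanically: which entries in the backend directory are named by an explicit rule, and which only the `third_party` catch-all covers. The script below is an added example written for this post, not code from the cupsd profile, the AppArmor project, or either poster. It builds a constructed stand-in for `/usr/lib/cups/backend/` (plain files plus the `http`, `https` and `ipps` symlinks to `ipp`) and a constructed excerpt of the profile in a temporary directory; it assumes GNU `readlink -f` is available and models precedence exactly as the thread describes it (explicit path rule for the resolved target means confined, otherwise the glob applies).

```shell
#!/bin/sh
# Added audit helper (not part of the cupsd profile or of this thread): for each
# entry in a backend directory, resolve symlinks the way AppArmor does and report
# whether an explicit rule names the resolved path or whether the entry falls
# through to the "/usr/lib/cups/backend/* Cx -> third_party" glob.
# The directory and the profile excerpt below are constructed stand-ins.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BACKEND_DIR="$WORK/backend"
PROFILE="$WORK/usr.sbin.cupsd"
mkdir -p "$BACKEND_DIR"

# Constructed backend directory: plain files plus the symlinks named in the thread.
for b in ipp ipp14 lpd socket usb cups-pdf gutenprint52+usb; do
    : > "$BACKEND_DIR/$b"
done
ln -s ipp "$BACKEND_DIR/http"
ln -s ipp "$BACKEND_DIR/https"
ln -s ipp "$BACKEND_DIR/ipps"

# Constructed profile excerpt mirroring the rule shape quoted in the thread.
cat > "$PROFILE" <<'EOF'
  /usr/lib/cups/backend/ipp ixr,
  /usr/lib/cups/backend/lpd ixr,
  /usr/lib/cups/backend/socket ixr,
  /usr/lib/cups/backend/usb ixr,
  /usr/lib/cups/backend/cups-pdf Px,
  /usr/lib/cups/backend/* Cx -> third_party,
EOF

# classify_backend NAME: prints "confined NAME->TARGET" or "third_party NAME->TARGET".
# The exact-path rule is looked up for the resolved target, because AppArmor
# mediates the path of the file actually executed, not the symlink's own name.
classify_backend() {
    name=$1
    target=$(basename "$(readlink -f "$BACKEND_DIR/$name")")
    # First field of each rule line is the path; an exact match beats the glob.
    if awk -v p="/usr/lib/cups/backend/$target" '$1 == p { hit = 1 } END { exit !hit }' "$PROFILE"; then
        printf 'confined %s->%s\n' "$name" "$target"
    else
        printf 'third_party %s->%s\n' "$name" "$target"
    fi
}

# list_unconfined: prints, one per line, the entries covered only by the glob.
# These are the candidates for the "shall we add these to the profile" question.
list_unconfined() {
    for f in "$BACKEND_DIR"/*; do
        n=$(basename "$f")
        case $(classify_backend "$n") in
            third_party*) echo "$n" ;;
        esac
    done
}

echo "Backend audit:"
for f in "$BACKEND_DIR"/*; do
    classify_backend "$(basename "$f")"
done
```

Run against the constructed directory, `http`, `https` and `ipps` come out as confined under the `ipp` rule, while `ipp14` and `gutenprint52+usb` are the only entries left to the `third_party` child profile; pointing `BACKEND_DIR` and `PROFILE` at the real paths on a Debian or Ubuntu host gives the same report for the installed backends.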


