[apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

[intrigeri]

Hi John & others,

John Johansen:
> Policy can be adjusted to include trap profiles that will attach
> to binaries executed out of these directories. The trap profile
> can grant limited to no permissions.
> [...]
> short term: confine users & a trap profile(s) on the /etc/cups dir

I was not able to find any reference to the "trap profile" idea
in our documentation. Could you please point me in the right
direction? Thanks in advance!

Cheers,
-- 
intrigeri