[apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc
Christian Boltz
debian-bugs at cboltz.de
Sun Jan 27 15:49:26 UTC 2019
Hello,
Am Sonntag, 27. Januar 2019, 15:01:40 CET schrieb intrigeri:
> John Johansen:
> > Policy can be adjusted to include trap profiles that will attach
> > to binaries executed out of these directories. The trap profile
> > can grant limited to no permissions.
> > [...]
> > short term: confine users & a trap profile(s) on the /etc/cups dir
>
> I was not able to find any reference to the "trap profile" idea
> in our documentation. Could you please point me in the right
> direction? Thanks in advance!
My guess is that John meant something like that:
/etc/cups/** Cx -> trap,
profile trap {
# intentionally left empty
}
Regards,
Christian Boltz
--
Seriously? If you accused me of verbally abusing the _feature_
(or rather its implementation), I would understand. But I'm not
aware of verbally abusing _people_ (or at least not here, but I
hope you don't really have a microphone near my desk).
[Michal Kubecek in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190127/10c5451c/attachment.sig>
More information about the AppArmor
mailing list