Call for testing: new cupsys packages with AppArmor profile

Till Kamppeter till.kamppeter at gmail.com
Thu Aug 2 17:42:31 BST 2007


I have now merged these changes into my CUPS 1.3.0-RC2 packages. So you 
can test the AppArmored CUPS 1.3.0-RC2 now, too. Get the packages from

http://www.linux-foundation.org/~till/tmp/ubuntu/gutsy/cupsys13/

and the binary packages from

http://www.linux-foundation.org/~till/tmp/ubuntu/gutsy/cupsys13/binary/

Proceed with the testing like Martin Pitt already described. Especially 
report back the logs of AppArmor if you use the new authentication and 
networking features of CUPS 1.3.x.

    Till

Martin Pitt wrote:
> Hello everyone,
> 
> Martin Pitt [2007-08-02 12:15 -0000]:
>>  cupsys (1.2.12-1ubuntu2) gutsy; urgency=low
>>  .
>>    * Drop our derooting changes. It still has some regressions, and with
>>      upstream not even acknowledging the need for improving cupsys' security we
>>      will sit on this forever. (LP: #119289, LP: #129634)
>>    [...]
>>    * Add debian/local/apparmor-profile: AppArmor profile for cupsys, to replace
>>      the former derooting patches. This uses complain mode for now, until we
>>      got some more testing. Install it to /etc/apparmor.d/usr.sbin.cupsd in
>>      debian/rules and reload apparmor in debian/cupsys.postinst on configure.
> 
> I just did quite a major change to cupsys. Our derooting patches
> will probably never make it upstream [1], and our patches still
> imposed some functional regressions compared to the upstream variant.
> Since we have AppArmor by default now, it is much easier and more
> flexible (albeit much less secure, unfortunately, but still good
> enough IMHO) to replace all of that mess with a profile.
> 
> This version ships one by default now. I do not want to ship gutsy
> final with the profile in complain mode, though, so I would like to
> collect some feedback about this before flipping it to 'enforce' by
> default.
> 
> So please put it into enforce mode yourself with
> 
>   sudo aa-enforce cupsd
> 
> and check if your printing tasks still work normally. If not, I
> appreciate a bug report with the following:
> 
>   /etc/cups/cupsd.conf
>   /etc/cups/printers.conf
>   /var/log/cups/error_log
> 
>   output of "grep audit.*cupsd /var/log/kern.log"
> 
> If all goes well, I'll flip the complain->enforce switch after Tribe
> 4, to get some more widespread testing.
> 
> The current profile is not yet perfect, of course, but it makes basic
> things work for me (USB printer, detection, job control, web
> interface, etc.). All suggestions welcome, of course!
> 
> Thank you in advance,
> 
> Martin
> 
> [1] Upstream basically denies that it is a problem to have a daemon
> running as root which listens to the network and does an awful lot of
> string and file processing and calling of external programs and
> libraries.
> 
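
The items requested for a bug report above can be gathered in one step. This is an added example, not part of either message or of the cupsys packaging; the function names, the CUPS_ETC/CUPS_LOG/KERN_LOG override variables and the masking of URI credentials (printers.conf DeviceURI lines can embed user:password@) are assumptions of the example.

```shell
#!/bin/sh
# Added example: collect the items requested in the message into one directory.
# Defaults are the paths from the message; the CUPS_ETC, CUPS_LOG and KERN_LOG
# overrides and both function names are assumptions of this example.

# Mask "user:password@" in URIs (printers.conf DeviceURI lines may carry
# credentials) so they do not end up in a public bug report.
redact_uris() {
    sed -E 's#([A-Za-z][A-Za-z0-9+.-]*://)[^/@[:space:]]+@#\1REDACTED@#g' "$1"
}

# Usage: collect_cupsd_report OUTDIR   (some of the files may need root to read)
collect_cupsd_report() {
    out=$1
    etc=${CUPS_ETC:-/etc/cups}
    log=${CUPS_LOG:-/var/log/cups}
    kern=${KERN_LOG:-/var/log/kern.log}
    mkdir -p "$out" || return 1
    rm -f "$out/MISSING"

    for src in "$etc/cupsd.conf" "$etc/printers.conf" "$log/error_log"; do
        if [ -r "$src" ]; then
            redact_uris "$src" > "$out/$(basename "$src")"
        else
            echo "$src" >> "$out/MISSING"
        fi
    done

    # Same filter as in the message; an empty result means no AppArmor
    # audit lines for cupsd were logged, which is worth reporting too.
    if [ -r "$kern" ]; then
        grep 'audit.*cupsd' "$kern" > "$out/apparmor-audit.txt" || :
    else
        echo "$kern" >> "$out/MISSING"
    fi

    # Succeed only if every requested item was readable.
    [ ! -e "$out/MISSING" ]
}
```

Review the copied files before attaching them; the masking only covers the user:password@ URI form.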



