author | Till Kamppeter <till.kamppeter@gmail.com> | 2014-10-26 18:52:06 +0100 |
---|---|---|
committer | Till Kamppeter <till.kamppeter@gmail.com> | 2014-10-26 18:52:06 +0100 |
commit | 14c1ca45e4d7ec44bbaa3f435dc515df4b925524 (patch) | |
tree | 7a5f7bba4e26dc8129a88c4de4a62371f90b21c6 | |
parent | c325f4a207bf2eee04de93719924f682f5a9d817 (diff) | |
download | cups-14c1ca45e4d7ec44bbaa3f435dc515df4b925524.tar.gz | |
Merged in more Ubuntu-specific AppArmor profile changes:
- Fix peer on signal rule to use /usr/sbin/cupsd//third_party
(LP: #1376611)
- Temporarily use attach_disconnected to work around LP: #1373070. This
should be undone once 1373070 is properly fixed
- Allow all signals to /usr/sbin/cupsd//third_party
- Allow unix to /usr/sbin/cupsd//third_party (LP: #1382042)
-rw-r--r-- | debian/patches/ubuntu/ubuntu-apparmor-profile.patch | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/debian/patches/ubuntu/ubuntu-apparmor-profile.patch b/debian/patches/ubuntu/ubuntu-apparmor-profile.patch index 61c9af15..3f49b839 100644 --- a/debian/patches/ubuntu/ubuntu-apparmor-profile.patch +++ b/debian/patches/ubuntu/ubuntu-apparmor-profile.patch @@ -2,23 +2,37 @@ Description: Update the apparmor-profile - move Ux to Cx -> third_party and provide a third_party child profile. In this manner, we can add some modest confinement (can't change MAC policy, change_profile or mount) but more importantly it allows us to - specify peer=third_party to restrict where the strictly confined cups - process can send signals + specify peer=/usr/sbin/cupsd//third_party to restrict where the strictly + confined cups process can send signals + - allow all signals to /usr/sbin/cupsd//third_party + - allow unix to /usr/sbin/cupsd//third_party (LP: #1382042) - allow r of /var/cache/samba/*.tdb - allow r of /var/{cache,lib}/samba/printing/printers.tdb + - temporarily use attach_disconnected to work around LP: #1373070. This + should be undone once 1373070 is properly fixed Author: Jamie Strandboge <jamie@ubuntu.com> -Last-Update: 2014-10-01 +Last-Update: 2014-10-16 --- a/debian/local/apparmor-profile +++ b/debian/local/apparmor-profile -@@ -141,6 +141,7 @@ +@@ -4,7 +4,7 @@ + + #include <tunables/global> + +-/usr/sbin/cupsd { ++/usr/sbin/cupsd flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/bash> + #include <abstractions/authentication> +@@ -141,6 +141,8 @@ # silence noise deny /etc/udev/udev.conf r, -+ signal (receive, send) peer=third_party, ++ signal peer=/usr/sbin/cupsd//third_party, ++ unix peer=(label=/usr/sbin/cupsd//third_party), profile third_party { # third party backends, filters, and drivers get relatively no restrictions # as they often need high privileges, are unpredictable or otherwise beyond -@@ -149,6 +150,10 @@ +@@ -149,6 +151,10 @@ capability, audit deny capability mac_admin, network, |
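Review bot: the `attach_disconnected` workaround is documented only in the patch's Description header, not in the profile itself; add a comment next to `/usr/sbin/cupsd flags=(attach_disconnected) {` in debian/local/apparmor-profile that references LP: #1373070 and says the flag is to be removed once that bug is fixed, because the flag makes AppArmor treat disconnected paths as if they hung off the namespace root, so existing path rules can match such files and the relaxation applies to the whole cupsd profile, not just the third_party child. On the same hunk, `signal peer=/usr/sbin/cupsd//third_party,` drops the `(receive, send)` qualifier of the old rule and so grants every signal in both directions with that peer, which matches the "allow all signals" line in the Description; if a narrower set turns out to be enough later, a `set=(...)` qualifier on that rule is the place to tighten it. The shifted inner hunk headers (`+141,8` and `+151,10`) are consistent with the two added lines replacing the previous one.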