| field | value | date |
|---|---|---|
| author | Jamie Strandboge <jamie@ubuntu.com> | 2014-09-24 11:24:03 -0500 |
| committer | Didier Raboud <odyx@debian.org> | 2014-09-30 08:18:39 +0200 |
| commit | c69d1800141ac95a72975c3175cc94517bbe5574 | |
| tree | 72f8a6af03a954787cf44928bd6a82014e57bda8 | |
| parent | c9945caa5e08ca95506e970827b709c704b8d02f | |
| download | cups-c69d1800141ac95a72975c3175cc94517bbe5574.tar.gz | |
Update the apparmor-profile
- move Ux to Cx -> third_party and provide a third_party child profile. In
this manner, we can add some modest confinement (can't change MAC
policy, change_profile or mount) but more importantly it allows us to
specify peer=third_party to restrict where the strictly confined cups
process can send signals
- allow r of /var/cache/samba/*.tdb
- allow r of /var/{cache,lib}/samba/printing/printers.tdb
LP: #1370930
LP: #1371097
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | debian/local/apparmor-profile | 27 |

1 files changed, 22 insertions, 5 deletions
diff --git a/debian/local/apparmor-profile b/debian/local/apparmor-profile index 69483012..a0392a3d 100644 --- a/debian/local/apparmor-profile +++ b/debian/local/apparmor-profile @@ -92,7 +92,7 @@ /usr/lib/cups/backend/cups-pdf Px, # third party backends get no restrictions as they often need high # privileges and this is beyond our control - /usr/lib/cups/backend/* Ux, + /usr/lib/cups/backend/* Cx -> third_party, /usr/lib/cups/cgi-bin/* ixr, /usr/lib/cups/daemon/* ixr, @@ -100,8 +100,8 @@ /usr/lib/cups/notifier/* ixr, # filters and drivers (PPD generators) are always run as non-root, # and there are a lot of third-party drivers which we cannot predict - /usr/lib/cups/filter/** Uxr, - /usr/lib/cups/driver/* Uxr, + /usr/lib/cups/filter/** Cxr -> third_party, + /usr/lib/cups/driver/* Cxr -> third_party, /usr/local/** rm, /usr/local/lib/cups/** rix, /usr/share/** r, @@ -109,6 +109,8 @@ /{,var/}run/avahi-daemon/socket rw, deny /{,var/}run/samba/ rw, /{,var/}run/samba/** rw, + /var/cache/samba/*.tdb r, + /var/{cache,lib}/samba/printing/printers.tdb r, /{,var/}run/cups/ rw, /{,var/}run/cups/** rw, /var/cache/cups/ rw, @@ -122,8 +124,8 @@ /opt/** rix, # FIXME: no policy ATM for hplip and Brother drivers - /usr/bin/hpijs Ux, - /usr/Brother/** Ux, + /usr/bin/hpijs Cx -> third_party, + /usr/Brother/** Cx -> third_party, # Kerberos authentication /etc/krb5.conf r, @@ -139,6 +141,21 @@ # silence noise deny /etc/udev/udev.conf r, + signal (receive, send) peer=third_party, + profile third_party { + # third party backends, filters, and drivers get relatively no restrictions + # as they often need high privileges, are unpredictable or otherwise beyond + # our control + file, + capability, + audit deny capability mac_admin, + network, + dbus, + signal, + ptrace, + unix, + } + # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.cupsd> } |
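Review bot: in the first hunk (@@ -92,7) the comment directly above the changed line, "third party backends get no restrictions as they often need high privileges and this is beyond our control", is now inaccurate: `Cx -> third_party` puts backends under the third_party child profile, which does restrict them (no mount rule, no change_profile, audited deny of mac_admin). Reword it to say that backends run under the third_party child profile with only modest confinement, so a reader does not assume the old `Ux` semantics still apply.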
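Review bot: the second hunk (@@ -100,8) leaves the two filter locations with different exec semantics: `/usr/lib/cups/filter/**` and `/usr/lib/cups/driver/*` now transition to the third_party child profile, while the unchanged `/usr/local/lib/cups/** rix,` two lines below still runs locally installed filters inline under the cupsd profile, so a local filter that needs the broad `file,`/`capability,` access third_party grants will hit denials the packaged ones no longer do. Either move the /usr/local rule to `Cxr -> third_party` as well, or add a comment explaining why the two are treated differently.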
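Review bot: in the third hunk (@@ -109,6) `r` alone may not be enough for the two new .tdb rules: libtdb takes fcntl locks on a database even when it is opened read-only, and AppArmor mediates those with the `k` permission, so the samba backend can still fail with `k` denials; check the audit log while printing through the samba backend and use `rk` if lock requests appear. Also, `/var/cache/samba/*.tdb r,` grants read on every tdb in that directory rather than only the printing databases; if specific files are enough, name them, and a comment referencing LP: #1370930 and LP: #1371097 would record why the rules exist.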
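Review bot: the `# FIXME: no policy ATM for hplip and Brother drivers` comment in the fourth hunk (@@ -122,8) is now stale: both lines transition to the third_party child profile, so there is a (modest) policy. Reword along the lines of `# FIXME: no dedicated policy yet for hplip and Brother drivers; they run under third_party` so the FIXME still records the intent to write proper profiles without misdescribing the current state.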
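Review bot: in the last hunk (@@ -139,6) the child profile's bare `signal,` rule undercuts the stated goal of the change. The cupsd side is scoped with `signal (receive, send) peer=third_party,`, but inside `profile third_party` an unscoped `signal,` lets a third-party backend, filter or driver send any signal to any process on the system, cupsd included. Consider scoping it to the enclosing profile, e.g. `signal (receive, send) peer=<name of the enclosing cupsd profile>,` (that name is not visible in this hunk). The same applies to the bare `ptrace,`: together with `capability,` (which supplies sys_ptrace) it allows unrestricted tracing, which is a lot for "modest confinement"; drop it if third-party drivers do not need it, or restrict it with `peer=`. Minor: "relatively no restrictions" in the comment reads oddly; "almost no restrictions" says what is meant.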