diff options
-rw-r--r-- | debian/patches/ubuntu/ubuntu-apparmor-profile.patch | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/debian/patches/ubuntu/ubuntu-apparmor-profile.patch b/debian/patches/ubuntu/ubuntu-apparmor-profile.patch index 61c9af15..3f49b839 100644 --- a/debian/patches/ubuntu/ubuntu-apparmor-profile.patch +++ b/debian/patches/ubuntu/ubuntu-apparmor-profile.patch @@ -2,23 +2,37 @@ Description: Update the apparmor-profile - move Ux to Cx -> third_party and provide a third_party child profile. In this manner, we can add some modest confinement (can't change MAC policy, change_profile or mount) but more importantly it allows us to - specify peer=third_party to restrict where the strictly confined cups - process can send signals + specify peer=/usr/sbin/cupsd//third_party to restrict where the strictly + confined cups process can send signals + - allow all signals to /usr/sbin/cupsd//third_party + - allow unix to /usr/sbin/cupsd//third_party (LP: #1382042) - allow r of /var/cache/samba/*.tdb - allow r of /var/{cache,lib}/samba/printing/printers.tdb + - temporarily use attach_disconnected to work around LP: #1373070. This + should be undone once 1373070 is properly fixed Author: Jamie Strandboge <jamie@ubuntu.com> -Last-Update: 2014-10-01 +Last-Update: 2014-10-16 --- a/debian/local/apparmor-profile +++ b/debian/local/apparmor-profile -@@ -141,6 +141,7 @@ +@@ -4,7 +4,7 @@ + + #include <tunables/global> + +-/usr/sbin/cupsd { ++/usr/sbin/cupsd flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/bash> + #include <abstractions/authentication> +@@ -141,6 +141,8 @@ # silence noise deny /etc/udev/udev.conf r, -+ signal (receive, send) peer=third_party, ++ signal peer=/usr/sbin/cupsd//third_party, ++ unix peer=(label=/usr/sbin/cupsd//third_party), profile third_party { # third party backends, filters, and drivers get relatively no restrictions # as they often need high privileges, are unpredictable or otherwise beyond -@@ -149,6 +150,10 @@ +@@ -149,6 +151,10 @@ capability, audit deny capability mac_admin, network, |