Description: Update the apparmor-profile - move Ux to Cx -> third_party and provide a third_party child profile. In this manner, we can add some modest confinement (can't change MAC policy, change_profile or mount) but more importantly it allows us to specify peer=/usr/sbin/cupsd//third_party to restrict where the strictly confined cups process can send signals - allow all signals to /usr/sbin/cupsd//third_party - allow unix to /usr/sbin/cupsd//third_party (LP: #1382042) - allow r of /var/cache/samba/*.tdb - allow r of /var/{cache,lib}/samba/printing/printers.tdb - temporarily use attach_disconnected to work around LP: #1373070. This should be undone once 1373070 is properly fixed Author: Jamie Strandboge Last-Update: 2014-10-16 --- a/debian/local/apparmor-profile +++ b/debian/local/apparmor-profile @@ -4,7 +4,7 @@ #include -/usr/sbin/cupsd { +/usr/sbin/cupsd flags=(attach_disconnected) { #include #include #include @@ -141,6 +141,8 @@ # silence noise deny /etc/udev/udev.conf r, + signal peer=/usr/sbin/cupsd//third_party, + unix peer=(label=/usr/sbin/cupsd//third_party), profile third_party { # third party backends, filters, and drivers get relatively no restrictions # as they often need high privileges, are unpredictable or otherwise beyond @@ -149,6 +151,10 @@ capability, audit deny capability mac_admin, network, + dbus, + signal, + ptrace, + unix, } # Site-specific additions and overrides. See local/README for details.
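Review bot: In the @@ -4,7 +4,7 @@ hunk, the `flags=(attach_disconnected)` added to the `/usr/sbin/cupsd` profile line has no comment in the profile marking it as temporary. The description says it works around LP: #1373070 and should be undone once that bug is fixed, but that reminder lives only in the patch header. A one-line comment directly above the profile line naming LP: #1373070 would keep it next to the flag. The flag applies to every rule in the profile, so it should be easy to find and remove later.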
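Review bot: In the @@ -141,6 +141,8 @@ hunk, the added `signal peer=/usr/sbin/cupsd//third_party,` rule names no access mode, so it permits both sending and receiving signals. The description gives the goal as restricting where the confined cups process can send signals. If cupsd does not need to receive signals from the child profile, `signal (send) peer=/usr/sbin/cupsd//third_party,` would match that intent more closely. The two new rules also sit directly under the "silence noise" comment with no comment of their own. A short line referencing LP: #1382042 for the `unix` rule would make the reason for both visible in the profile.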
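Review bot: In the @@ -149,6 +151,10 @@ hunk, `dbus,` and `ptrace,` are added to `profile third_party` with no peer restriction and no justification. The description only explains signal and unix access between cupsd and `/usr/sbin/cupsd//third_party`. The existing comment says third-party backends get relatively no restrictions, so broad rules may be intended, but the description should then list all four additions and say why `ptrace` is needed. If tracing is only needed among third_party processes, a `peer=` restriction to that label would preserve it. Separately, the description lists the Ux to Cx change and the samba `.tdb` read rules, which none of the three hunks contain; either those hunks are missing or the description should be trimmed to match.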