[Pkg-cups-devel] r505 - in cupsys/branches/cups-1.2-ubuntu/debian: . local

Martin Pitt mpitt at alioth.debian.org
Thu Aug 2 12:10:42 UTC 2007 

Author: mpitt
Date: Thu Aug  2 12:10:42 2007
New Revision: 505

Log:
* Add debian/local/apparmor-profile: AppArmor profile for cupsys, to replace
  the former derooting patches. This uses complain mode for now, until we
  got some more testing. Install it to /etc/apparmor.d/usr.sbin.cupsd in
  debian/rules and reload apparmor in debian/cupsys.postinst on configure.

Added:
   cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
Modified:
   cupsys/branches/cups-1.2-ubuntu/debian/changelog
   cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst
   cupsys/branches/cups-1.2-ubuntu/debian/rules

Modified: cupsys/branches/cups-1.2-ubuntu/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/changelog	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/changelog	Thu Aug  2 12:10:42 2007
@@ -24,8 +24,12 @@
      sensible AppArmor profile.
    * debian/cupsys.preinst: Fix file permissions on upgrades (owner cupsys ->
      root).
+  * Add debian/local/apparmor-profile: AppArmor profile for cupsys, to replace
+    the former derooting patches. This uses complain mode for now, until we
+    got some more testing. Install it to /etc/apparmor.d/usr.sbin.cupsd in
+    debian/rules and reload apparmor in debian/cupsys.postinst on configure.
 
- -- Martin Pitt <martin.pitt at ubuntu.com>  Thu, 02 Aug 2007 13:52:46 +0200
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Thu, 02 Aug 2007 14:06:05 +0200
 
 cupsys (1.2.12-1ubuntu1) gutsy; urgency=low
 

Modified: cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/cupsys.postinst	Thu Aug  2 12:10:42 2007
@@ -237,6 +237,8 @@
             rm -f /etc/rc0.d/K19cupsys /etc/rc6.d/K19cupsys
         fi
 
+        # Reload AppArmor profile
+        invoke-rc.d apparmor force-reload || true
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

Added: cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
==============================================================================
--- (empty file)
+++ cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile	Thu Aug  2 12:10:42 2007
@@ -0,0 +1,60 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Aug  2 12:54:46 2007
+# Author: Martin Pitt <martin.pitt at ubuntu.com>
+
+#include <tunables/global>
+
+/usr/sbin/cupsd flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/dbus>
+  #include <abstractions/fonts>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+  #include <abstractions/user-tmp>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
+  /bin/bash ixr,
+  /bin/dash ixr,
+  /bin/hostname ixr,
+  /dev/lp* rw,
+  /dev/ttyS* rw,
+  /dev/usb/lp* rw,
+  /etc/cups rw,
+  /etc/cups/** rw,
+  /etc/foomatic/* r,
+  /etc/gai.conf r,
+  /etc/group r,
+  /etc/pam.d/* r,
+  /etc/passwd r,
+  /etc/shadow r,
+  /etc/ssl/** r,
+  /lib/** rm,
+  /proc/net r,
+  /proc/net/* r,
+  /sys/** r,
+  /usr/bin/foomatic* ixr,
+  /usr/bin/gs ixr,
+  /usr/bin/smbspool ixr,
+  /usr/bin/whoami ixr,
+  /usr/lib/** mr,
+  /usr/lib/cups/** ixr,
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /var/cache/cups rw,
+  /var/cache/cups/** rw,
+  /var/log/cups rw,
+  /var/log/cups/* rw,
+  /var/run/avahi-daemon/socket rw,
+  /var/run/cups rw,
+  /var/run/cups/** rw,
+  /var/spool/cups rw,
+  /var/spool/cups/** rw,
+}

Modified: cupsys/branches/cups-1.2-ubuntu/debian/rules
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/rules	(original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/rules	Thu Aug  2 12:10:42 2007
@@ -66,6 +66,9 @@
 	#ln -s ../cups/model $(DEB_DESTDIR)/../cupsys/usr/share/ppd/cups-transitional-dir
 	dh_usrlocal
 
+	# install AppArmor profile
+	install -D -m 644 debian/local/apparmor-profile $(DEB_DESTDIR)/../cupsys/etc/apparmor.d/usr.sbin.cupsd
+
 binary-post-install/libcupsimage2-dev::
 	rm -r debian/libcupsimage2-dev/usr/share/doc/libcupsimage2-dev
 	ln -s libcupsimage2 debian/libcupsimage2-dev/usr/share/doc/libcupsimage2-dev

More information about the Pkg-cups-devel mailing list