[Pkg-cups-devel] r640 - in cupsys/branches/cups-1.2-ubuntu: . debian debian/local
Martin Pitt
mpitt at alioth.debian.org
Mon Dec 3 10:24:41 UTC 2007
Author: mpitt
Date: Mon Dec 3 10:24:41 2007
New Revision: 640
Log:
* debian/local/apparmor-profile: Only restrict backends which are shipped by
cupsys itself (or known packages like cups-pdf). All other backends remain
unrestricted, since we cannot predict which privileges they need.
Modified:
cupsys/branches/cups-1.2-ubuntu/ (props changed)
cupsys/branches/cups-1.2-ubuntu/debian/changelog
cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
Modified: cupsys/branches/cups-1.2-ubuntu/debian/changelog
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/changelog (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/changelog Mon Dec 3 10:24:41 2007
@@ -20,8 +20,11 @@
* Revert most of the doc symlinking changes from 1.3.2-1ubuntu4, since
Ubuntu's cdbs does it by default now. Clean up a few other pieces of
Debian-Ubuntu delta noise along the way.
+ * debian/local/apparmor-profile: Only restrict backends which are shipped by
+ cupsys itself (or known packages like cups-pdf). All other backends remain
+ unrestricted, since we cannot predict which privileges they need.
- -- Martin Pitt <martin.pitt at ubuntu.com> Fri, 30 Nov 2007 17:38:42 +0100
+ -- Martin Pitt <martin.pitt at ubuntu.com> Mon, 03 Dec 2007 09:46:42 +0100
cupsys (1.3.4-2) unstable; urgency=low
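Review bot: the added entry says all other backends "remain unrestricted", but the profile change in this same commit replaces `/usr/lib/cups/backend/* ixr,` with `/usr/lib/cups/backend/* Ux,`, so unlisted backends move from inheriting the cupsd profile to running unconfined. Suggest wording such as "are now unrestricted" so that the changelog records the default being loosened.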
Modified: cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile
==============================================================================
--- cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile (original)
+++ cupsys/branches/cups-1.2-ubuntu/debian/local/apparmor-profile Mon Dec 3 10:24:41 2007
@@ -54,16 +54,28 @@
/bin/* ixr,
/sbin/* ixr,
/usr/lib/** rm,
- /usr/lib/cups/backend/* ixr,
+
+ # backends which come with CUPS can be confined
+ /usr/lib/cups/backend/dnssd ixr,
+ /usr/lib/cups/backend/http ixr,
+ /usr/lib/cups/backend/ipp ixr,
+ /usr/lib/cups/backend/lpd ixr,
+ /usr/lib/cups/backend/parallel ixr,
+ /usr/lib/cups/backend/scsi ixr,
+ /usr/lib/cups/backend/serial ixr,
+ /usr/lib/cups/backend/snmp ixr,
+ /usr/lib/cups/backend/socket ixr,
+ /usr/lib/cups/backend/usb ixr,
# we treat cups-pdf specially, since it needs to write into /home
# and thus needs extra paranoia
/usr/lib/cups/backend/cups-pdf Px,
+ # third party backends get no restrictions as they often need high
+ # privileges and this is beyond our control
+ /usr/lib/cups/backend/* Ux,
# AA blocks creation of bluetooth sockets without providing a way to
# allow them (see LP #172534)
/usr/lib/cups/backend/bluetooth Ux,
- # the Samsung MFP driver needs high privileges and is beyond our
- # control due to being a third-party driver.
- /usr/lib/cups/backend/mfp Ux,
+
/usr/lib/cups/cgi-bin/* ixr,
/usr/lib/cups/daemon/* ixr,
/usr/lib/cups/driver/* ixr,
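Review bot: the new fallback `/usr/lib/cups/backend/* Ux,` makes unconfined execution the default for every file in this directory that is not named above it, so a backend added to cupsys later, or one of the ten listed backends being renamed, silently drops out of confinement. Suggest saying in the comment that the list has to be revisited with each new upstream release, and confirming that no rule elsewhere in the profile grants write access under /usr/lib/cups/backend/ (the visible `/usr/lib/** rm,` is read and mmap only). The separate `/usr/lib/cups/backend/bluetooth Ux,` rule is now covered by the wildcard too; either drop it as was done for mfp, or note that it is kept only to carry the LP #172534 comment.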
@@ -89,8 +101,6 @@
# FIXME: no policy ATM for hplip
/usr/bin/hpijs Ux,
- /usr/lib/cups/backend/hp Ux,
- /usr/lib/cups/backend/hpfax Ux,
}
# separate profile since this needs to write into /home
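Review bot: with the `hp` and `hpfax` lines removed, the `# FIXME: no policy ATM for hplip` comment now sits above `/usr/bin/hpijs Ux,` alone, and nothing at this spot records that the hplip backends still run unconfined, now through the `/usr/lib/cups/backend/* Ux,` wildcard. Suggest extending the FIXME to say so, so that a later hplip policy is not written on the assumption that only hpijs is exempt.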