[Pkg-cups-devel] r714 - in cupsys/trunk: . debian debian/local

Martin Pitt mpitt at alioth.debian.org
Sun Mar 16 21:32:39 UTC 2008


Author: mpitt
Date: Sun Mar 16 21:32:39 2008
New Revision: 714

Log:
* Add debian/local/apparmor-profile: AppArmor profile (taken from Ubuntu
  branch). Install it in debian/rules if package is built on Ubuntu (tested
  with lsb_release -is). Reload AppArmor in debian/cupsys.postinst if both
  the cupsys profile and AppArmor itself are present.

Added:
   cupsys/trunk/debian/local/apparmor-profile
Modified:
   cupsys/trunk/   (props changed)
   cupsys/trunk/debian/changelog
   cupsys/trunk/debian/cupsys.postinst
   cupsys/trunk/debian/rules

Modified: cupsys/trunk/debian/changelog
==============================================================================
--- cupsys/trunk/debian/changelog	(original)
+++ cupsys/trunk/debian/changelog	Sun Mar 16 21:32:39 2008
@@ -35,8 +35,12 @@
     shutdown. Remove the obsolete kill symlinks on upgrade. Patch adopted from
     the Ubuntu branch, but without using the Ubuntu-only 'multiuser' mode of
     update-rc.d.
+  * Add debian/local/apparmor-profile: AppArmor profile (taken from Ubuntu
+    branch). Install it in debian/rules if package is built on Ubuntu (tested
+    with lsb_release -is). Reload AppArmor in debian/cupsys.postinst if both
+    the cupsys profile and AppArmor itself are present.
 
- -- Martin Pitt <mpitt at debian.org>  Sun, 16 Mar 2008 21:16:10 +0100
+ -- Martin Pitt <mpitt at debian.org>  Sun, 16 Mar 2008 21:38:47 +0100
 
 cupsys (1.3.6-1) unstable; urgency=low
 

Modified: cupsys/trunk/debian/cupsys.postinst
==============================================================================
--- cupsys/trunk/debian/cupsys.postinst	(original)
+++ cupsys/trunk/debian/cupsys.postinst	Sun Mar 16 21:32:39 2008
@@ -144,6 +144,11 @@
         if dpkg --compare-versions "$2" lt-nl "1.3.6-2"; then
             rm -f /etc/rc0.d/K??cupsys /etc/rc6.d/K??cupsys
         fi
+
+        # Reload AppArmor profile if present
+        if [ -e /etc/apparmor.d/usr.sbin.cupsd ] && [ -x /etc/init.d/apparmor ]; then
+            invoke-rc.d apparmor force-reload || true
+        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
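Review bot: The `|| true` on the added `invoke-rc.d apparmor force-reload` line hides a failed reload, so an upgrade can finish with the new `usr.sbin.cupsd` profile not loaded and nothing in the output to show it. Keep the maintainer script non-fatal but report the failure, e.g. `invoke-rc.d apparmor force-reload || echo "cupsys: AppArmor reload failed, cupsd profile may not be enforced" >&2`. A profile only attaches to a process when it is executed, so a cupsd already running before the reload stays unconfined until it is restarted; whether that restart happens after this point cannot be seen here, since the enclosing `case` branch starts and ends outside the hunk. A comment such as `# must run before cupsd is (re)started so the daemon picks up the profile` would record that ordering requirement.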

Added: cupsys/trunk/debian/local/apparmor-profile
==============================================================================
--- (empty file)
+++ cupsys/trunk/debian/local/apparmor-profile	Sun Mar 16 21:32:39 2008
@@ -0,0 +1,136 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Aug  2 12:54:46 2007
+# Author: Martin Pitt <martin.pitt at ubuntu.com>
+
+#include <tunables/global>
+
+/usr/sbin/cupsd {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/authentication>
+  #include <abstractions/dbus>
+  #include <abstractions/fonts>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+  #include <abstractions/user-tmp>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
+  # nasty, but we limit file access pretty tightly, and cups chowns a
+  # lot of files to 'lp' which it cannot read/write afterwards any
+  # more
+  capability dac_override,
+
+  # the bluetooth backend needs this
+  network bluetooth,
+
+  /bin/bash ixr,
+  /bin/dash ixr,
+  /bin/hostname ixr,
+  /dev/lp* rw,
+  /dev/ttyS* rw,
+  /dev/usb/lp* rw,
+  /dev/parport* rw,
+  /etc/cups/ rw,
+  /etc/cups/** rw,
+  /etc/foomatic/* r,
+  /etc/gai.conf r,
+  /etc/shadow m,
+  /etc/passwd m,
+  /etc/group m,
+  /etc/papersize r,
+  /etc/pnm2ppa.conf r,
+  /etc/printcap rwl,
+  /etc/ssl/** r,
+  @{PROC}/net/ r,
+  @{PROC}/net/* r,
+  @{PROC}/sys/dev/parport/** r,
+  /sys/** r,
+  /usr/bin/* ixr,
+  /usr/sbin/* ixr,
+  /bin/* ixr,
+  /sbin/* ixr,
+  /usr/lib/** rm,
+
+  # backends which come with CUPS can be confined
+  /usr/lib/cups/backend/bluetooth ixr,
+  /usr/lib/cups/backend/dnssd ixr,
+  /usr/lib/cups/backend/http ixr,
+  /usr/lib/cups/backend/ipp ixr,
+  /usr/lib/cups/backend/lpd ixr,
+  /usr/lib/cups/backend/parallel ixr,
+  /usr/lib/cups/backend/scsi ixr,
+  /usr/lib/cups/backend/serial ixr,
+  /usr/lib/cups/backend/snmp ixr,
+  /usr/lib/cups/backend/socket ixr,
+  /usr/lib/cups/backend/usb ixr,
+  # we treat cups-pdf specially, since it needs to write into /home
+  # and thus needs extra paranoia
+  /usr/lib/cups/backend/cups-pdf Px,
+  # third party backends get no restrictions as they often need high
+  # privileges and this is beyond our control
+  /usr/lib/cups/backend/* Ux,
+
+  /usr/lib/cups/cgi-bin/* ixr,
+  /usr/lib/cups/daemon/* ixr,
+  /usr/lib/cups/monitor/* ixr,
+  /usr/lib/cups/notifier/* ixr,
+  # filters and drivers (PPD generators) are always run as non-root,
+  # and there are a lot of third-party drivers which we cannot predict
+  /usr/lib/cups/filter/* Uxr, 
+  /usr/lib/cups/driver/* Uxr,
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /var/cache/cups/ rw,
+  /var/cache/cups/** rw,
+  /var/log/cups/ rw,
+  /var/log/cups/* rw,
+  /var/run/avahi-daemon/socket rw,
+  /var/run/cups/ rw,
+  /var/run/cups/** rw,
+  /var/spool/cups/ rw,
+  /var/spool/cups/** rw,
+
+  # third-party printer drivers; no known structure here
+  /opt/** rix,
+
+  # FIXME: no policy ATM for hplip
+  /usr/bin/hpijs Ux,
+
+  # Kerberos authentication
+  /etc/krb5.conf r,
+  /etc/cups/krb5.keytab rw,
+}
+
+# separate profile since this needs to write into /home
+/usr/lib/cups/backend/cups-pdf {
+  #include <abstractions/base>
+  #include <abstractions/fonts>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability setgid,
+  capability setuid,
+
+  /bin/dash ixr,
+  /bin/bash ixr,
+  /etc/papersize r,
+  /etc/cups/cups-pdf.conf r,
+  @{HOME}/PDF/ w,
+  @{HOME}/PDF/* w,
+  /usr/bin/gs ixr,
+  /usr/lib/cups/backend/cups-pdf mr,
+  /usr/lib/ghostscript/** mr,
+  /usr/share/** r,
+  /var/log/cups/cups-pdf_log w,
+  /var/spool/cups-pdf/** rw,
+}
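Review bot: The `Ux` rules on `/usr/lib/cups/backend/*`, `/usr/lib/cups/filter/*`, `/usr/lib/cups/driver/*` and `/usr/bin/hpijs` let anything cupsd executes from those paths leave confinement entirely, so the profile is only as strong as the write protection on those directories and on the configuration that selects what gets run. The same profile grants `/etc/cups/** rw` and `capability dac_override`, which means a compromised cupsd can rewrite its own configuration while still confined; it would help to say so next to the `Ux` lines, e.g. `# Ux: runs unconfined (environment scrubbed); these directories must stay writable by root only`. Where a third-party backend is known, a dedicated profile reached with `Px`, as already done for cups-pdf, is the tighter choice. The `m` permissions on `/etc/shadow`, `/etc/passwd` and `/etc/group` also carry no explanation; a one-line comment naming the library or module that maps them would let a later reviewer judge whether they are still needed.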

Modified: cupsys/trunk/debian/rules
==============================================================================
--- cupsys/trunk/debian/rules	(original)
+++ cupsys/trunk/debian/rules	Sun Mar 16 21:32:39 2008
@@ -72,6 +72,11 @@
 	# the system-config-printer applet
 	install -D -m 644 packaging/cups-dbus.conf $(DEB_DESTDIR)/../cupsys/etc/dbus-1/system.d/cups.conf
 
+	# install AppArmor profile on Ubuntu
+	if [ "`lsb_release -is 2>/dev/null`" = "Ubuntu" ]; then \
+	   install -D -m 644 debian/local/apparmor-profile debian/$(cdbs_curpkg)/etc/apparmor.d/usr.sbin.cupsd; \
+	fi
+
 binary-post-install/libcupsimage2-dev::
 	rm -r debian/libcupsimage2-dev/usr/share/doc/libcupsimage2-dev
 	ln -s libcupsimage2 debian/libcupsimage2-dev/usr/share/doc/libcupsimage2-dev
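Review bot: The added `lsb_release -is 2>/dev/null` test makes the package contents depend on the build host, and with stderr discarded a build environment that lacks `lsb_release` silently produces a package without the AppArmor profile. The file list of this commit shows no change to `debian/control`, so unless lsb-release is already a build dependency this can happen in a clean chroot; declare it in Build-Depends and make the skip visible with a branch such as `else echo "not building on Ubuntu (or lsb_release missing): AppArmor profile not installed"; \`. The recipe this block belongs to starts outside the hunk.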


