From 2aa7fe46593c9109d57c484d060d485a74c82345 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sommer?=
Date: Tue, 31 Dec 2024 09:59:44 +0100
Subject: [PATCH] cupsd: convert profile to @etc_ro/rw

While cups itself writes to /etc the others require only read-only access and might therefore live in /usr/etc.
(cherry picked from commit c3af6228fdf808c5013c27239c9ac73e2d6a355f)
Signed-off-by: John Johansen
---
 .../apparmor/profiles/extras/usr.sbin.cupsd | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
index 22e8c2cad..b5bb1ea9b 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -23,28 +23,28 @@ include
 /{usr/,}bin/cat ix,
 /usr/bin/foomatic-rip ixr,
- /etc/foomatic/** r,
+ @{etc_ro}/foomatic/** r,
 /usr/bin/gs ix,
 /usr/lib/ghostscript/** m,
 /usr/lib64/ghostscript/** m,
 /usr/share/ghostscript/** r,
- /etc/ghostscript/** r,
+ @{etc_ro}/ghostscript/** r,
 /dev/lp0 rw,
 /dev/tty rw,
 /dev/ttyS? w,
- /etc/cups rw,
- /etc/cups/ r,
- /etc/cups/** r,
- /etc/cups/certs w,
- /etc/cups/certs/* w,
- /etc/cups/*.conf* rw,
- /etc/cups/ppd rw,
- /etc/printcap rw,
- /etc/cups/printcap rw,
- /etc/cups/ssl rw,
- /etc/cups/yes/* rw,
+ @{etc_rw}/cups rw,
+ @{etc_rw}/cups/ r,
+ @{etc_rw}/cups/** r,
+ @{etc_rw}/cups/certs w,
+ @{etc_rw}/cups/certs/* w,
+ @{etc_rw}/cups/*.conf* rw,
+ @{etc_rw}/cups/ppd rw,
+ @{etc_rw}/printcap rw,
+ @{etc_rw}/cups/printcap rw,
+ @{etc_rw}/cups/ssl rw,
+ @{etc_rw}/cups/yes/* rw,
 @{PROC}/meminfo r,
 @{PROC}/sys/dev/parport/** r,
 /sys/class/usb r,
@@ -65,7 +65,7 @@ include
 /var/cache/cups/ rw,
 /var/cache/cups/** rw,
- /etc/paperspecs r,
+ @{etc_ro}/paperspecs r,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
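Review bot: The two read-only cups rules in the first hunk, `@{etc_rw}/cups/ r,` and `@{etc_rw}/cups/** r,`, are bound to the writable tree, and nothing in the profile says that this is deliberate. The commit message gives the reason (cupsd writes its own configuration, the helpers only read theirs), so I would record it next to the rules, for example `# cupsd rewrites its own config, so the cups tree stays on @{etc_rw}; helper config is read-only and uses @{etc_ro}`, so that a later cleanup does not move a `w` rule onto the read-only variable, which per the commit message also covers /usr/etc. Both hunks also make the profile depend on `@{etc_ro}` and `@{etc_rw}` being defined; the include named in the hunk headers has lost its target in this copy, and since this is a cherry-pick the target branch should be checked for those tunables, because a profile that fails to parse is not loaded and may leave cupsd unconfined. The profile body starts and ends outside both hunks.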