cupsd: convert profile to @etc_ro/rw

While cups itself writes to /etc the others require only read-only access and might therefore live in /usr/etc. (cherry picked from commit c3af6228fdf808c5013c27239c9ac73e2d6a355f) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 10:07:12 +00:00 · 2024-12-31 09:59:44 +01:00 · 2024-12-31 09:59:44 +01:00 · 2aa7fe4659
commit 2aa7fe4659
parent c456101ebb
1 changed files with 14 additions and 14 deletions
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@ -23,28 +23,28 @@ include <tunables/global>
  /{usr/,}bin/cat ix,

  /usr/bin/foomatic-rip ixr,
-  /etc/foomatic/** r,
+  @{etc_ro}/foomatic/** r,

  /usr/bin/gs ix,
  /usr/lib/ghostscript/** m,
  /usr/lib64/ghostscript/** m,
  /usr/share/ghostscript/** r,
-  /etc/ghostscript/** r,
+  @{etc_ro}/ghostscript/** r,

  /dev/lp0 rw,
  /dev/tty rw,
  /dev/ttyS? w,
-  /etc/cups rw,
-  /etc/cups/ r,
-  /etc/cups/** r,
-  /etc/cups/certs w,
-  /etc/cups/certs/* w,
-  /etc/cups/*.conf* rw,
-  /etc/cups/ppd rw,
-  /etc/printcap rw,
-  /etc/cups/printcap rw,
-  /etc/cups/ssl rw,
-  /etc/cups/yes/* rw,
+  @{etc_rw}/cups rw,
+  @{etc_rw}/cups/ r,
+  @{etc_rw}/cups/** r,
+  @{etc_rw}/cups/certs w,
+  @{etc_rw}/cups/certs/* w,
+  @{etc_rw}/cups/*.conf* rw,
+  @{etc_rw}/cups/ppd rw,
+  @{etc_rw}/printcap rw,
+  @{etc_rw}/cups/printcap rw,
+  @{etc_rw}/cups/ssl rw,
+  @{etc_rw}/cups/yes/* rw,
  @{PROC}/meminfo r,
  @{PROC}/sys/dev/parport/** r,
  /sys/class/usb r,
@ -65,7 +65,7 @@ include <tunables/global>
  /var/cache/cups/ rw,
  /var/cache/cups/** rw,

-  /etc/paperspecs r,
+  @{etc_ro}/paperspecs r,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.cupsd>