From 97d7fa3f5f2ca016f853af6dbb97187f9525adf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sommer?=
Date: Tue, 31 Dec 2024 10:06:29 +0100
Subject: [PATCH 1/2] cupsd: Add /etc/paperspecs read access

Cups uses libpaper which accesses /etc/paperspecs. https://github.com/rrthomas/libpaper/blob/ce42216e2e3cd3fdf97d666aed6fa28f8ad5b9d4/lib/libpaper.c.in.in#L419
---
 profiles/apparmor/profiles/extras/usr.sbin.cupsd | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
index 9b51b8453..22e8c2cad 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -65,6 +65,8 @@ include
 /var/cache/cups/ rw,
 /var/cache/cups/** rw,
+ /etc/paperspecs r,
+
 # Site-specific additions and overrides. See local/README for details.
 include if exists
 }

From c3af6228fdf808c5013c27239c9ac73e2d6a355f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sommer?=
Date: Tue, 31 Dec 2024 09:59:44 +0100
Subject: [PATCH 2/2] cupsd: convert profile to @etc_ro/rw

While cups itself writes to /etc the others require only read-only access and might therefore live in /usr/etc.
---
 .../apparmor/profiles/extras/usr.sbin.cupsd | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
index 22e8c2cad..b5bb1ea9b 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
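Review bot: The added `/etc/paperspecs r,` rule carries no comment, so the reason cupsd needs this read lives only in the commit message; profiles are read on disk without history, and a one-line comment above the rule, `# system paper-size table read by libpaper on behalf of cups`, would keep the rationale next to the rule. If libpaper also consults a per-user paper file (worth confirming against the libpaper source cited in the message), reads of that path would simply be denied and logged, which is a benign denial rather than a gap, but a comment noting that it is intentional would save later triage. Read-only access to one system-wide file is the least privilege the stated need calls for; nothing in the hunk grants more than that.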
@@ -23,28 +23,28 @@ include
 /{usr/,}bin/cat ix,
 /usr/bin/foomatic-rip ixr,
- /etc/foomatic/** r,
+ @{etc_ro}/foomatic/** r,
 /usr/bin/gs ix,
 /usr/lib/ghostscript/** m,
 /usr/lib64/ghostscript/** m,
 /usr/share/ghostscript/** r,
- /etc/ghostscript/** r,
+ @{etc_ro}/ghostscript/** r,
 /dev/lp0 rw,
 /dev/tty rw,
 /dev/ttyS? w,
- /etc/cups rw,
- /etc/cups/ r,
- /etc/cups/** r,
- /etc/cups/certs w,
- /etc/cups/certs/* w,
- /etc/cups/*.conf* rw,
- /etc/cups/ppd rw,
- /etc/printcap rw,
- /etc/cups/printcap rw,
- /etc/cups/ssl rw,
- /etc/cups/yes/* rw,
+ @{etc_rw}/cups rw,
+ @{etc_rw}/cups/ r,
+ @{etc_rw}/cups/** r,
+ @{etc_rw}/cups/certs w,
+ @{etc_rw}/cups/certs/* w,
+ @{etc_rw}/cups/*.conf* rw,
+ @{etc_rw}/cups/ppd rw,
+ @{etc_rw}/printcap rw,
+ @{etc_rw}/cups/printcap rw,
+ @{etc_rw}/cups/ssl rw,
+ @{etc_rw}/cups/yes/* rw,
 @{PROC}/meminfo r,
 @{PROC}/sys/dev/parport/** r,
 /sys/class/usb r,
@@ -65,7 +65,7 @@ include
 /var/cache/cups/ rw,
 /var/cache/cups/** rw,
- /etc/paperspecs r,
+ @{etc_ro}/paperspecs r,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
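Review bot: The new rules depend on `@{etc_ro}` and `@{etc_rw}` being defined, and the hunk does not show where; the profile's tunables include sits outside the hunk, so confirm it pulls in the tunable set that ships these two variables, since an undefined variable makes the whole profile fail to load rather than silently widening or narrowing access. Read-only config paths consistently move to `@{etc_ro}` and the cups-written paths to `@{etc_rw}`, which matches the commit message. Note that `@{etc_rw}/cups/ r,` and `@{etc_rw}/cups/** r,` stay on the writable variable, so if `@{etc_rw}` expands to /etc only, a distribution that ships default cups configuration under a read-only /usr/etc would not be covered for reads; if that is intended, a comment such as `# cups writes its own config, so it is expected under @{etc_rw} only` above the block would record the decision. The same conversion is applied to `/etc/paperspecs` in the second hunk of this patch.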