summaryrefslogtreecommitdiffstats
path: root/config/chroot_local-patches
diff options
context:
space:
mode:
authorintrigeri <intrigeri@boum.org>2015-08-11 12:23:28 +0000
committerintrigeri <intrigeri@boum.org>2015-08-11 12:30:00 +0000
commitcea3a0c3d1af4e06c92ede0a757c6999ac301848 (patch)
tree86d7de0327048c2e64e4f9cd4a6cc2d032e7be97 /config/chroot_local-patches
parent035e97a19254be14ee3998e698ec801c6eb53655 (diff)
apparmor-adjust-cupsd-profile.diff: adjust to parse fine on current Jessie.
Closes: #9963 More specifically: a) avoid "conflicting x modifiers" for /usr/bin/hpijs, by modifying the /usr/bin/* rule to not match it; b) add missing backends to the list of confined ones, and: asked how we can better maintain this list : https://lists.ubuntu.com/archives/apparmor/2015-August/008463.html c) to avoid "conflicting x modifiers", replaced glob that matches all remaining backends by a hard-coded list of third-party ones we ship; d) Added a note to the RM role duties to sanity check these two lists. Also, add the attach_disconnected flag to the third_party local profile in there, as was done in sid already, and is needed for it to work under systemd (this patch already did that for /usr/sbin/cupsd).
Diffstat (limited to 'config/chroot_local-patches')
-rw-r--r--config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff51
1 files changed, 47 insertions, 4 deletions
diff --git a/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff b/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
index 9052983..0ad86aa 100644
--- a/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
+++ b/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
@@ -1,5 +1,5 @@
---- a/etc/apparmor.d/usr.sbin.cupsd 2014-11-16 20:48:15.320000000 +0000
-+++ b/etc/apparmor.d/usr.sbin.cupsd 2014-11-16 21:13:34.248000000 +0000
+--- a/etc/apparmor.d/usr.sbin.cupsd 2015-08-11 14:05:35.731931035 +0200
++++ a/etc/apparmor.d/usr.sbin.cupsd 2015-08-11 14:21:15.573030660 +0200
@@ -4,7 +4,7 @@
#include <tunables/global>
@@ -9,7 +9,41 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/authentication>
-@@ -113,12 +113,12 @@
+@@ -70,7 +70,7 @@
+ @{PROC}/*/auxv r,
+ @{PROC}/sys/crypto/** r,
+ /sys/** r,
+- /usr/bin/* ixr,
++ /usr/bin/{[^h],h[^p],hp[^i],hpi[^j],hpij[^s]}* ixr,
+ /usr/sbin/* ixr,
+ /bin/* ixr,
+ /sbin/* ixr,
+@@ -80,7 +80,10 @@
+ /usr/lib/cups/backend/bluetooth ixr,
+ /usr/lib/cups/backend/dnssd ixr,
+ /usr/lib/cups/backend/http ixr,
++ /usr/lib/cups/backend/https ixr,
+ /usr/lib/cups/backend/ipp ixr,
++ /usr/lib/cups/backend/ipp[0-9]+ ixr,
++ /usr/lib/cups/backend/ipps ixr,
+ /usr/lib/cups/backend/lpd ixr,
+ /usr/lib/cups/backend/parallel ixr,
+ /usr/lib/cups/backend/serial ixr,
+@@ -92,7 +95,12 @@
+ /usr/lib/cups/backend/cups-pdf Px,
+ # third party backends get no restrictions as they often need high
+ # privileges and this is beyond our control
+- /usr/lib/cups/backend/* Cx -> third_party,
++ # Due to Tails#9963 we hard-code the third-party backends we ship:
++ # /usr/lib/cups/backend/* Cx -> third_party,
++ /usr/lib/cups/backend/gutenprint52+usb Cx -> third_party,
++ /usr/lib/cups/backend/hp Cx -> third_party,
++ /usr/lib/cups/backend/hpfax Cx -> third_party,
++ /usr/lib/cups/backend/mdns Cx -> third_party,
+
+ /usr/lib/cups/cgi-bin/* ixr,
+ /usr/lib/cups/daemon/* ixr,
+@@ -113,12 +121,12 @@
/var/{cache,lib}/samba/printing/printers.tdb r,
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
@@ -28,7 +62,16 @@
# third-party printer drivers; no known structure here
/opt/** rix,
-@@ -186,6 +186,6 @@
+@@ -141,7 +149,7 @@
+ # silence noise
+ deny /etc/udev/udev.conf r,
+
+- profile third_party {
++ profile third_party flags=(attach_disconnected) {
+ # third party backends, filters, and drivers get relatively no restrictions
+ # as they often need high privileges, are unpredictable or otherwise beyond
+ # our control
+@@ -186,6 +194,6 @@
/usr/lib/ghostscript/** mr,
/usr/share/** r,
/var/log/cups/cups-pdf_log w,