authorintrigeri <intrigeri@boum.org>2015-09-17 08:00:06 +0000
committerintrigeri <intrigeri@boum.org>2015-09-17 08:00:06 +0000
commite17b756d9d647743e7f4acb2e4b92f781d683bbc (patch)
tree1d2cf18c8ca8ee750f565750cd1bcdf40619b5b3 /config/chroot_local-patches
parent61135c03a955eb651f541ec8d4ab1409d6de07b4 (diff)
apparmor-adjust-cupsd-profile.diff: fix access to aufs whiteouts for /etc/cups, /var/{cache,log,spool}/cups.
Closes: #10210
Diffstat (limited to 'config/chroot_local-patches')
-rw-r--r--config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff27
1 files changed, 23 insertions, 4 deletions
diff --git a/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff b/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
index 3b27cc4..97d491e 100644
--- a/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
+++ b/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
@@ -9,7 +9,15 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/authentication>
-@@ -70,7 +70,7 @@
+@@ -54,6 +54,7 @@
+ /dev/bus/usb/** rw,
+ /dev/parport* rw,
+ /etc/cups/ rw,
++ /etc/.wh..wh.cups.*/ rw,
+ /etc/cups/** rw,
+ /etc/cups/interfaces/* ixrw,
+ /etc/foomatic/* r,
+@@ -70,7 +71,7 @@
@{PROC}/*/auxv r,
@{PROC}/sys/crypto/** r,
/sys/** r,
@@ -18,7 +26,7 @@
/usr/sbin/* ixr,
/bin/* ixr,
/sbin/* ixr,
-@@ -80,7 +80,10 @@
+@@ -80,7 +81,10 @@
/usr/lib/cups/backend/bluetooth ixr,
/usr/lib/cups/backend/dnssd ixr,
/usr/lib/cups/backend/http ixr,
@@ -29,7 +37,7 @@
/usr/lib/cups/backend/lpd ixr,
/usr/lib/cups/backend/parallel ixr,
/usr/lib/cups/backend/serial ixr,
-@@ -92,7 +95,12 @@
+@@ -92,7 +96,12 @@
/usr/lib/cups/backend/cups-pdf Px,
# third party backends get no restrictions as they often need high
# privileges and this is beyond our control
@@ -43,7 +51,17 @@
/usr/lib/cups/cgi-bin/* ixr,
/usr/lib/cups/daemon/* ixr,
-@@ -141,7 +149,7 @@
+@@ -119,6 +128,9 @@
+ /var/log/cups/* rw,
+ /var/spool/cups/ rw,
+ /var/spool/cups/** rw,
++ /var/cache/.wh..wh.cups.*/ rw,
++ /var/log/.wh..wh.cups.*/ rw,
++ /var/spool/.wh..wh.cups.*/ rw,
+
+ # third-party printer drivers; no known structure here
+ /opt/** rix,
+@@ -141,7 +153,7 @@
# silence noise
deny /etc/udev/udev.conf r,
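Review bot: The pattern `.wh..wh.cups.*/` in the three `/var/...` rules here (and in the `/etc` rule of the first hunk) is slightly wider than the commit message describes in one respect and narrower in another. In AppArmor globbing `*` matches any run of characters other than `/`, so a whiteout entry for any sibling directory whose name begins with `cups.` is also covered. The trailing `/` grants `rw` on the directory entry only, not on anything beneath it. Both are probably fine for a confined cupsd, but it is worth confirming on an aufs-backed system that no `apparmor="DENIED"` audit lines remain for these paths, and narrowing the suffix if the aufs naming proves to be fixed-format.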
@@ -52,3 +70,4 @@
# third party backends, filters, and drivers get relatively no restrictions
# as they often need high privileges, are unpredictable or otherwise beyond
# our control
+