summaryrefslogtreecommitdiffstats
path: root/config/chroot_local-patches/apparmor-adjust-cupsd-profile.diff
blob: 53e445562d851e43b71be738beb43b4cf56c3a90 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
--- a/etc/apparmor.d/usr.sbin.cupsd	2015-11-20 09:41:01.408000000 +0000
+++ b/etc/apparmor.d/usr.sbin.cupsd	2015-11-20 09:47:01.728000000 +0000
@@ -4,7 +4,9 @@
 
 #include <tunables/global>
 
-/usr/sbin/cupsd {
+@{etccups}=/{etc/cups,live/persistence/TailsData_unlocked/cups-configuration}
+
+/usr/sbin/cupsd flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/authentication>
@@ -53,9 +55,10 @@
   /dev/bus/usb/ r,
   /dev/bus/usb/** rw,
   /dev/parport* rw,
-  /etc/cups/ rw,
-  /etc/cups/** rw,
-  /etc/cups/interfaces/* ixrw,
+  @{etccups}/ rw,
+  /etc/.wh..wh.cups.*/ rw,
+  @{etccups}/** rw,
+  @{etccups}/interfaces/* ixrw,
   /etc/foomatic/* r,
   /etc/gai.conf r,
   /etc/papersize r,
@@ -70,7 +73,7 @@
   @{PROC}/*/auxv r,
   @{PROC}/sys/crypto/** r,
   /sys/** r,
-  /usr/bin/* ixr,
+  /usr/bin/{[^h],h[^p],hp[^i],hpi[^j],hpij[^s]}* ixr,
   /usr/sbin/* ixr,
   /bin/* ixr,
   /sbin/* ixr,
@@ -80,7 +83,10 @@
   /usr/lib/cups/backend/bluetooth ixr,
   /usr/lib/cups/backend/dnssd ixr,
   /usr/lib/cups/backend/http ixr,
+  /usr/lib/cups/backend/https ixr,
   /usr/lib/cups/backend/ipp ixr,
+  /usr/lib/cups/backend/ipp[0-9][0-9] ixr,
+  /usr/lib/cups/backend/ipps ixr,
   /usr/lib/cups/backend/lpd ixr,
   /usr/lib/cups/backend/parallel ixr,
   /usr/lib/cups/backend/serial ixr,
@@ -92,7 +98,12 @@
   /usr/lib/cups/backend/cups-pdf Px,
   # third party backends get no restrictions as they often need high
   # privileges and this is beyond our control
-  /usr/lib/cups/backend/* Cx -> third_party,
+  # Due to Tails#9963 we hard-code the third-party backends we ship:
+  # /usr/lib/cups/backend/* Cx -> third_party,
+  /usr/lib/cups/backend/gutenprint52+usb Cx -> third_party,
+  /usr/lib/cups/backend/hp Cx -> third_party,
+  /usr/lib/cups/backend/hpfax Cx -> third_party,
+  /usr/lib/cups/backend/mdns Cx -> third_party,
 
   /usr/lib/cups/cgi-bin/* ixr,
   /usr/lib/cups/daemon/* ixr,
@@ -119,6 +130,9 @@
   /var/log/cups/* rw,
   /var/spool/cups/ rw,
   /var/spool/cups/** rw,
+  /var/cache/.wh..wh.cups.*/ rw,
+  /var/log/.wh..wh.cups.*/ rw,
+  /var/spool/.wh..wh.cups.*/ rw,
 
   # third-party printer drivers; no known structure here
   /opt/** rix,
@@ -131,7 +145,7 @@
   /etc/krb5.conf r,
   deny /etc/krb5.conf w,
   /etc/krb5.keytab rk,
-  /etc/cups/krb5.keytab rwk,
+  @{etccups}/krb5.keytab rwk,
   /tmp/krb5cc* k,
 
   # likewise authentication
@@ -141,7 +155,7 @@
   # silence noise
   deny /etc/udev/udev.conf r,
 
-  profile third_party {
+  profile third_party flags=(attach_disconnected) {
     # third party backends, filters, and drivers get relatively no restrictions
     # as they often need high privileges, are unpredictable or otherwise beyond
     # our control
@@ -178,7 +192,7 @@
   /bin/bash ixr,
   /bin/cp ixr,
   /etc/papersize r,
-  /etc/cups/cups-pdf.conf r,
+  @{etccups}/cups-pdf.conf r,
   @{HOME}/PDF/ rw,
   @{HOME}/PDF/* rw,
   /usr/bin/gs ixr,