From 14fd88aa2fa7d13051a77e80086b28b6eb625a33 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 31 Aug 2022 22:10:41 +0100 Subject: [PATCH] feat(profiles): add profiles for cups. --- apparmor.d/profiles-a-f/cups-backend-beh | 18 ++++ apparmor.d/profiles-a-f/cups-backend-brf | 20 +++++ apparmor.d/profiles-a-f/cups-backend-dnssd | 18 ++++ .../profiles-a-f/cups-backend-implicitclass | 18 ++++ apparmor.d/profiles-a-f/cups-backend-ipp | 18 ++++ apparmor.d/profiles-a-f/cups-backend-lpd | 18 ++++ apparmor.d/profiles-a-f/cups-backend-parallel | 18 ++++ apparmor.d/profiles-a-f/cups-backend-pdf | 46 ++++++++++ apparmor.d/profiles-a-f/cups-backend-serial | 18 ++++ apparmor.d/profiles-a-f/cups-backend-snmp | 23 +++++ apparmor.d/profiles-a-f/cups-backend-socket | 18 ++++ apparmor.d/profiles-a-f/cups-backend-usb | 24 +++++ apparmor.d/profiles-a-f/cups-browsed | 69 ++++++++++++++ .../profiles-a-f/cups-pk-helper-mechanism | 35 ++++++++ apparmor.d/profiles-a-f/cupsd | 90 +++++++++++++++++++ debian/apparmor.d.hide | 2 + dists/flags/main.flags | 15 ++++ 17 files changed, 468 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cups-backend-beh create mode 100644 apparmor.d/profiles-a-f/cups-backend-brf create mode 100644 apparmor.d/profiles-a-f/cups-backend-dnssd create mode 100644 apparmor.d/profiles-a-f/cups-backend-implicitclass create mode 100644 apparmor.d/profiles-a-f/cups-backend-ipp create mode 100644 apparmor.d/profiles-a-f/cups-backend-lpd create mode 100644 apparmor.d/profiles-a-f/cups-backend-parallel create mode 100644 apparmor.d/profiles-a-f/cups-backend-pdf create mode 100644 apparmor.d/profiles-a-f/cups-backend-serial create mode 100644 apparmor.d/profiles-a-f/cups-backend-snmp create mode 100644 apparmor.d/profiles-a-f/cups-backend-socket create mode 100644 apparmor.d/profiles-a-f/cups-backend-usb create mode 100644 apparmor.d/profiles-a-f/cups-browsed create mode 100644 apparmor.d/profiles-a-f/cups-pk-helper-mechanism create mode 100644 apparmor.d/profiles-a-f/cupsd 
diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh
new file mode 100644
index 000000000..676bbcb13
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-beh
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/beh
+profile cups-backend-beh @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf
new file mode 100644
index 000000000..24211196d
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-brf
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/cups-brf
+profile cups-backend-brf @{exec_path} {
+ include
+
+ capability setuid,
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd
new file mode 100644
index 000000000..cfc987c51
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-dnssd
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/dnssd
+profile cups-backend-dnssd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass
new file mode 100644
index 000000000..4311b10b1
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass
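Review bot: The cups-backend-beh profile contains no exec rule, although beh is the backend error handler that re-executes the real backend it wraps (background knowledge, not visible in the hunk); under enforce that exec would be denied and the profile can only work in the complain mode main.flags assigns it. The transition cupsd already uses for the same directory, `/{usr/,}lib/cups/backend/* rPx,`, is the rule this profile needs so the wrapped backend lands in its own profile rather than inheriting this one. A one-line comment above the rule, `# beh re-runs the wrapped backend; keep it confined by that backend's own profile`, would record why the rule is there. The other minimal backend profiles in this commit (dnssd, implicitclass, parallel, serial, socket) share this skeleton and will need their own device or network rules before any of them move to enforce.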
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
+profile cups-backend-implicitclass @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp
new file mode 100644
index 000000000..ddf6834bf
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-ipp
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/ipp
+profile cups-backend-ipp @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd
new file mode 100644
index 000000000..eec56070e
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-lpd
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/lpd
+profile cups-backend-lpd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel
new file mode 100644
index 000000000..b0318f02e
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-parallel
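Review bot: cups-backend-ipp carries no `network` rule even though the ipp backend's whole purpose is a TCP connection to the printer, so under enforce the connect is denied; cups-backend-lpd on this line and cups-backend-socket on a later hunk line have the same gap, and cups-backend-dnssd (earlier) will additionally need whatever mDNS/Avahi access its discovery path uses. The include targets were lost when this page was rendered, so if the single in-profile include is an abstraction that already grants inet sockets this is moot; otherwise `network inet stream,` and `network inet6 stream,` are the minimum for ipp, lpd and socket. Today the complain entries in main.flags turn this into logged denials instead of failed jobs, which is the right place to start, but the rules should be in place before these profiles are switched to enforce so that printing fails for policy reasons rather than by accident.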
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/parallel
+profile cups-backend-parallel @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf
new file mode 100644
index 000000000..fa5863459
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
+profile cups-backend-pdf @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+
+ unix peer=(label=cupsd),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/gs rix,
+ /{usr/,}bin/gsc rix,
+ /{usr/,}lib/ghostscript/** mr,
+
+ /usr/share/ghostscript/{,**} r,
+
+ /etc/papersize r,
+ /etc/cups/ r,
+ /etc/cups/cups-pdf.conf r,
+ /etc/cups/ppd/*.ppd r,
+
+ /var/log/cups/cups-pdf*_log w,
+ /var/spool/cups-pdf/{,**} rw,
+ /var/spool/cups/** r,
+ /var/tmp/gs_* rw,
+
+ /dev/tty rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial
new file mode 100644
index 000000000..33264531a
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-serial
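Review bot: cups-backend-pdf runs `gs` and `gsc` with `rix`, so Ghostscript — the component that interprets the job's PostScript/PDF, i.e. data supplied by whoever submitted the print job — inherits a profile holding `capability chown`, `setgid`, `setuid` and `dac_override` together with `/var/spool/cups-pdf/{,**} rw`, the shell and `cp` exec rules and `/dev/tty rw`. Giving the interpreter its own child profile with no capabilities and only the Ghostscript library, share, spool-input and output paths keeps an interpreter bug from turning into write access anywhere `dac_override` reaches; the sketch below is a starting point to be completed from the denials logged in complain mode. `/var/tmp/gs_* rw` also has no `owner` qualifier; if cups-pdf has already switched to the job owner by the time it runs gs (cannot be confirmed from this hunk), `owner /var/tmp/gs_* rw,` is enough.
```apparmor
  /{usr/,}bin/gs rCx -> gs,
  /{usr/,}bin/gsc rCx -> gs,
  # … unchanged: remaining cups-backend-pdf rules …

  # Ghostscript handles job-supplied input: no capabilities, read-only toolchain, scoped output.
  profile gs {
    include <abstractions/base>
    include <abstractions/fonts>

    /{usr/,}bin/gs mr,
    /{usr/,}bin/gsc mr,
    /{usr/,}lib/ghostscript/** mr,
    /usr/share/ghostscript/{,**} r,

    /etc/papersize r,

    /var/spool/cups/** r,
    /var/spool/cups-pdf/{,**} rw,
    owner /var/tmp/gs_* rw,
  }
```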
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/serial
+profile cups-backend-serial @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp
new file mode 100644
index 000000000..40f2e03ec
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/snmp
+profile cups-backend-snmp @{exec_path} {
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/cups/snmp.conf r,
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket
new file mode 100644
index 000000000..8c66d634f
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-socket
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/socket
+profile cups-backend-socket @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb
new file mode 100644
index 000000000..e6c568008
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-backend-usb
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups/backend/usb
+profile cups-backend-usb @{exec_path} {
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/cups/usb/{,**} r,
+
+ /etc/cups/ppd/*.ppd r,
+ /etc/papersize r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed
new file mode 100644
index 000000000..2dbef344e
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-browsed
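Review bot: cups-backend-usb has no rule for the USB device nodes: the only device-related grant is `network netlink raw` (presumably for udev/hotplug events), so the backend cannot open the printer under enforce. libusb-based code opens the device through `/dev/bus/usb/` and enumerates through sysfs (inferred from how libusb works, not from this hunk), so `/dev/bus/usb/[0-9]*/[0-9]* rw,` together with read access below `@{sys}/bus/usb/` and `@{sys}/devices/` is the usual minimum — unless the second include, whose target was lost in rendering, already provides it. As with the other backends this is hidden by the complain flag and should be settled from the logged denials before the profile is enforced.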
@@ -0,0 +1,69 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/cups-browsed
+profile cups-browsed @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ capability net_bind_service,
+ capability sys_nice,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceBrowserNew},
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member=Free
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={AllForNow,CacheExhausted},
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.{DBus.Properties,NetworkManager}
+ member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
+
+ dbus receive bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=StateChanged,
+
+ @{exec_path} mr,
+
+ /usr/share/cups/locale/{,**} r,
+ /usr/share/locale/{,**} r,
+
+ /etc/cups/{,**} r,
+
+ /var/cache/cups/{,**} rw,
+ /var/log/cups/{,**} rw,
+
+ @{run}/cups/certs/* r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
new file mode 100644
index 000000000..ef7ce21f1
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
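Review bot: The first `dbus send` rule (`path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew}`) carries no `peer=` constraint, while the `Ping` and `ServiceBrowser.Free` send rules in the same profile pin `peer=(name=org.freedesktop.Avahi)`; without the constraint the rule lets cups-browsed call any system-bus name that exposes that interface at that path, not just the Avahi daemon. Adding `peer=(name=org.freedesktop.Avahi)` to it, and `peer=(name=org.freedesktop.NetworkManager)` to the `GetAll` send rule, keeps the policy consistent with its neighbours and limited to the two services it is written for. cups-browsed also creates and removes queues on the local cupsd; TCP to localhost is covered by the `network inet stream` rules, but the domain socket is not — `@{run}/cups/cups.sock rw,`, which the cups-pk-helper-mechanism profile in this commit already has, is likely needed here too and will show up as a denial in complain mode if so.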
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism
+@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism
+@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
+profile cups-pk-helper-mechanism @{exec_path} {
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability sys_nice,
+
+ dbus receive bus=system path=/
+ interface=org.opensuse.CupsPkHelper.Mechanism,
+
+ dbus bind bus=system
+ name=org.opensuse.CupsPkHelper.Mechanism,
+
+ @{exec_path} mr,
+
+ /etc/cups/ppd/*.ppd r,
+
+ owner /tmp/[a-z0-9]* rw,
+
+ @{run}/cups/cups.sock rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
new file mode 100644
index 000000000..6ccb2338f
--- /dev/null
+++ b/apparmor.d/profiles-a-f/cupsd
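Review bot: The profile receives method calls on `org.opensuse.CupsPkHelper.Mechanism` and binds the name, but has no `dbus send` rule toward polkit; the mechanism is a polkit-gated service that checks each caller with `org.freedesktop.PolicyKit1.Authority` (`CheckAuthorization`) before touching cupsd, so under enforce that check is denied and every request fails closed — safe, but the service is unusable. Unless one of the three includes (targets lost in rendering) already provides it, add `dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1),`. The unconstrained `dbus receive` rule is appropriate here: the mechanism's callers are arbitrary clients and polkit, not a peer constraint, is what is meant to gate them, which a comment above the rule could say in one line.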
@@ -0,0 +1,90 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/cupsd
+profile cupsd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_admin,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability wake_alarm,
+
+ network inet stream,
+ network inet6 stream,
+
+ network appletalk dgram,
+ network ash dgram,
+ network ax25 dgram,
+ network bluetooth,
+ network econet dgram,
+ network ipx dgram,
+ network netrom seqpacket,
+ network rose dgram,
+ network x25 seqpacket,
+
+ dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
+ interface=org.freedesktop.ColorManager{,.*}
+ member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
+ peer=(name=org.freedesktop.ColorManager),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gsc rix,
+ /{usr/,}bin/hostname rix,
+ /{usr/,}bin/ippfind rix,
+ /{usr/,}bin/python3.[0-9]* rix,
+ /{usr/,}bin/smbspool rPx,
+ /{usr/,}bin/xz rix,
+ /{usr/,}lib/cups/backend/* rPx,
+ /{usr/,}lib/cups/cgi-bin/*.cgi rix,
+ /{usr/,}lib/cups/daemon/* rix,
+ /{usr/,}lib/cups/driver/* rix,
+ /{usr/,}lib/cups/filter/* rix,
+ /{usr/,}lib/cups/monitor/* rix,
+ /{usr/,}lib/cups/notifier/* rix,
+
+ /usr/share/cups/{,**} r,
+ /usr/share/ppd/{,**} r,
+ /usr/share/ghostscript/{,**} r,
+
+ /etc/cups/{,**} rw,
+ /etc/foomatic/* r,
+ /etc/papersize r,
+ /etc/pnm2ppa.conf r,
+ /etc/printcap rwl,
+
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rwk,
+ /var/log/cups/{,*} rw,
+ /var/spool/cups/{,**} rw,
+
+ @{run}/cups/{,**} rw,
+ @{run}/systemd/notify w,
+
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ @{PROC}/@{pids}/fd r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide
index 0825db141..7e7c07801 100644
--- a/debian/apparmor.d.hide
+++ b/debian/apparmor.d.hide
@@ -2,3 +2,5 @@
 # SPDX-License-Identifier: GPL-2.0-only
 /etc/apparmor.d/usr.bin.man
+/etc/apparmor.d/usr.sbin.cups-browsed
+/etc/apparmor.d/usr.sbin.cupsd
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 88f0c6c1e..804f7d4ab 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -21,6 +21,21 @@ cockpit-ssh complain
 cockpit-tls complain
 cockpit-ws complain
 cockpit-wsinstance-factory complain
+cups-backend-beh complain
+cups-backend-brf complain
+cups-backend-dnssd complain
+cups-backend-implicitclass complain
+cups-backend-ipp complain
+cups-backend-lpd complain
+cups-backend-parallel complain
+cups-backend-pdf complain
+cups-backend-serial complain
+cups-backend-snmp complain
+cups-backend-socket complain
+cups-backend-usb complain
+cups-browsed complain
+cups-pk-helper-mechanism complain
+cupsd attach_disconnected,complain
 dkms attach_disconnected,complain
 downloadhelper complain
 e2fsck complain
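Review bot: The helpers under `/{usr/,}lib/cups/{cgi-bin,daemon,driver,filter,monitor,notifier}/*` are executed `rix`, so the filters that parse job-supplied data (PDF, PostScript, raster) keep cupsd's own profile — all twelve capabilities, `/etc/cups/{,**} rw`, `/var/cache/cups/** rwk`, `/etc/printcap rwl` and the `python3.[0-9]*`, `gsc` and shell exec rules — whereas the backend line directly above already transitions with `rPx`; cupsd dropping to an unprivileged user for filters is a uid change, not a profile change, so the confinement stays this wide. Giving the filter directory its own transition, at minimum `/{usr/,}lib/cups/filter/* rPx,` mirroring the backend rule (or `rCx -> filter,` with a child block that holds no capabilities), keeps a filter compromise away from cupsd's configuration write access. Separately, this is the only profile in the commit without an `abi` declaration before its first include (new-file line 5), so it is parsed under the parser's default/pinned ABI rather than the one the sibling profiles declare; worth adding for consistency, since rule mediation, network rules in particular, can differ between ABIs. The `network appletalk/ash/ax25/econet/ipx/netrom/rose/x25` rules look carried over from a distribution profile; if nothing on a current system uses those families they are only surface and a comment saying why they are kept, or their removal, would help.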