From 2d3831221af1662619f74f10a208aff01c599665 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 22 Aug 2025 18:16:43 +0200
Subject: [PATCH] feat(profile): update cups profiles.

---
 apparmor.d/groups/cups/cups-browsed        |  5 ++++-
 apparmor.d/groups/cups/ippfind             | 22 ++++++++++++++++++++++
 apparmor.d/groups/cups/print-backends-cups | 19 +++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/cups/ippfind
 create mode 100644 apparmor.d/groups/cups/print-backends-cups

diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed
index 9498f245a..a7773a57f 100644
--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@@ -38,7 +38,7 @@ profile cups-browsed @{exec_path} {
 
   dbus receive bus=system path=/org/cups/cupsd/Notifier
        interface=org.cups.cupsd.Notifier
-       member=PrinterDeleted
+       member={PrinterDeleted,PrinterStopped}
        peer=(name=@{busname}, label=cups-notifier-dbus),
 
   @{exec_path} mr,
@@ -52,7 +52,10 @@ profile cups-browsed @{exec_path} {
   /var/cache/cups/{,**} rw,
   /var/log/cups/{,**} rw,
 
+  owner @{tmp}/@{hex} rw,
+
   @{run}/cups/certs/* r,
+  @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ?
 
   @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 
diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind
new file mode 100644
index 000000000..c2a944b11
--- /dev/null
+++ b/apparmor.d/groups/cups/ippfind
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/ippfind
+profile ippfind @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.Avahi>
+
+  @{exec_path} mr,
+
+  @{bin}/echo rix,
+
+  include if exists <local/ippfind>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups
new file mode 100644
index 000000000..6ab6007cb
--- /dev/null
+++ b/apparmor.d/groups/cups/print-backends-cups
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/@{multiarch}/print-backends/cups
+profile print-backends-cups @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  include if exists <local/print-backends-cups>
+}
+
+# vim:syntax=apparmor