1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
|
# vim:syntax=apparmor
# Last Modified: Thu Aug 2 12:54:46 2007
# Author: Martin Pitt <martin.pitt@ubuntu.com>
#include <tunables/global>
/usr/sbin/cupsd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/authentication>
#include <abstractions/dbus>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/perl>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability audit_write,
capability wake_alarm,
deny capability block_suspend,
# noisy
deny signal (send) set=("term") peer=unconfined,
# nasty, but we limit file access pretty tightly, and cups chowns a
# lot of files to 'lp' which it cannot read/write afterwards any
# more
capability dac_override,
capability dac_read_search,
# the bluetooth backend needs this
network bluetooth,
# the dnssd backend uses those
network x25 seqpacket,
network ax25 dgram,
network netrom seqpacket,
network rose dgram,
network ipx dgram,
network appletalk dgram,
network econet dgram,
network ash dgram,
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,
/{usr/,}bin/hostname ixr,
/dev/lp* rw,
deny /dev/tty rw, # silence noise
/dev/ttyS* rw,
/dev/ttyUSB* rw,
/dev/usb/lp* rw,
/dev/bus/usb/ r,
/dev/bus/usb/** rw,
/dev/parport* rw,
/etc/cups/ rw,
/etc/cups/** rw,
/etc/cups/interfaces/* ixrw,
/etc/foomatic/* r,
/etc/gai.conf r,
/etc/papersize r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/etc/ssl/** r,
@{PROC}/net/ r,
@{PROC}/net/* r,
@{PROC}/sys/dev/parport/** r,
@{PROC}/*/net/ r,
@{PROC}/*/net/** r,
@{PROC}/*/auxv r,
@{PROC}/sys/crypto/** r,
/sys/** r,
/usr/bin/* ixr,
/usr/sbin/* ixr,
/{usr/,}bin/* ixr,
/{usr/,}sbin/* ixr,
/usr/lib/** rm,
# backends which come with CUPS can be confined
/usr/lib/cups/backend/bluetooth ixr,
/usr/lib/cups/backend/dnssd ixr,
/usr/lib/cups/backend/http ixr,
/usr/lib/cups/backend/ipp ixr,
/usr/lib/cups/backend/lpd ixr,
/usr/lib/cups/backend/mdns ixr,
/usr/lib/cups/backend/parallel ixr,
/usr/lib/cups/backend/serial ixr,
/usr/lib/cups/backend/snmp ixr,
/usr/lib/cups/backend/socket ixr,
/usr/lib/cups/backend/usb ixr,
# we treat cups-pdf specially, since it needs to write into /home
# and thus needs extra paranoia
/usr/lib/cups/backend/cups-pdf Px,
# allow communicating with cups-pdf via Unix sockets
unix peer=(label=/usr/lib/cups/backend/cups-pdf),
# third party backends get no restrictions as they often need high
# privileges and this is beyond our control
/usr/lib/cups/backend/* Cx -> third_party,
/usr/lib/cups/cgi-bin/* ixr,
/usr/lib/cups/daemon/* ixr,
/usr/lib/cups/monitor/* ixr,
/usr/lib/cups/notifier/* ixr,
# filters and drivers (PPD generators) are always run as non-root,
# and there are a lot of third-party drivers which we cannot predict
/usr/lib/cups/filter/** Cxr -> third_party,
/usr/lib/cups/driver/* Cxr -> third_party,
/usr/local/** rm,
/usr/local/lib/cups/** rix,
/usr/share/** r,
/{,var/}run/** rm,
/{,var/}run/avahi-daemon/socket rw,
deny /{,var/}run/samba/ rw,
/{,var/}run/samba/** rw,
/var/cache/samba/*.tdb r,
/var/{cache,lib}/samba/printing/printers.tdb r,
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/log/cups/ rw,
/var/log/cups/* rw,
/var/spool/cups/ rw,
/var/spool/cups/** rw,
# third-party printer drivers; no known structure here
/opt/** rix,
# FIXME: no policy ATM for hplip and Brother drivers
/usr/bin/hpijs Cx -> third_party,
/usr/Brother/** Cx -> third_party,
# Kerberos authentication
/etc/krb5.conf r,
deny /etc/krb5.conf w,
/etc/krb5.keytab rk,
/etc/cups/krb5.keytab rwk,
/tmp/krb5cc* k,
# likewise authentication
/etc/likewise r,
/etc/likewise/* r,
# silence noise
deny /etc/udev/udev.conf r,
signal peer=/usr/sbin/cupsd//third_party,
unix peer=(label=/usr/sbin/cupsd//third_party),
profile third_party flags=(attach_disconnected) {
# third party backends, filters, and drivers get relatively no restrictions
# as they often need high privileges, are unpredictable or otherwise beyond
# our control
file,
capability,
audit deny capability mac_admin,
network,
dbus,
signal,
ptrace,
unix,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.cupsd>
}
# separate profile since this needs to write into /home
/usr/lib/cups/backend/cups-pdf {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# unfortunate, but required for when $HOME is 700
capability dac_override,
capability dac_read_search,
# allow communicating with cupsd via Unix sockets
unix peer=(label=/usr/sbin/cupsd),
@{PROC}/*/auxv r,
/{usr/,}bin/dash ixr,
/{usr/,}bin/bash ixr,
/{usr/,}bin/cp ixr,
/etc/papersize r,
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
@{HOME}/PDF/ rw,
@{HOME}/PDF/* rw,
/usr/bin/gs ixr,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
/var/log/cups/cups-pdf*_log w,
/var/spool/cups/** r,
/var/spool/cups-pdf/** rw,
}
|
