Bug#763673: marked as done (/etc/apparmor.d/usr.sbin.cupsd AppArmor profile doesn't parse (depends on unreleased AppArmor 2.9 parser))

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 02 Oct 2014 09:35:28 +0000
with message-id <E1XZcnI-0008WS-1m@franck.debian.org>
and subject line Bug#763673: fixed in cups 1.7.5-4
has caused the Debian Bug report #763673,
regarding /etc/apparmor.d/usr.sbin.cupsd AppArmor profile doesn't parse (depends on unreleased AppArmor 2.9 parser)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
763673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763673
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: /etc/apparmor.d/usr.sbin.cupsd AppArmor profile doesn't parse (depends on unreleased AppArmor 2.9 parser)
• From: intrigeri@debian.org
• Date: Wed, 01 Oct 2014 21:06:25 +0200
• Message-id: <[🔎] 85y4szlidq.fsf@boum.org>

Package: cups-daemon
Version: 1.7.5-3
Severity: normal
Tags: patch
X-Debbugs-Cc: Debian AppArmor team <pkg-apparmor-team@lists.alioth.debian.org>

Hi,

since the upgrade to 1.7.5-3, the /etc/apparmor.d/usr.sbin.cupsd
profile doesn't parse on sid anymore, and is thus entirely disabled.
That's because it contains rules that depend:

  * to be useful: on kernel patches that were not submitted to Linux
    mainline yet

  * to parse at all, regardless of the kernel's AppArmor feature: on
    AppArmor 2.9 userspace (unreleased yet), that is able to ignore
    rules the kernel doesn't support

The attached patch fixes this. Of course, the resulting profile is
less strict than it could be, but oh well, at least it will
be enabled.

Cheers,
--
intrigeri

--- /etc/apparmor.d/usr.sbin.cupsd.orig	2014-09-30 13:04:05.000000000 +0200
+++ /etc/apparmor.d/usr.sbin.cupsd	2014-10-01 21:03:01.191242269 +0200
@@ -141,7 +141,6 @@
   # silence noise
   deny /etc/udev/udev.conf r,
 
-  signal (receive, send) peer=third_party,
   profile third_party {
     # third party backends, filters, and drivers get relatively no restrictions
     # as they often need high privileges, are unpredictable or otherwise beyond
@@ -150,10 +149,6 @@
     capability,
     audit deny capability mac_admin,
     network,
-    dbus,
-    signal,
-    ptrace,
-    unix,
   }
 
   # Site-specific additions and overrides. See local/README for details.

--- End Message ---

--- Begin Message ---

• To: 763673-close@bugs.debian.org
• Subject: Bug#763673: fixed in cups 1.7.5-4
• From: Didier Raboud <odyx@debian.org>
• Date: Thu, 02 Oct 2014 09:35:28 +0000
• Message-id: <E1XZcnI-0008WS-1m@franck.debian.org>

Source: cups
Source-Version: 1.7.5-4

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 763673@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Oct 2014 21:40:15 +0200
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsmime1 libcupsppdc1 cups cups-core-drivers cups-daemon cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common cups-server-common cups-ppdc cups-dbg
Architecture: source all
Version: 1.7.5-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 cups       - Common UNIX Printing System(tm) - PPD/driver support, web interfa
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-core-drivers - Common UNIX Printing System(tm) - PPD-less printing
 cups-daemon - Common UNIX Printing System(tm) - daemon
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cups-server-common - Common UNIX Printing System(tm) - server common files
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Closes: 763673
Changes:
 cups (1.7.5-4) unstable; urgency=medium
 .
   [ intrigeri ]
   * In the apparmor profile, drop features yet unsupported in Debian
     (Closes: #763673)
 .
   [ Didier Raboud ]
   * Add the Ubuntu-specific apparmor profile as Ubuntu-specific patch
Checksums-Sha1:
 372bb09f7ea483cfc7d81df3a9d70b72f4637ba6 3529 cups_1.7.5-4.dsc
 6ed26974643c09e9aef5e368423620b0c19e88e1 297732 cups_1.7.5-4.debian.tar.xz
 6dd91b8ac8b2053264374c3090ab2ce41d46f4f9 272646 cups-common_1.7.5-4_all.deb
 d05b722cc9deb718b56a07acb6c12251920e30d8 618066 cups-server-common_1.7.5-4_all.deb
Checksums-Sha256:
 377baaaa697a968ae89b00ab503cfd97cd3d185d22d4e1ab02aedc7af2ee0eb9 3529 cups_1.7.5-4.dsc
 4d0ca62f64737652e40e7898f55f6f2b9904659eeb5fa12fef9c348c64a986f8 297732 cups_1.7.5-4.debian.tar.xz
 8b1c89c86f1ed3d09929628f1c789313bbad206cc274be85dc225be93a6fec55 272646 cups-common_1.7.5-4_all.deb
 46322f5e115e51d86eaada3c5bb6e2333ad1970d26ea910153a7778f3bac2db5 618066 cups-server-common_1.7.5-4_all.deb
Files:
 29e11b21573cdd9b9252df876c4a162c 272646 net optional cups-common_1.7.5-4_all.deb
 744a0f50ca975cdb999f94dc84910e58 618066 net optional cups-server-common_1.7.5-4_all.deb
 7f0f43940e6aa918c101fa9a6b94e196 3529 net optional cups_1.7.5-4.dsc
 ca6760b09e16315a6d624685f7e0a277 297732 net optional cups_1.7.5-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJULRUAAAoJEIvPpx7KFjRVX1YL/04agXT76197gSSwFhM5xJHx
oOcJhlCnp21ZNMN6n7qh3quQw4VRsiOnUMQd72ALO3nYoisdwN7FVHNAMVnROYdY
Ht+lpXYud4UDgeDEbOISasaowfjKHMbQJliAf0Ek5tJtBzMy9r+HegRocUcGJs3S
y+J/2oahz3pX8gkhcSF3lYZwXBUtTOymV7R05KzFaQopccEUvnHvQBtdltrpfq4m
mCx3dFPm2vZeEPk9gW+cbMM0TWSRUjtq/dww+bfrR8Fq4TnEI3YteeLxHiCkPlN2
Ds0jJvYnevgUC1T252/V6WMd/pp0uE2csHOQUlvTLH0oaXG9p5FZyHAJYYzJAXer
nLGS8r5txTAuOB/nwgUOzvD+i7gqROKbIDEf/xG78/sDxGUaktYYZ5uXnXgbsl0R
5hBx6nRWYFZawfBevnIpBDp5XN905zC2rftbOqoY5E2AI5dRSnOfoBYjKIsa2duy
zOjh9xZkz+tBQwa/PtSEqnWqw3yDaFA8VsHQi8N03A==
=o67f
-----END PGP SIGNATURE-----

--- End Message ---