Bug#898122: cups-daemon: Harden systemd service by default
Package: cups-daemon
Version: 2.3~b4-2
Severity: wishlist
Dear Maintainer,
Since cupsd must run as root, we should restrict its capabilities as much as possible. Given that the cups-daemon package provides the systemd service, would it be possible to harden it by default? The following options worked for me in the [Service] section (but they may need more extensive testing):
# Proposed [Service] hardening for cupsd (see the report text above).
# NOTE(review): this set is narrower than the AppArmor profile reported further
# down, which also grants `capability kill` and `capability wake_alarm`. Filters
# and drivers run as non-root per that profile, so a root cupsd that signals
# them may need CAP_KILL — confirm before dropping it. Conversely CAP_NET_RAW is
# kept here although the AppArmor profile grants no net_raw; confirm anything
# actually needs it.
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID
# strict: the file system is read-only for the service except for the
# ReadWritePaths= listed at the end.
ProtectSystem=strict
# NOTE(review): the cups-pdf profile below writes to @{HOME}/PDF/; ProtectHome=
# applies to the whole service, children included, so cups-pdf is expected to
# break with this on — confirm.
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# NOTE(review): the cupsd profile below touches /tmp/krb5cc*; a private /tmp
# hides credential caches placed there by other processes — confirm if Kerberos
# printing is in use.
PrivateTmp=true
# NOTE(review): PrivateDevices= gives the service a minimal /dev, while the
# AppArmor profile below expects /dev/lp*, /dev/usb/lp*, /dev/bus/usb/**,
# /dev/ttyS*, /dev/ttyUSB* and /dev/parport*. Locally attached printers will
# likely need this left off, or explicit DeviceAllow= rules instead.
PrivateDevices=true
MemoryDenyWriteExecute=true
LockPersonality=true
# NOTE(review): /var/run/cups is listed; the AppArmor rules use /{,var/}run/cups/
# for the same tree. Confirm systemd resolves the /var/run symlink here, or add
# /run/cups explicitly.
ReadWritePaths=/etc/cups /var/log/cups /var/run/cups /var/cache/cups /var/spool/cups
Sincerely,
Chiraag
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.16.5-chiraag (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups-daemon depends on:
ii adduser 3.117
ii bc 1.07.1-2
ii libavahi-client3 0.7-4
ii libavahi-common3 0.7-4
ii libc6 2.27-3
ii libcups2 2.3~b4-2
ii libcupsmime1 2.3~b4-2
ii libdbus-1-3 1.13.4-1
ii libgssapi-krb5-2 1.16-2
ii libpam0g 1.1.8-3.7
ii libpaper1 1.1.24+nmu5
ii libsystemd0 238-4
ii lsb-base 9.20170808
ii procps 2:3.3.14-1+b1
ii ssl-cert 1.0.39
Versions of packages cups-daemon recommends:
ii avahi-daemon 0.7-4
pn colord <none>
ii cups-browsed 1.20.3-1+b1
Versions of packages cups-daemon suggests:
ii cups 2.3~b4-2
ii cups-bsd 2.3~b4-2
ii cups-client 2.3~b4-2
ii cups-common 2.3~b4-2
ii cups-filters [foomatic-filters] 1.20.3-1+b1
ii cups-ppdc 2.3~b4-2
ii cups-server-common 2.3~b4-2
ii foomatic-db-compressed-ppds [foomatic-db] 20180306-1
ii ghostscript 9.22~dfsg-2.1
pn hplip <none>
ii poppler-utils 0.64.0-1
ii printer-driver-cups-pdf [cups-pdf] 3.0.1-5
ii printer-driver-gutenprint 5.3.0~pre1-3
ii printer-driver-hpcups 3.18.4+repack0-2
pn smbclient <none>
ii udev 238-4
-- Configuration Files:
/etc/apparmor.d/usr.sbin.cupsd changed:
# AppArmor profile for the CUPS scheduler (cupsd). This copy is reported as
# "changed" from the packaged default, so it may differ from what cups-daemon
# ships.
/usr/sbin/cupsd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/authentication>
#include <abstractions/dbus>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/perl>
#include <abstractions/user-tmp>
# Capabilities cupsd keeps. NOTE(review): kill and wake_alarm are granted here
# but are absent from the systemd CapabilityBoundingSet= proposed in this report;
# the two lists should be reconciled.
capability chown,
capability fowner,
capability fsetid,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability audit_write,
capability wake_alarm,
deny capability block_suspend,
# noisy
deny signal (send) set=("term") peer=unconfined,
# nasty, but we limit file access pretty tightly, and cups chowns a
# lot of files to 'lp' which it cannot read/write afterwards any
# more
capability dac_override,
capability dac_read_search,
# the bluetooth backend needs this
network bluetooth,
# the dnssd backend uses those
network x25 seqpacket,
network ax25 dgram,
network netrom seqpacket,
network rose dgram,
network ipx dgram,
network appletalk dgram,
network econet dgram,
network ash dgram,
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,
/{usr/,}bin/hostname ixr,
# Printer device nodes opened directly by cupsd and its backends. A sandbox
# that hides /dev (e.g. systemd PrivateDevices=) would cut these off.
/dev/lp* rw,
deny /dev/tty rw, # silence noise
/dev/ttyS* rw,
/dev/ttyUSB* rw,
/dev/usb/lp* rw,
/dev/bus/usb/ r,
/dev/bus/usb/** rw,
/dev/parport* rw,
/etc/cups/ rw,
/etc/cups/** rw,
/etc/cups/interfaces/* ixrw,
/etc/foomatic/* r,
/etc/gai.conf r,
/etc/papersize r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/etc/ssl/** r,
@{PROC}/net/ r,
@{PROC}/net/* r,
@{PROC}/sys/dev/parport/** r,
@{PROC}/*/net/ r,
@{PROC}/*/net/** r,
@{PROC}/*/auxv r,
@{PROC}/sys/crypto/** r,
/sys/** r,
# Broad execute rules: any binary under these directories runs inheriting this
# profile (ix). They subsume the explicit bash/dash/hostname rules above.
# NOTE(review): worth checking whether the packaged default is this wide.
/usr/bin/* ixr,
/usr/sbin/* ixr,
/{usr/,}bin/* ixr,
/{usr/,}sbin/* ixr,
/usr/lib/** rm,
# backends which come with CUPS can be confined
/usr/lib/cups/backend/bluetooth ixr,
/usr/lib/cups/backend/dnssd ixr,
/usr/lib/cups/backend/http ixr,
/usr/lib/cups/backend/ipp ixr,
/usr/lib/cups/backend/lpd ixr,
/usr/lib/cups/backend/parallel ixr,
/usr/lib/cups/backend/serial ixr,
/usr/lib/cups/backend/snmp ixr,
/usr/lib/cups/backend/socket ixr,
/usr/lib/cups/backend/usb ixr,
# we treat cups-pdf specially, since it needs to write into /home
# and thus needs extra paranoia
/usr/lib/cups/backend/cups-pdf Px,
# allow communicating with cups-pdf via Unix sockets
unix peer=(label=/usr/lib/cups/backend/cups-pdf),
# third party backends get no restrictions as they often need high
# privileges and this is beyond our control
/usr/lib/cups/backend/* Cx -> third_party,
/usr/lib/cups/cgi-bin/* ixr,
/usr/lib/cups/daemon/* ixr,
/usr/lib/cups/monitor/* ixr,
/usr/lib/cups/notifier/* ixr,
# filters and drivers (PPD generators) are always run as non-root,
# and there are a lot of third-party drivers which we cannot predict
/usr/lib/cups/filter/** Cxr -> third_party,
/usr/lib/cups/driver/* Cxr -> third_party,
/usr/local/** rm,
# NOTE(review): rix means anything under here executes in this profile, unlike
# the Cx -> third_party transitions used for the /usr/lib/cups counterparts
# above; the same applies to /opt/** below. Inconsistent, and worth a look.
/usr/local/lib/cups/** rix,
/usr/share/** r,
/{,var/}run/** rm,
/{,var/}run/avahi-daemon/socket rw,
deny /{,var/}run/samba/ rw,
/{,var/}run/samba/** rw,
/var/cache/samba/*.tdb r,
/var/{cache,lib}/samba/printing/printers.tdb r,
# Runtime state; these directories line up with the ReadWritePaths= proposed
# in this report.
/{,var/}run/cups/ rw,
/{,var/}run/cups/** rw,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/log/cups/ rw,
/var/log/cups/* rw,
/var/spool/cups/ rw,
/var/spool/cups/** rw,
# third-party printer drivers; no known structure here
/opt/** rix,
# FIXME: no policy ATM for hplip and Brother drivers
/usr/bin/hpijs Cx -> third_party,
/usr/Brother/** Cx -> third_party,
# Kerberos authentication
/etc/krb5.conf r,
deny /etc/krb5.conf w,
/etc/krb5.keytab rk,
/etc/cups/krb5.keytab rwk,
/tmp/krb5cc* k,
# likewise authentication
/etc/likewise r,
/etc/likewise/* r,
# silence noise
deny /etc/udev/udev.conf r,
signal peer=/usr/sbin/cupsd//third_party,
unix peer=(label=/usr/sbin/cupsd//third_party),
profile third_party flags=(attach_disconnected) {
# third party backends, filters, and drivers get relatively no restrictions
# as they often need high privileges, are unpredictable or otherwise beyond
# our control
# Effectively unconfined: unrestricted file, network, dbus, signal, ptrace and
# unix access, plus every capability except mac_admin (denied and logged).
# Confinement for anything that transitions here is nominal.
file,
capability,
audit deny capability mac_admin,
network,
dbus,
signal,
ptrace,
unix,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.cupsd>
}
# AppArmor profile for the cups-pdf backend. cupsd enters it through a Px rule,
# so it is confined separately from the scheduler and can be kept tighter.
/usr/lib/cups/backend/cups-pdf flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# unfortunate, but required for when $HOME is 700
capability dac_override,
capability dac_read_search,
# allow communicating with cupsd via Unix sockets
unix peer=(label=/usr/sbin/cupsd),
@{PROC}/*/auxv r,
/{usr/,}bin/dash ixr,
/{usr/,}bin/bash ixr,
/{usr/,}bin/cp ixr,
/etc/papersize r,
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
# Output lands in the user's home. NOTE(review): a ProtectHome= setting on the
# cupsd service applies to the whole service, children included, and would
# block these writes.
@{HOME}/PDF/ rw,
@{HOME}/PDF/* rw,
/usr/bin/gs ixr,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
/var/log/cups/cups-pdf*_log w,
/var/spool/cups/** r,
/var/spool/cups-pdf/** rw,
}
-- no debconf information