Bug#977813: cupsd requests net_admin capability, but AppArmor denies

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#977813: cupsd requests net_admin capability, but AppArmor denies
From: Jörg Sommer <joerg@jo-so.de>
Date: Mon, 21 Dec 2020 12:25:21 +0100
Message-id: <[🔎] 20201221112521.tiidpk44ijyvjjap@jo-so.de>
Reply-to: Jörg Sommer <joerg@jo-so.de>, 977813@bugs.debian.org

Package: cups-daemon
Version: 2.3.3op1-3
Severity: normal

Hi,

since the upgrade of cups-daemon from 2.3.3-4 to 2.3.3op1-1 I see these
message in my log:

```
kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12  capname="net_admin"
```

I'm unsure to allow it in AppArmor, because it's a very privileged
capability:

> CAP_NET_ADMIN
>        Perform various network-related operations:
>        * interface configuration;
>        * administration of IP firewall, masquerading, and accounting;
>        * modify routing tables;
>        * bind to any address for transparent proxying;
>        * set type-of-service (TOS);
>        * clear driver statistics;
>        * set promiscuous mode;
>        * enabling multicasting;
>        * use setsockopt(2) to set the following socket options:  SO_DE‐
>          BUG,  SO_MARK, SO_PRIORITY (for a priority outside the range 0
>          to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

Regards Jörg

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-5-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser              3.118
ii  bc                   1.07.1-2+b2
ii  init-system-helpers  1.60
ii  libavahi-client3     0.8-3
ii  libavahi-common3     0.8-3
ii  libc6                2.31-6
ii  libcups2             2.3.3op1-3
ii  libdbus-1-3          1.13.18-1
ii  libgssapi-krb5-2     1.18.3-4
ii  libpam0g             1.3.1-5
ii  libpaper1            1.1.28+b1
ii  libsystemd0          247.2-1
ii  lsb-base             11.1.0
ii  procps               2:3.3.16-5
ii  ssl-cert             1.0.40

Versions of packages cups-daemon recommends:
pn  avahi-daemon  <none>
pn  colord        <none>
pn  cups-browsed  <none>
pn  ipp-usb       <none>

Versions of packages cups-daemon suggests:
ii  cups                                       2.3.3op1-3
pn  cups-bsd                                   <none>
ii  cups-client                                2.3.3op1-3
ii  cups-common                                2.3.3op1-3
ii  cups-filters                               1.28.6-1
pn  cups-pdf                                   <none>
ii  cups-ppdc                                  2.3.3op1-3
ii  cups-server-common                         2.3.3op1-3
pn  foomatic-db-compressed-ppds | foomatic-db  <none>
ii  ghostscript                                9.53.3~dfsg-5
ii  poppler-utils                              20.09.0-3
ii  smbclient                                  2:4.13.3+dfsg-1
ii  udev                                       247.2-1

-- no debconf information

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Bug#977198: cups service should start after nslcd service
Next by Date: Re: Bug#977754: evince does not display EPS or PS files anymore and shows "Loading..." forever
Previous by thread: Processed: found 977568 in 2.0.2-3, tagging 977568, tagging 972089, fixed 972089 in 3.20.9+dfsg0-4 ...
Next by thread: Re: Bug#977754: evince does not display EPS or PS files anymore and shows "Loading..." forever
Index(es):
- Date
- Thread