Bug#977813: cupsd requests net_admin capability, but AppArmor denies
On Mon 21 Dec 2020 at 12:25:21 +0100, Jörg Sommer wrote:
> Package: cups-daemon
> Version: 2.3.3op1-3
> Severity: normal
>
> Hi,
>
> since the upgrade of cups-daemon from 2.3.3-4 to 2.3.3op1-1 I see these
> messages in my log:
>
> ```
> kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12 capname="net_admin"
> ```
>
> I'm unsure whether to allow it in AppArmor, because it's a very privileged
> capability:
>
> > CAP_NET_ADMIN
> > Perform various network-related operations:
> > * interface configuration;
> > * administration of IP firewall, masquerading, and accounting;
> > * modify routing tables;
> > * bind to any address for transparent proxying;
> > * set type-of-service (TOS);
> > * clear driver statistics;
> > * set promiscuous mode;
> > * enabling multicasting;
> > * use setsockopt(2) to set the following socket options: SO_DEBUG,
> > SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6),
> > SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
Thank you for your report, Jörg. Please see #980974:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980974
Regards,
Brian.
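
A triage sketch for audit records like the one quoted in the report, added here as an example and not part of the original thread or of CUPS or AppArmor: it parses the `key=value` fields, counts capability denials per profile, and marks the ones to review before adding a `capability` rule. The `REVIEW_CAPS` set and every sample line except the first are assumptions constructed for the example.

```python
import re
from collections import Counter

# key=value or key="value" pairs, as in the audit record quoted in the report
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Capabilities this example flags for manual review (an assumption, not a standard list)
REVIEW_CAPS = {"net_admin", "sys_admin", "sys_module", "sys_ptrace", "dac_override"}

# First line is the record from the report; the others are constructed sample input
SAMPLE = [
    'kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12 capname="net_admin"',
    'kernel: audit: type=1400 audit(1608535290.101:114): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/cupsd" pid=479750 comm="cupsd" capability=12 capname="net_admin"',
    'kernel: audit: type=1400 audit(1608535291.000:115): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=479750 comm="cupsd" denied_mask="r"',
    'kernel: audit: type=1400 audit(1608535292.000:116): apparmor="DENIED" operation="capable" '
    'profile="/usr/bin/example" pid=1234 comm="example" capability=0 capname="chown"',
    'kernel: usb 1-1: new high-speed USB device number 2',
]

def parse_record(line):
    """Return the fields of an AppArmor audit record as a dict, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {key: bare or quoted for key, quoted, bare in FIELD.findall(line)}

def denied_capabilities(lines):
    """Count capability denials per (profile, capname); file and ALLOWED events are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "capable":
            counts[(rec.get("profile", "?"), rec.get("capname", "?"))] += 1
    return counts

def triage(lines):
    """Sorted rows of (profile, capname, count, needs_review)."""
    return [(p, c, n, c in REVIEW_CAPS)
            for (p, c), n in sorted(denied_capabilities(lines).items())]

if __name__ == "__main__":
    for profile, cap, count, review in triage(SAMPLE):
        flag = "REVIEW before allowing" if review else "not in review list"
        print(f"{profile}: capability {cap} denied {count}x ({flag})")
```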