
Bug#977813: cupsd requests net_admin capability, but AppArmor denies



On Mon 21 Dec 2020 at 12:25:21 +0100, Jörg Sommer wrote:

> Package: cups-daemon
> Version: 2.3.3op1-3
> Severity: normal
> 
> Hi,
> 
> since the upgrade of cups-daemon from 2.3.3-4 to 2.3.3op1-1 I see these
> messages in my log:
> 
> ```
> kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12  capname="net_admin"
> ```
> 
> I'm unsure whether to allow it in AppArmor, because it's a very privileged
> capability:
> 
> > CAP_NET_ADMIN
> >        Perform various network-related operations:
> >        * interface configuration;
> >        * administration of IP firewall, masquerading, and accounting;
> >        * modify routing tables;
> >        * bind to any address for transparent proxying;
> >        * set type-of-service (TOS);
> >        * clear driver statistics;
> >        * set promiscuous mode;
> >        * enabling multicasting;
> >        * use setsockopt(2) to set the following socket options:
> >          SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
> >          range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

Thank you for your report, Jörg. Please see #980974:

 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980974

Regards,

Brian.
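
An added example, not part of the original messages or of the cups or AppArmor projects: a small parser for kernel AppArmor audit records like the one quoted in the report, which counts denied capability checks per profile so that a denial such as net_admin can be reviewed before any profile change. The `BROAD_CAPS` review list and every log line after the first are assumptions constructed for the example.

```python
import re
import shlex
from collections import Counter

# Assumed review list for this example: capabilities broad enough that a
# denial should be investigated before the profile is relaxed.
BROAD_CAPS = {"net_admin", "sys_admin", "sys_module", "sys_ptrace"}

AUDIT_RE = re.compile(r"audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)$")

# First line is the record quoted in the report; the rest are constructed.
SAMPLE_LOG = [
    'kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12  capname="net_admin"',
    'kernel: audit: type=1400 audit(1608535290.101:114): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479802 comm="cupsd" capability=12  capname="net_admin"',
    'kernel: audit: type=1400 audit(1608535291.555:115): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/example/path" pid=479802 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'kernel: audit: type=1400 audit(1608535292.000:116): apparmor="ALLOWED" operation="capable" profile="/usr/bin/example" pid=480000 comm="example" capability=21  capname="sys_admin"',
    'kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd',
]

def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    try:
        tokens = shlex.split(m.group(3))   # strips the quotes around values
    except ValueError:                     # unbalanced quote: truncated record
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["timestamp"] = float(m.group(1))
    return fields

def capability_denials(lines):
    """Count DENIED capability checks per (profile, capname)."""
    counts = Counter()
    for line in lines:
        rec = parse_apparmor_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "capable":
            counts[(rec.get("profile"), rec.get("capname"))] += 1
    return counts

def report(lines):
    """Sorted rows of (profile, capname, count, needs_review)."""
    return [(p, c, n, c in BROAD_CAPS)
            for (p, c), n in sorted(capability_denials(lines).items())]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Records logged as ALLOWED (complain mode) and non-capability denials are deliberately left out of the count.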

