[Pkg-cups-devel] r714 - in cupsys/trunk: . debian debian/local
Martin Pitt
mpitt at alioth.debian.org
Sun Mar 16 21:32:39 UTC 2008
Author: mpitt
Date: Sun Mar 16 21:32:39 2008
New Revision: 714
Log:
* Add debian/local/apparmor-profile: AppArmor profile (taken from Ubuntu
branch). Install it in debian/rules if package is built on Ubuntu (tested
with lsb_release -is). Reload AppArmor in debian/cupsys.postinst if both
the cupsys profile and AppArmor itself are present.
Added:
cupsys/trunk/debian/local/apparmor-profile
Modified:
cupsys/trunk/ (props changed)
cupsys/trunk/debian/changelog
cupsys/trunk/debian/cupsys.postinst
cupsys/trunk/debian/rules
Modified: cupsys/trunk/debian/changelog
==============================================================================
--- cupsys/trunk/debian/changelog (original)
+++ cupsys/trunk/debian/changelog Sun Mar 16 21:32:39 2008
@@ -35,8 +35,12 @@
shutdown. Remove the obsolete kill symlinks on upgrade. Patch adopted from
the Ubuntu branch, but without using the Ubuntu-only 'multiuser' mode of
update-rc.d.
+ * Add debian/local/apparmor-profile: AppArmor profile (taken from Ubuntu
+ branch). Install it in debian/rules if package is built on Ubuntu (tested
+ with lsb_release -is). Reload AppArmor in debian/cupsys.postinst if both
+ the cupsys profile and AppArmor itself are present.
- -- Martin Pitt <mpitt at debian.org> Sun, 16 Mar 2008 21:16:10 +0100
+ -- Martin Pitt <mpitt at debian.org> Sun, 16 Mar 2008 21:38:47 +0100
cupsys (1.3.6-1) unstable; urgency=low
Modified: cupsys/trunk/debian/cupsys.postinst
==============================================================================
--- cupsys/trunk/debian/cupsys.postinst (original)
+++ cupsys/trunk/debian/cupsys.postinst Sun Mar 16 21:32:39 2008
@@ -144,6 +144,11 @@
if dpkg --compare-versions "$2" lt-nl "1.3.6-2"; then
rm -f /etc/rc0.d/K??cupsys /etc/rc6.d/K??cupsys
fi
+
+ # Reload AppArmor profile if present
+ if [ -e /etc/apparmor.d/usr.sbin.cupsd ] && [ -x /etc/init.d/apparmor ]; then
+ invoke-rc.d apparmor force-reload || true
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
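Review bot: `invoke-rc.d apparmor force-reload || true` on the new line after the `-x /etc/init.d/apparmor` test hides a failed profile load, and a profile that fails to parse leaves cupsd running unconfined while the upgrade still reports success. Keeping the step non-fatal is reasonable for a maintainer script, but the failure should at least be visible: `invoke-rc.d apparmor force-reload || echo "Warning: could not reload the AppArmor profile for cupsd" >&2`. Note also that force-reload re-parses every profile on the system; if only this package's profile is meant to be refreshed, `apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd` is the narrower operation, though that presumes apparmor_parser is installed, which the existing test does not check. The enclosing `case` branch starts outside the hunk.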
Added: cupsys/trunk/debian/local/apparmor-profile
==============================================================================
--- (empty file)
+++ cupsys/trunk/debian/local/apparmor-profile Sun Mar 16 21:32:39 2008
@@ -0,0 +1,136 @@
+# vim:syntax=apparmor
+# Last Modified: Thu Aug 2 12:54:46 2007
+# Author: Martin Pitt <martin.pitt at ubuntu.com>
+
+#include <tunables/global>
+
+/usr/sbin/cupsd {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/authentication>
+ #include <abstractions/dbus>
+ #include <abstractions/fonts>
+ #include <abstractions/nameservice>
+ #include <abstractions/perl>
+ #include <abstractions/user-tmp>
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+
+ # nasty, but we limit file access pretty tightly, and cups chowns a
+ # lot of files to 'lp' which it cannot read/write afterwards any
+ # more
+ capability dac_override,
+
+ # the bluetooth backend needs this
+ network bluetooth,
+
+ /bin/bash ixr,
+ /bin/dash ixr,
+ /bin/hostname ixr,
+ /dev/lp* rw,
+ /dev/ttyS* rw,
+ /dev/usb/lp* rw,
+ /dev/parport* rw,
+ /etc/cups/ rw,
+ /etc/cups/** rw,
+ /etc/foomatic/* r,
+ /etc/gai.conf r,
+ /etc/shadow m,
+ /etc/passwd m,
+ /etc/group m,
+ /etc/papersize r,
+ /etc/pnm2ppa.conf r,
+ /etc/printcap rwl,
+ /etc/ssl/** r,
+ @{PROC}/net/ r,
+ @{PROC}/net/* r,
+ @{PROC}/sys/dev/parport/** r,
+ /sys/** r,
+ /usr/bin/* ixr,
+ /usr/sbin/* ixr,
+ /bin/* ixr,
+ /sbin/* ixr,
+ /usr/lib/** rm,
+
+ # backends which come with CUPS can be confined
+ /usr/lib/cups/backend/bluetooth ixr,
+ /usr/lib/cups/backend/dnssd ixr,
+ /usr/lib/cups/backend/http ixr,
+ /usr/lib/cups/backend/ipp ixr,
+ /usr/lib/cups/backend/lpd ixr,
+ /usr/lib/cups/backend/parallel ixr,
+ /usr/lib/cups/backend/scsi ixr,
+ /usr/lib/cups/backend/serial ixr,
+ /usr/lib/cups/backend/snmp ixr,
+ /usr/lib/cups/backend/socket ixr,
+ /usr/lib/cups/backend/usb ixr,
+ # we treat cups-pdf specially, since it needs to write into /home
+ # and thus needs extra paranoia
+ /usr/lib/cups/backend/cups-pdf Px,
+ # third party backends get no restrictions as they often need high
+ # privileges and this is beyond our control
+ /usr/lib/cups/backend/* Ux,
+
+ /usr/lib/cups/cgi-bin/* ixr,
+ /usr/lib/cups/daemon/* ixr,
+ /usr/lib/cups/monitor/* ixr,
+ /usr/lib/cups/notifier/* ixr,
+ # filters and drivers (PPD generators) are always run as non-root,
+ # and there are a lot of third-party drivers which we cannot predict
+ /usr/lib/cups/filter/* Uxr,
+ /usr/lib/cups/driver/* Uxr,
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rw,
+ /var/log/cups/ rw,
+ /var/log/cups/* rw,
+ /var/run/avahi-daemon/socket rw,
+ /var/run/cups/ rw,
+ /var/run/cups/** rw,
+ /var/spool/cups/ rw,
+ /var/spool/cups/** rw,
+
+ # third-party printer drivers; no known structure here
+ /opt/** rix,
+
+ # FIXME: no policy ATM for hplip
+ /usr/bin/hpijs Ux,
+
+ # Kerberos authentication
+ /etc/krb5.conf r,
+ /etc/cups/krb5.keytab rw,
+}
+
+# separate profile since this needs to write into /home
+/usr/lib/cups/backend/cups-pdf {
+ #include <abstractions/base>
+ #include <abstractions/fonts>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+
+ /bin/dash ixr,
+ /bin/bash ixr,
+ /etc/papersize r,
+ /etc/cups/cups-pdf.conf r,
+ @{HOME}/PDF/ w,
+ @{HOME}/PDF/* w,
+ /usr/bin/gs ixr,
+ /usr/lib/cups/backend/cups-pdf mr,
+ /usr/lib/ghostscript/** mr,
+ /usr/share/** r,
+ /var/log/cups/cups-pdf_log w,
+ /var/spool/cups-pdf/** rw,
+}
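Review bot: The blanket execute rules `/usr/bin/* ixr`, `/usr/sbin/* ixr`, `/bin/* ixr` and `/sbin/* ixr`, together with the `Ux`/`Uxr` rules for third-party backends, filters, drivers and `/usr/bin/hpijs`, mean this profile bounds cupsd's file access but says almost nothing about what it may execute, and the four directory rules carry no rationale while the Ux choices do. A comment above them would stop a later maintainer from reading the capability list as a tight sandbox, e.g. `# deliberately broad: cupsd execs assorted helpers from the standard bin dirs; narrow to the observed set once known`. Separately, `/etc/shadow m`, `/etc/passwd m` and `/etc/group m` grant mmap-executable rather than read; if read access was the intent, the `abstractions/authentication` include near the top may already provide it, so the `m` rules are worth confirming against actual denials before they are kept. The `Last Modified` header is from 2007 and will mislead once the profile diverges from the Ubuntu copy; either refresh it or drop it.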
Modified: cupsys/trunk/debian/rules
==============================================================================
--- cupsys/trunk/debian/rules (original)
+++ cupsys/trunk/debian/rules Sun Mar 16 21:32:39 2008
@@ -72,6 +72,11 @@
# the system-config-printer applet
install -D -m 644 packaging/cups-dbus.conf $(DEB_DESTDIR)/../cupsys/etc/dbus-1/system.d/cups.conf
+ # install AppArmor profile on Ubuntu
+ if [ "`lsb_release -is 2>/dev/null`" = "Ubuntu" ]; then \
+ install -D -m 644 debian/local/apparmor-profile debian/$(cdbs_curpkg)/etc/apparmor.d/usr.sbin.cupsd; \
+ fi
+
binary-post-install/libcupsimage2-dev::
rm -r debian/libcupsimage2-dev/usr/share/doc/libcupsimage2-dev
ln -s libcupsimage2 debian/libcupsimage2-dev/usr/share/doc/libcupsimage2-dev
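Review bot: The `lsb_release -is` test makes whether the AppArmor profile ships depend on the build host, and a build where `lsb_release` is absent (its stderr is discarded) silently takes the no-profile path with nothing in the build log to show which way the decision went. An `else` branch keeps that auditable: `else echo "Not building on Ubuntu, skipping AppArmor profile"; \`. The enclosing recipe starts outside the hunk.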