feat(profiles): add profiles for cups.

2024-11-14 23:43:56 +01:00 · 2022-08-31 22:10:41 +01:00 · 2022-08-31 22:10:41 +01:00 · 14fd88aa2f
commit 14fd88aa2f
parent 30f0b69a67
17 changed files with 468 additions and 0 deletions
--- a/apparmor.d/profiles-a-f/cups-backend-beh
+++ b/apparmor.d/profiles-a-f/cups-backend-beh
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/beh
+profile cups-backend-beh @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-beh>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-brf
+++ b/apparmor.d/profiles-a-f/cups-backend-brf
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/cups-brf
+profile cups-backend-brf @{exec_path} {
+  include <abstractions/base>
+
+  capability setuid,
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-brf>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-dnssd
+++ b/apparmor.d/profiles-a-f/cups-backend-dnssd
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/dnssd
+profile cups-backend-dnssd @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-dnssd>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-implicitclass
+++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
+profile cups-backend-implicitclass @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-implicitclass>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-ipp
+++ b/apparmor.d/profiles-a-f/cups-backend-ipp
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/ipp
+profile cups-backend-ipp @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-ipp>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-lpd
+++ b/apparmor.d/profiles-a-f/cups-backend-lpd
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/lpd
+profile cups-backend-lpd @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-lpd>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-parallel
+++ b/apparmor.d/profiles-a-f/cups-backend-parallel
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/parallel
+profile cups-backend-parallel @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-parallel>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-pdf
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf
@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
+profile cups-backend-pdf @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/fonts>
+  include <abstractions/nameservice-strict>
+  include <abstractions/user-download-strict>
+
+  capability chown,
+  capability setgid,
+  capability setuid,
+  capability dac_override,
+
+  unix peer=(label=cupsd),
+
+  @{exec_path} mr,
+ 
+  /{usr/,}bin/{,ba,da}sh      rix,
+  /{usr/,}bin/cp              rix,
+  /{usr/,}bin/gs              rix,
+  /{usr/,}bin/gsc             rix,
+  /{usr/,}lib/ghostscript/**  mr,
+
+  /usr/share/ghostscript/{,**} r,
+
+  /etc/papersize r,
+  /etc/cups/ r,
+  /etc/cups/cups-pdf.conf r,
+  /etc/cups/ppd/*.ppd r,
+
+  /var/log/cups/cups-pdf*_log w,
+  /var/spool/cups-pdf/{,**} rw,
+  /var/spool/cups/** r,
+  /var/tmp/gs_* rw,
+
+  /dev/tty rw,
+
+  include if exists <local/cups-backend-pdf>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-serial
+++ b/apparmor.d/profiles-a-f/cups-backend-serial
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/serial
+profile cups-backend-serial @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-serial>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-snmp
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/snmp
+profile cups-backend-snmp @{exec_path} {
+  include <abstractions/base>
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  @{exec_path} mr,
+ 
+  /etc/cups/snmp.conf r,
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-snmp>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-socket
+++ b/apparmor.d/profiles-a-f/cups-backend-socket
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/socket
+profile cups-backend-socket @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-socket>
+}
--- a/apparmor.d/profiles-a-f/cups-backend-usb
+++ b/apparmor.d/profiles-a-f/cups-backend-usb
@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups/backend/usb
+profile cups-backend-usb @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/devices-usb>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /usr/share/cups/usb/{,**} r,
+
+  /etc/cups/ppd/*.ppd r,
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-usb>
+}
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@ -0,0 +1,69 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/cups-browsed
+profile cups-browsed @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/cups-client>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
+  include <abstractions/p11-kit>
+
+  capability net_bind_service,
+  capability sys_nice,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member={GetAPIVersion,GetState,ServiceBrowserNew},
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi),
+
+  dbus send bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi),
+
+  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member={AllForNow,CacheExhausted},
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.{DBus.Properties,NetworkManager}
+       member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
+
+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged,
+
+  @{exec_path} mr,
+
+  /usr/share/cups/locale/{,**} r,
+  /usr/share/locale/{,**} r,
+
+  /etc/cups/{,**} r,
+
+  /var/cache/cups/{,**} rw,
+  /var/log/cups/{,**} rw,
+
+  @{run}/cups/certs/* r,
+
+  include if exists <local/cups-browsed>
+}
--- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
+++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism
+@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism
+@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
+profile cups-pk-helper-mechanism @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
+  capability sys_nice,
+
+  dbus receive bus=system path=/
+       interface=org.opensuse.CupsPkHelper.Mechanism,
+
+  dbus bind bus=system 
+      name=org.opensuse.CupsPkHelper.Mechanism,
+
+  @{exec_path} mr,
+
+  /etc/cups/ppd/*.ppd r,
+
+  owner /tmp/[a-z0-9]* rw,
+
+  @{run}/cups/cups.sock rw,
+
+  include if exists <local/cups-pk-helper-mechanism>
+}
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@ -0,0 +1,90 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/cupsd
+profile cupsd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/python>
+
+  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_admin,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability wake_alarm,
+
+  network inet stream,
+  network inet6 stream,
+
+  network appletalk dgram,
+  network ash dgram,
+  network ax25 dgram,
+  network bluetooth,
+  network econet dgram,
+  network ipx dgram,
+  network netrom seqpacket,
+  network rose dgram,
+  network x25 seqpacket,
+
+  dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
+    interface=org.freedesktop.ColorManager{,.*}
+    member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
+    peer=(name=org.freedesktop.ColorManager),
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh          rix,
+  /{usr/,}bin/gsc                 rix,
+  /{usr/,}bin/hostname            rix,
+  /{usr/,}bin/ippfind             rix,
+  /{usr/,}bin/python3.[0-9]*      rix,
+  /{usr/,}bin/smbspool            rPx,
+  /{usr/,}bin/xz                  rix,
+  /{usr/,}lib/cups/backend/*      rPx,
+  /{usr/,}lib/cups/cgi-bin/*.cgi  rix,
+  /{usr/,}lib/cups/daemon/*       rix,
+  /{usr/,}lib/cups/driver/*       rix,
+  /{usr/,}lib/cups/filter/*       rix,
+  /{usr/,}lib/cups/monitor/*      rix,
+  /{usr/,}lib/cups/notifier/*     rix,
+
+  /usr/share/cups/{,**} r,
+  /usr/share/ppd/{,**} r,
+  /usr/share/ghostscript/{,**} r,
+
+  /etc/cups/{,**} rw,
+  /etc/foomatic/* r,
+  /etc/papersize r,
+  /etc/pnm2ppa.conf r,
+  /etc/printcap rwl,
+
+  /var/cache/cups/ rw,
+  /var/cache/cups/** rwk,
+  /var/log/cups/{,*} rw,
+  /var/spool/cups/{,**} rw,
+
+  @{run}/cups/{,**} rw,
+  @{run}/systemd/notify w,
+
+  @{sys}/module/apparmor/parameters/enabled r,
+
+        @{PROC}/@{pids}/fd r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/tty rw,
+
+  include if exists <local/cupsd>
+}
--- a/debian/apparmor.d.hide
+++ b/debian/apparmor.d.hide
@ -2,3 +2,5 @@
 # SPDX-License-Identifier: GPL-2.0-only

 /etc/apparmor.d/usr.bin.man
+/etc/apparmor.d/usr.sbin.cups-browsed
+/etc/apparmor.d/usr.sbin.cupsd
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -21,6 +21,21 @@ cockpit-ssh complain
 cockpit-tls complain
 cockpit-ws complain
 cockpit-wsinstance-factory complain
+cups-backend-beh complain
+cups-backend-brf complain
+cups-backend-dnssd complain
+cups-backend-implicitclass complain
+cups-backend-ipp complain
+cups-backend-lpd complain
+cups-backend-parallel complain
+cups-backend-pdf complain
+cups-backend-serial complain
+cups-backend-snmp complain
+cups-backend-socket complain
+cups-backend-usb complain
+cups-browsed complain
+cups-pk-helper-mechanism complain
+cupsd attach_disconnected,complain
 dkms attach_disconnected,complain
 downloadhelper complain
 e2fsck complain