feat(profiles): add profiles for cups.

This commit is contained in:
Alexandre Pujol 2022-08-31 22:10:41 +01:00
parent 30f0b69a67
commit 14fd88aa2f
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
17 changed files with 468 additions and 0 deletions


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/beh
profile cups-backend-beh @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-beh>
}
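Review bot: The profile grants only `@{exec_path} mr` and `/etc/papersize r`, yet beh is CUPS's backend error-handler wrapper whose whole job is to exec the real backend named in the device URI, so under enforce every job routed through it would fail at that exec. Unless the permission arrives from elsewhere, a rule of the form `/{usr/,}lib/cups/backend/* rPx,` (the same transition cupsd uses for backends in its own profile in this commit) looks necessary; `Px` keeps the wrapped backend in its own profile instead of running it under beh's rules. Confirm against the complain-mode audit log before the profile is switched to enforce.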


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-brf
profile cups-backend-brf @{exec_path} {
include <abstractions/base>
capability setuid,
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-brf>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/dnssd
profile cups-backend-dnssd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-dnssd>
}
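Review bot: No `network` rule is present, although the dnssd backend's purpose is to discover printers via mDNS/Avahi, and the ipp, lpd and socket backends (same shape in their hunks) exist only to open TCP connections to the printer; in complain mode this merely logs, but the profiles will block printing as soon as they are enforced. For ipp, lpd and socket at least `network inet stream,` and `network inet6 stream,` appear required, lpd may additionally need `capability net_bind_service,` for its default reserved-port mode, and dnssd may instead need the Avahi D-Bus rules used in cups-browsed. Take the exact set from the complain-mode audit log rather than guessing.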


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/implicitclass
profile cups-backend-implicitclass @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-implicitclass>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/ipp
profile cups-backend-ipp @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-ipp>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/lpd
profile cups-backend-lpd @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-lpd>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/parallel
profile cups-backend-parallel @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-parallel>
}
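Review bot: The profile contains no rule for a printer device node, yet the parallel backend can only work by opening a parallel-port device under /dev, and the serial backend in its hunk has the same gap; as written both can read /etc/papersize and nothing else, so enforce mode will deny the open(). Add the device rule once the complain-mode log shows the exact node, e.g. of the form `/dev/lp[0-9]* rw,` for parallel and the corresponding tty node for serial, keeping it narrow rather than granting anything like `/dev/** rw`.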


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/cups-pdf
profile cups-backend-pdf @{exec_path} {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
capability chown,
capability setgid,
capability setuid,
capability dac_override,
unix peer=(label=cupsd),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/gs rix,
/{usr/,}bin/gsc rix,
/{usr/,}lib/ghostscript/** mr,
/usr/share/ghostscript/{,**} r,
/etc/papersize r,
/etc/cups/ r,
/etc/cups/cups-pdf.conf r,
/etc/cups/ppd/*.ppd r,
/var/log/cups/cups-pdf*_log w,
/var/spool/cups-pdf/{,**} rw,
/var/spool/cups/** r,
/var/tmp/gs_* rw,
/dev/tty rw,
include if exists <local/cups-backend-pdf>
}
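Review bot: `/var/tmp/gs_* rw` on the Ghostscript scratch path is not restricted with `owner`, while the same profile holds `capability chown`, `capability setuid` and `capability dac_override`, so a file pre-created in the shared /var/tmp by another user remains writable to this backend. `owner /var/tmp/gs_* rw,` narrows it to files the backend created itself without changing the normal flow. The `/{usr/,}bin/{,ba,da}sh rix` and `/{usr/,}bin/cp rix` rules also mean those helpers inherit all four capabilities; a short comment stating which step needs each capability would make later tightening easier.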


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/serial
profile cups-backend-serial @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-serial>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/snmp
profile cups-backend-snmp @{exec_path} {
include <abstractions/base>
network inet dgram,
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
/etc/cups/snmp.conf r,
/etc/papersize r,
include if exists <local/cups-backend-snmp>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/socket
profile cups-backend-socket @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/papersize r,
include if exists <local/cups-backend-socket>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups/backend/usb
profile cups-backend-usb @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
network netlink raw,
@{exec_path} mr,
/usr/share/cups/usb/{,**} r,
/etc/cups/ppd/*.ppd r,
/etc/papersize r,
include if exists <local/cups-backend-usb>
}


@ -0,0 +1,69 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cups-browsed
profile cups-browsed @{exec_path} {
include <abstractions/base>
include <abstractions/cups-client>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
capability net_bind_service,
capability sys_nice,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
dbus send bus=system path=/
interface=org.freedesktop.Avahi.Server
member={GetAPIVersion,GetState,ServiceBrowserNew},
dbus send bus=system path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(name=org.freedesktop.Avahi),
dbus send bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member=Free
peer=(name=org.freedesktop.Avahi),
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
interface=org.freedesktop.Avahi.ServiceBrowser
member={AllForNow,CacheExhausted},
dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.{DBus.Properties,NetworkManager}
member={CheckPermissions,PropertiesChanged,StateChanged,DeviceAdded},
dbus receive bus=system path=/
interface=org.freedesktop.Avahi.Server
member=StateChanged,
@{exec_path} mr,
/usr/share/cups/locale/{,**} r,
/usr/share/locale/{,**} r,
/etc/cups/{,**} r,
/var/cache/cups/{,**} rw,
/var/log/cups/{,**} rw,
@{run}/cups/certs/* r,
include if exists <local/cups-browsed>
}
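Review bot: The Avahi D-Bus rules look too narrow for a service browser: the receive rule on `interface=org.freedesktop.Avahi.ServiceBrowser` admits only `member={AllForNow,CacheExhausted}`, whereas discovered printers arrive through the ItemNew/ItemRemove signals of that interface, and the send rule on `org.freedesktop.Avahi.Server` lists `ServiceBrowserNew` with no ServiceResolverNew (nor a matching ServiceResolver receive rule) to resolve what was found. In complain mode this is only logged, so check the audit log before enforcing. The receive rules also carry no `peer=(name=org.freedesktop.Avahi)` while the corresponding send rules do; pinning the sender keeps unrelated bus clients from being able to deliver these signals to cups-browsed.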


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism
@{exec_path} += /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism
profile cups-pk-helper-mechanism @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_nice,
dbus receive bus=system path=/
interface=org.opensuse.CupsPkHelper.Mechanism,
dbus bind bus=system
name=org.opensuse.CupsPkHelper.Mechanism,
@{exec_path} mr,
/etc/cups/ppd/*.ppd r,
owner /tmp/[a-z0-9]* rw,
@{run}/cups/cups.sock rw,
include if exists <local/cups-pk-helper-mechanism>
}
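Review bot: `capability dac_read_search` and `capability sys_nice` are granted without a comment saying which operation needs them, and dac_read_search in particular lets this root D-Bus mechanism read any file on the system on behalf of an unprivileged caller. A one-line comment next to each, e.g. `# dac_read_search: read user-supplied PPD files regardless of their mode`, would record the reason (assuming that is the reason; it is not visible here). The `owner /tmp/[a-z0-9]* rw` rule is acceptable but its glob is broad; if the mechanism uses a fixed temp-file prefix, narrow the pattern to it.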


@ -0,0 +1,90 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cupsd
profile cupsd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/authentication>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
capability wake_alarm,
network inet stream,
network inet6 stream,
network appletalk dgram,
network ash dgram,
network ax25 dgram,
network bluetooth,
network econet dgram,
network ipx dgram,
network netrom seqpacket,
network rose dgram,
network x25 seqpacket,
dbus send bus=system path=/org/freedesktop/ColorManager{,/devices/cups_*}
interface=org.freedesktop.ColorManager{,.*}
member={CreateProfile,CreateDevice,FindDeviceById,AddProfile}
peer=(name=org.freedesktop.ColorManager),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gsc rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/ippfind rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/smbspool rPx,
/{usr/,}bin/xz rix,
/{usr/,}lib/cups/backend/* rPx,
/{usr/,}lib/cups/cgi-bin/*.cgi rix,
/{usr/,}lib/cups/daemon/* rix,
/{usr/,}lib/cups/driver/* rix,
/{usr/,}lib/cups/filter/* rix,
/{usr/,}lib/cups/monitor/* rix,
/{usr/,}lib/cups/notifier/* rix,
/usr/share/cups/{,**} r,
/usr/share/ppd/{,**} r,
/usr/share/ghostscript/{,**} r,
/etc/cups/{,**} rw,
/etc/foomatic/* r,
/etc/papersize r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/var/cache/cups/ rw,
/var/cache/cups/** rwk,
/var/log/cups/{,*} rw,
/var/spool/cups/{,**} rw,
@{run}/cups/{,**} rw,
@{run}/systemd/notify w,
@{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pids}/fd r,
owner @{PROC}/@{pid}/mounts r,
/dev/tty rw,
include if exists <local/cupsd>
}
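Review bot: This profile is the only one in the commit without an `abi <abi/3.0>,` line before `include <tunables/global>` (every backend profile, cups-browsed and cups-pk-helper-mechanism carry it), so the parser will apply its default policy ABI to cupsd, and the `network`, `dbus` and `unix` mediation semantics may then differ from the rest of the set. Add `abi <abi/3.0>,` directly after the SPDX header for consistency. Separately, `/{usr/,}lib/cups/filter/* rix` runs the whole filter chain, the code that parses untrusted job data, inside this profile with its twelve capabilities, and `/{usr/,}lib/cups/backend/* rPx` will deny exec of any installed backend that has no profile of its own once enforced (only the twelve backends added here are covered); a child profile for the filters and an inventory of installed backends would be reasonable follow-ups.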


@ -2,3 +2,5 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
/etc/apparmor.d/usr.bin.man /etc/apparmor.d/usr.bin.man
/etc/apparmor.d/usr.sbin.cups-browsed
/etc/apparmor.d/usr.sbin.cupsd


@ -21,6 +21,21 @@ cockpit-ssh complain
cockpit-tls complain cockpit-tls complain
cockpit-ws complain cockpit-ws complain
cockpit-wsinstance-factory complain cockpit-wsinstance-factory complain
cups-backend-beh complain
cups-backend-brf complain
cups-backend-dnssd complain
cups-backend-implicitclass complain
cups-backend-ipp complain
cups-backend-lpd complain
cups-backend-parallel complain
cups-backend-pdf complain
cups-backend-serial complain
cups-backend-snmp complain
cups-backend-socket complain
cups-backend-usb complain
cups-browsed complain
cups-pk-helper-mechanism complain
cupsd attach_disconnected,complain
dkms attach_disconnected,complain dkms attach_disconnected,complain
downloadhelper complain downloadhelper complain
e2fsck complain e2fsck complain