cups-browsed upstart job does not load the apparmor profile for cups-browsed

Bug #1276630 reported by Jamie Strandboge
This bug affects 1 person
Affects: cups-filters (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Didier Raboud
Milestone: (none)

Bug Description

On up-to-date trusty I noticed that:
$ sudo aa-status
apparmor module is loaded.
124 profiles are loaded.
  ...
  /usr/sbin/cups-browsed
0 profiles are in complain mode.
32 processes have profiles defined.
31 processes are in enforce mode.
  ...
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/cups-browsed (1222)

This means that while there is an apparmor profile for cups-browsed and it is loaded (good), it is being loaded into the kernel after /usr/sbin/cups-browsed is started which means that /usr/sbin/cups-browsed is running unconfined (bad).

Fix is to adjust the upstart job to either use /lib/init/apparmor-profile-load in the pre-start or to use the new apparmor stanza in the upstart job. Since cups itself is still using /lib/init/apparmor-profile-load, attached is a patch to use it for cups-browsed.

Tags: patch
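
The check behind the report, as an added example that is not part of the original bug report or the cups-filters package: a shell function that parses aa-status output and flags processes listed as unconfined although a profile is defined for them. The sample output is constructed from the excerpt above, and the function names are hypothetical.

```shell
# Added example, not from the bug report or cups-filters; function names are
# hypothetical. Flags processes started before their profile reached the kernel.

# Read aa-status text on stdin; print "<pid> <binary>" per affected process.
unconfined_with_profile() {
    awk '
        # Section header for the list we care about.
        /^[0-9]+ processes are unconfined but have a profile defined/ { in_sec = 1; next }
        # Any other non-indented line is a new summary header: section over.
        /^[^ \t]/ { in_sec = 0 }
        # Entries are indented, e.g. "   /usr/sbin/cups-browsed (1222)".
        in_sec && match($0, /\([0-9]+\)[ \t]*$/) {
            pid = substr($0, RSTART + 1); sub(/\).*$/, "", pid)
            path = substr($0, 1, RSTART - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", path)
            print pid, path
        }
    '
}

# Print offenders and return 1 if any exist, so this can gate a boot test.
check_confinement() {
    hits=$(unconfined_with_profile)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample modelled on the excerpt in the report; the elided
# "..." lists are filled with made-up cupsd entries.
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (1100)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/cups-browsed (1222)
EOF
}

# Live use on a host: sudo aa-status | check_confinement
sample_aa_status | check_confinement || true
```

A non-zero exit after boot means at least one service started before its profile was loaded and needs its init job fixed or the service restarted.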
Jamie Strandboge (jdstrand) wrote :
Changed in cups-filters (Ubuntu):
assignee: nobody → Didier Raboud (odyx)
Till Kamppeter (till-kamppeter) wrote :

Didier, can you apply this patch to cups-filters and upload to Debian so that it syncs into Ubuntu? Thanks.

Changed in cups-filters (Ubuntu):
status: New → Triaged
tags: added: patch
Didier Raboud (odyx) wrote :

I'm uploading this right now to sid.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups-filters - 1.0.44-2

---------------
cups-filters (1.0.44-2) unstable; urgency=medium

  [ Jamie Strandboge ]
  * Add patch to ensure that under upstart, the apparmor profile is
    loaded in the kernel before cups-browsed is started (LP: #1276630)

  [ Didier Raboud ]
  * Drop specific fonts' dependencies from cups-filters, as a reasonable
    set of fonts is provided through fontconfig already, thanks to
    Fabian Greffrath (Closes: #735223, #670059)

 -- Didier Raboud <email address hidden> Wed, 05 Feb 2014 17:25:00 +0100

Changed in cups-filters (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
