no longer confined by AppArmor

Bug #690040 reported by Kees Cook
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
cups (Ubuntu) | Fix Released | High | Martin Pitt |
Maverick | Fix Released | High | Jamie Strandboge |
Natty | Fix Released | High | Martin Pitt |

Bug Description

Binary package hint: cups

Maverick and Natty cups daemon are not confined by AppArmor.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: cups 1.4.5-1
ProcVersionSignature: Ubuntu 2.6.37-9.22-generic 2.6.37-rc5
Uname: Linux 2.6.37-9-generic x86_64
Architecture: amd64
CupsErrorLog:

Date: Mon Dec 13 21:40:23 2010
Lpstat:
 device for Deskjet-5700: ///dev/null
 device for LaserJet-1320: ///dev/null
 device for PDF: cups-pdf:/
Papersize: letter
PpdFiles: PDF: Generic PDF file generator
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-2.6.37-9-generic root=/dev/mapper/systemvg-root2lv ro quiet splash
SourcePackage: cups

Kees Cook (kees) wrote :
security vulnerability: no → yes
Kees Cook (kees) wrote :

This is a race between /etc/init/cups and /etc/init.d/apparmor. /etc/init/cups should include a stanza to load the AppArmor profile like all the other /etc/init services that have AppArmor profiles.

$ sudo aa-status
...
1 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (2137)
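
A post-boot check for the condition shown in the aa-status output above, added here as an example (it is not part of the original bug report or of the cups packaging): it parses aa-status output and fails when a process that has a profile defined is running unconfined. The sample input is constructed, with only its last two lines taken from the report, and the function name unconfined_with_profile is hypothetical.

```shell
#!/bin/sh
# Read `aa-status` output on stdin and print "<pid> <binary>" for every
# process listed in the "unconfined but have a profile defined" section.
# Returns 1 if any such process is found, 0 otherwise.
# On a live system: sudo aa-status | unconfined_with_profile
unconfined_with_profile() {
    awk '
        # Section header as quoted in the report.
        /^[0-9]+ processes are unconfined but have a profile defined/ { in_sec = 1; next }
        # Any other non-indented line starts a different section.
        /^[^ \t]/ { in_sec = 0 }
        # Entries are indented and look like "   /usr/sbin/cupsd (2137)".
        in_sec && /\([0-9]+\)[ \t]*$/ {
            pid = $NF; gsub(/[()]/, "", pid)
            sub(/^[ \t]+/, ""); sub(/[ \t]*\([0-9]+\)[ \t]*$/, "")
            print pid, $0
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: the section layout above the last two lines is an
# assumption about aa-status output, not text from the report.
SAMPLE_AA_STATUS='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/avahi-daemon
   /usr/sbin/cupsd
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/avahi-daemon (1201)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (2137)'

if offenders=$(printf '%s\n' "$SAMPLE_AA_STATUS" | unconfined_with_profile); then
    echo "all profiled processes are confined"
else
    echo "running unconfined despite a profile: $offenders"
fi
```

Run after boot, a non-zero exit flags a service that started before its profile was loaded, which is the race described in this report.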

Kees Cook (kees) wrote :

Workaround: sudo service cups restart

Changed in cups (Ubuntu Maverick):
assignee: nobody → Martin Pitt (pitti)
Changed in cups (Ubuntu Natty):
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti) wrote :

Kees,

thanks for pointing this out. I guess for maverick we won't get around adding these extra calls to the upstart script, but this is really expensive (it starts a big Perl process for each of those). For natty, is it planned to move apparmor to an upstart job, so that jobs can just wait for it to be available? Otherwise I'd just go back to using an init.d script; right now, cups starts too early for my taste, and the original reason why we moved to upstart in the first place (starting before samba) turned out to not work anyway.

Changed in cups (Ubuntu Natty):
status: New → Triaged
Changed in cups (Ubuntu Maverick):
status: New → Triaged
Kees Cook (kees) wrote :

Perl? What? No, it should just use the logic all the other services do. For example:

pre-start script
    [ -d /sys/module/apparmor ] || exit 0
    [ -x /sbin/apparmor_parser ] || exit 0
    /sbin/apparmor_parser -r -W /etc/apparmor.d/usr.sbin.avahi-daemon || true
end script

There will be a helper for this in natty soon, but for maverick, something like above should be backported. There are no plans to move apparmor wholesale into /etc/init because blocking on it for everything would slow too much down. Instead, individual services are responsible for loading their profiles in their init scripts.

Kees Cook (kees) wrote :

Sorry, it should also include a test for being enabled (this is missing from avahi, but is what others are using aa-status for).

read profile < /sys/kernel/security/apparmor/profiles || true
[ -z "$profile" ] && exit 0 # quit if disabled

Kees Cook (kees) wrote :

(Or not, since this is early-boot and there may be no profiles loaded yet, so we should skip that test.)

Changed in cups (Ubuntu Natty):
milestone: none → natty-alpha-2
Kees Cook (kees) wrote :

Helper script for upstart is now bug 692801.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.5-1ubuntu5

---------------
cups (1.4.5-1ubuntu5) natty; urgency=low

  * Use AppArmor profile loading helper (LP: #690040):
    - debian/patches/ubuntu-upstart.dpatch: load profile.
    - debian/control: Depend on upstart.
 -- Kees Cook <email address hidden> Mon, 03 Jan 2011 17:16:27 -0800

Changed in cups (Ubuntu Natty):
status: Triaged → Fix Released
Changed in cups (Ubuntu Maverick):
assignee: Martin Pitt (pitti) → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in cups (Ubuntu Maverick):
importance: Undecided → High
Changed in cups (Ubuntu Natty):
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

I have uploaded an updated package using the attached debdiff to the security PPA.

Changed in cups (Ubuntu Maverick):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.4-6ubuntu2.3

---------------
cups (1.4.4-6ubuntu2.3) maverick-security; urgency=low

  * ubuntu-upstart.dpatch: update to explicitly load the AppArmor profile
    to avoid race condition where cups could load before AppArmor and run
    unconfined (LP: #690040)
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 09:52:12 -0600

Changed in cups (Ubuntu Maverick):
status: Fix Committed → Fix Released
tags: added: apparmor
This report contains Public Security information  
Everyone can see this security related information.