Package: cups-daemon Version: 2.4.16-1 Severity: normal Tags: newcomer Dear Maintainer,
On Debian Forky (testing), USB-attached printers are completely non-functional when AppArmor is active, even when the printer URI is entered manually in the CUPS web interface or via the command line. This appears to be a regression compared to Bookworm, where the AppArmor denials documented in bugs #980974 and #1060378 were present but did not prevent printing. -- Symptoms -- The kernel recognizes the printer correctly: usb 1-1: New USB device found, idVendor=0482, idProduct=065c usb 1-1: Product: Kyocera ECOSYS P2135d usblp 1-1:1.0: usblp0: USB Bidirectional printer dev 22 if 0 alt 0 Running the USB backend directly (outside AppArmor confinement) also finds the device without issue: $ sudo /usr/lib/cups/backend/usb direct usb://Kyocera/ECOSYS%20P2135d?serial=LXR4105158 \ "Kyocera ECOSYS P2135d" "Kyocera ECOSYS P2135d" ... However, udev-configure-printer reports "no corresponding CUPS device found", and manually configuring the printer using the URI obtained above also fails to establish communication. -- AppArmor denials -- The following denials appear in the kernel log when the printer is plugged in (pid is the cupsd USB backend subprocess): apparmor="DENIED" operation="capable" class="cap" \ profile="/usr/sbin/cupsd" capname="net_admin" apparmor="DENIED" operation="open" class="file" \ profile="/usr/sbin/cupsd" name="/" requested_mask="r" denied_mask="r" The "open /" denial (repeated ~10 times per connect event) is the functionally critical one: it prevents the cupsd USB backend from enumerating or communicating with the device. The net_admin denial has been documented since at least 2021 (bugs #977813, #980974, #1060378), but appears to have been harmless in Bookworm. The "open /" denial is new and appears to be a Forky-specific regression. -- Workaround -- Adding the following to /etc/apparmor.d/local/usr.sbin.cupsd: capability net_admin, / r, followed by: sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd sudo systemctl restart cups restores full USB printing functionality. -- Relation to existing bugs -- This report documents that the AppArmor denials discussed in bugs #980974 and #1060378 have progressed from log noise (Bookworm) to a complete functional regression (Forky), due to the addition of the "open /" denial. Bug #1060378 was last updated in September 2025 without a fix being released. -- System Information: Debian Release: forky/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.19.10+deb14-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cups-daemon depends on: ii adduser 3.155 ii bc 1.07.1-4 ii init-system-helpers 1.69 ii libavahi-client3 0.8-18 ii libavahi-common3 0.8-18 ii libc6 2.42-14 ii libcups2t64 2.4.16-1 ii libdbus-1-3 1.16.2-4 ii libgssapi-krb5-2 1.22.1-2 ii libpam0g 1.7.0-5+b1 ii libpaper2 2.2.5-0.3+b3 ii libsystemd0 260.1-1 ii procps 2:4.0.4-9+b1 ii ssl-cert 1.1.3 ii sysvinit-utils [lsb-base] 3.18-1 Versions of packages cups-daemon recommends: ii avahi-daemon 0.8-18 ii colord 1.4.8-3 ii cups-browsed 1.28.17-7 ii ipp-usb 0.9.23-2+b8 Versions of packages cups-daemon suggests: ii cups 2.4.16-1 pn cups-bsd <none> ii cups-client 2.4.16-1 ii cups-common 2.4.16-1 ii cups-filters 1.28.17-7 pn cups-pdf <none> ii cups-ppdc 2.4.16-1 ii cups-server-common 2.4.16-1 pn foomatic-db-compressed-ppds | foomatic-db <none> ii ghostscript 10.07.0~dfsg-2 ii poppler-utils 25.03.0-11.1+b1 pn smbclient <none> ii udev 260.1-1 -- no debconf information
