I don't think we have such a capability right now in snapd. If you
locally modify the snap-confine profile, it will be rewritten on at
least core refreshes (and reboots as well if I'm not mistaken), so it
sounds like we need some mechanism to specify additional rules to be
included in the snap-confine profile.
** Changed in: snapd (Ubuntu)
Status: New => Triaged
** Changed in: snapd (Ubuntu)
Importance: Undecided => Medium
--
https://bugs.launchpad.net/bugs/1571531
Title:
cupsd cause apparmor denials for /etc/ld.so.preload
Status in apparmor package in Ubuntu:
New
Status in snapd package in Ubuntu:
Triaged
Bug description:
There is a constant flood of messages in dmesg:
[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: cups-daemon 2.1.3-4
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CupsErrorLog:
CurrentDesktop: X-Cinnamon
Date: Mon Apr 18 10:56:37 2016
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-07-19 (1003 days ago)
InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
MachineType: LENOVO 4298R86
Papersize: a4
PpdFiles: Error: command ['fgrep', '-H', '*NickName',
'/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep:
/etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic
root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
SourcePackage: cups
UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
dmi.bios.date: 12/01/2011
dmi.bios.vendor: LENOVO
dmi.bios.version: 8DET56WW (1.26 )
dmi.board.asset.tag: Not Available
dmi.board.name: 4298R86
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias:
dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 4298R86
dmi.product.version: ThinkPad X220 Tablet
dmi.sys.vendor: LENOVO
modified.conffile..etc.default.cups:
# Cups configure options
# LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
# LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
# LOAD_LP_MODULE=yes
mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184
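
Added example (not part of the original bug mail or of any Ubuntu tooling): a short Python script that re-joins mail-wrapped AppArmor audit records like those in the bug description and collapses the flood into one row per denied access, listing which commands and fsuids triggered it. The function names are hypothetical; the sample input is three records taken from the report above.

```python
import re
from collections import Counter

# Three records from the report above, still wrapped as the mail wrapped them.
SAMPLE = '''\
[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
'''

RECORD_START = re.compile(r'^\[\s*\d+\.\d+\]\s+audit:')  # dmesg timestamp + "audit:"
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')             # key="quoted" or key=bare

def join_wrapped(text):
    """Merge continuation lines into the record that started them."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if RECORD_START.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def parse_record(record):
    """Return the key=value fields of one audit record, with quotes stripped."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(record)}

def summarize(text):
    """One row per (profile, operation, name, denied_mask): count, comms, fsuids."""
    counts, seen = Counter(), {}
    for rec in join_wrapped(text):
        f = parse_record(rec)
        if f.get("apparmor") != "DENIED":
            continue
        key = (f.get("profile"), f.get("operation"), f.get("name"), f.get("denied_mask"))
        counts[key] += 1
        comms, fsuids = seen.setdefault(key, (set(), set()))
        comms.add(f.get("comm", "?")); fsuids.add(f.get("fsuid", "?"))
    return [(k, n, sorted(seen[k][0]), sorted(seen[k][1])) for k, n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```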