123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100 |
- --- a/etc/apparmor.d/usr.sbin.cupsd 2015-11-20 09:41:01.408000000 +0000
- +++ b/etc/apparmor.d/usr.sbin.cupsd 2015-11-20 09:47:01.728000000 +0000
- @@ -4,7 +4,9 @@
-
- #include <tunables/global>
-
- -/usr/sbin/cupsd {
- +@{etccups}=/{etc/cups,live/persistence/TailsData_unlocked/cups-configuration}
- +
- +/usr/sbin/cupsd flags=(attach_disconnected) {
- #include <abstractions/base>
- #include <abstractions/bash>
- #include <abstractions/authentication>
- @@ -53,9 +55,10 @@
- /dev/bus/usb/ r,
- /dev/bus/usb/** rw,
- /dev/parport* rw,
- - /etc/cups/ rw,
- - /etc/cups/** rw,
- - /etc/cups/interfaces/* ixrw,
- + @{etccups}/ rw,
- + /etc/.wh..wh.cups.*/ rw,
- + @{etccups}/** rw,
- + @{etccups}/interfaces/* ixrw,
- /etc/foomatic/* r,
- /etc/gai.conf r,
- /etc/papersize r,
- @@ -70,7 +73,7 @@
- @{PROC}/*/auxv r,
- @{PROC}/sys/crypto/** r,
- /sys/** r,
- - /usr/bin/* ixr,
- + /usr/bin/{[^h],h[^p],hp[^i],hpi[^j],hpij[^s]}* ixr,
- /usr/sbin/* ixr,
- /bin/* ixr,
- /sbin/* ixr,
- @@ -80,7 +83,10 @@
- /usr/lib/cups/backend/bluetooth ixr,
- /usr/lib/cups/backend/dnssd ixr,
- /usr/lib/cups/backend/http ixr,
- + /usr/lib/cups/backend/https ixr,
- /usr/lib/cups/backend/ipp ixr,
- + /usr/lib/cups/backend/ipp[0-9][0-9] ixr,
- + /usr/lib/cups/backend/ipps ixr,
- /usr/lib/cups/backend/lpd ixr,
- /usr/lib/cups/backend/parallel ixr,
- /usr/lib/cups/backend/serial ixr,
- @@ -92,7 +98,12 @@
- /usr/lib/cups/backend/cups-pdf Px,
- # third party backends get no restrictions as they often need high
- # privileges and this is beyond our control
- - /usr/lib/cups/backend/* Cx -> third_party,
- + # Due to Tails#9963 we hard-code the third-party backends we ship:
- + # /usr/lib/cups/backend/* Cx -> third_party,
- + /usr/lib/cups/backend/gutenprint52+usb Cx -> third_party,
- + /usr/lib/cups/backend/hp Cx -> third_party,
- + /usr/lib/cups/backend/hpfax Cx -> third_party,
- + /usr/lib/cups/backend/mdns Cx -> third_party,
-
- /usr/lib/cups/cgi-bin/* ixr,
- /usr/lib/cups/daemon/* ixr,
- @@ -119,6 +130,9 @@
- /var/log/cups/* rw,
- /var/spool/cups/ rw,
- /var/spool/cups/** rw,
- + /var/cache/.wh..wh.cups.*/ rw,
- + /var/log/.wh..wh.cups.*/ rw,
- + /var/spool/.wh..wh.cups.*/ rw,
-
- # third-party printer drivers; no known structure here
- /opt/** rix,
- @@ -131,7 +145,7 @@
- /etc/krb5.conf r,
- deny /etc/krb5.conf w,
- /etc/krb5.keytab rk,
- - /etc/cups/krb5.keytab rwk,
- + @{etccups}/krb5.keytab rwk,
- /tmp/krb5cc* k,
-
- # likewise authentication
- @@ -141,7 +155,7 @@
- # silence noise
- deny /etc/udev/udev.conf r,
-
- - profile third_party {
- + profile third_party flags=(attach_disconnected) {
- # third party backends, filters, and drivers get relatively no restrictions
- # as they often need high privileges, are unpredictable or otherwise beyond
- # our control
- @@ -178,7 +192,7 @@
- /bin/bash ixr,
- /bin/cp ixr,
- /etc/papersize r,
- - /etc/cups/cups-pdf.conf r,
- + @{etccups}/cups-pdf.conf r,
- @{HOME}/PDF/ rw,
- @{HOME}/PDF/* rw,
- /usr/bin/gs ixr,
|