iikb
/
tails


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100
							--- a/etc/apparmor.d/usr.sbin.cupsd	2015-11-20 09:41:01.408000000 +0000
+++ b/etc/apparmor.d/usr.sbin.cupsd	2015-11-20 09:47:01.728000000 +0000
@@ -4,7 +4,9 @@
 
 #include <tunables/global>
 
-/usr/sbin/cupsd {
+@{etccups}=/{etc/cups,live/persistence/TailsData_unlocked/cups-configuration}
+
+/usr/sbin/cupsd flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/authentication>
@@ -53,9 +55,10 @@
   /dev/bus/usb/ r,
   /dev/bus/usb/** rw,
   /dev/parport* rw,
-  /etc/cups/ rw,
-  /etc/cups/** rw,
-  /etc/cups/interfaces/* ixrw,
+  @{etccups}/ rw,
+  /etc/.wh..wh.cups.*/ rw,
+  @{etccups}/** rw,
+  @{etccups}/interfaces/* ixrw,
   /etc/foomatic/* r,
   /etc/gai.conf r,
   /etc/papersize r,
@@ -70,7 +73,7 @@
   @{PROC}/*/auxv r,
   @{PROC}/sys/crypto/** r,
   /sys/** r,
-  /usr/bin/* ixr,
+  /usr/bin/{[^h],h[^p],hp[^i],hpi[^j],hpij[^s]}* ixr,
   /usr/sbin/* ixr,
   /bin/* ixr,
   /sbin/* ixr,
@@ -80,7 +83,10 @@
   /usr/lib/cups/backend/bluetooth ixr,
   /usr/lib/cups/backend/dnssd ixr,
   /usr/lib/cups/backend/http ixr,
+  /usr/lib/cups/backend/https ixr,
   /usr/lib/cups/backend/ipp ixr,
+  /usr/lib/cups/backend/ipp[0-9][0-9] ixr,
+  /usr/lib/cups/backend/ipps ixr,
   /usr/lib/cups/backend/lpd ixr,
   /usr/lib/cups/backend/parallel ixr,
   /usr/lib/cups/backend/serial ixr,
@@ -92,7 +98,12 @@
   /usr/lib/cups/backend/cups-pdf Px,
   # third party backends get no restrictions as they often need high
   # privileges and this is beyond our control
-  /usr/lib/cups/backend/* Cx -> third_party,
+  # Due to Tails#9963 we hard-code the third-party backends we ship:
+  # /usr/lib/cups/backend/* Cx -> third_party,
+  /usr/lib/cups/backend/gutenprint52+usb Cx -> third_party,
+  /usr/lib/cups/backend/hp Cx -> third_party,
+  /usr/lib/cups/backend/hpfax Cx -> third_party,
+  /usr/lib/cups/backend/mdns Cx -> third_party,
 
   /usr/lib/cups/cgi-bin/* ixr,
   /usr/lib/cups/daemon/* ixr,
@@ -119,6 +130,9 @@
   /var/log/cups/* rw,
   /var/spool/cups/ rw,
   /var/spool/cups/** rw,
+  /var/cache/.wh..wh.cups.*/ rw,
+  /var/log/.wh..wh.cups.*/ rw,
+  /var/spool/.wh..wh.cups.*/ rw,
 
   # third-party printer drivers; no known structure here
   /opt/** rix,
@@ -131,7 +145,7 @@
   /etc/krb5.conf r,
   deny /etc/krb5.conf w,
   /etc/krb5.keytab rk,
-  /etc/cups/krb5.keytab rwk,
+  @{etccups}/krb5.keytab rwk,
   /tmp/krb5cc* k,
 
   # likewise authentication
@@ -141,7 +155,7 @@
   # silence noise
   deny /etc/udev/udev.conf r,
 
-  profile third_party {
+  profile third_party flags=(attach_disconnected) {
     # third party backends, filters, and drivers get relatively no restrictions
     # as they often need high privileges, are unpredictable or otherwise beyond
     # our control
@@ -178,7 +192,7 @@
   /bin/bash ixr,
   /bin/cp ixr,
   /etc/papersize r,
-  /etc/cups/cups-pdf.conf r,
+  @{etccups}/cups-pdf.conf r,
   @{HOME}/PDF/ rw,
   @{HOME}/PDF/* rw,
   /usr/bin/gs ixr,