[pkg-apparmor] Bug#980974: apparmor blocks cups backend outgoing network connections
Brian Potkin
claremont102 at gmail.com
Thu Aug 18 13:15:14 BST 2022
On Wed 17 Aug 2022 at 20:47:24 +0200, Christian Boltz wrote:
> Hello,
>
> denials for capability net_admin are often a sign that a service uses
> systemd libraries on startup, and these systemd libraries do funny[tm]
> things. In these cases the net_admin capability is not really needed.
>
> See https://bugzilla.opensuse.org/show_bug.cgi?id=1196850#c3 for the
> technical details. (Yes, I'm aware that this bugreport is for Samba, not
> cups - but I'm somewhat sure that cups uses the same systemd libraries
> on startup.)
>
> I have to admit that I'm only a cups user, but I'd be surprised if it
> really needs capability net_admin.
In capabilities(7) network-related operations for CAP_NET_ADMIN include
  bind to any address for transparent proxying;
  enabling multicasting;
I am not sure these are the relevant operations in this case but I am
sure that Debian 11 introduced ipp-usb as a recommended package for
cups-daemon. ipp-usb effectively implements a HTTP reverse proxy:
https://github.com/OpenPrinting/ipp-usb
Two clues? Putting them together I purged ipp-usb and the denial for
capability net_admin disappears from the journal when cups is restarted.
Perhaps this could be tested by others?
> To find out if it's really needed or just "systemd noise", can you please
> explicitly deny net_admin and test if printing still works? To do this,
> add
> deny capability net_admin,
> to /etc/apparmor.d/local/usr.sbin.cupsd. This will a) deny it and b)
> silence the logging. Then reload the profile with
> systemctl reload apparmor
>
> I'd also recommend to
> aa-enforce cupsd
> (in theory deny rules get enforced even in complain mode, but better
> safe than sorry)
>
>
> If printing doesn't work with the deny rule added, please try if it
> works if you allow the capability:
> capability net_admin,
> (and remove the deny rule).
I don't notice any degradation in printing to printers over the network.
USB printing (using IPP-over-USB) wasn't tested, but has always worked
for me in the past.
My tentative conclusion is that cupsd's desire to access capability
net_admin is legitimate. OTOH, denying it doesn't appear to affect my
printing here, but more testing is needed.
Cheers,
Brian.