[pkg-apparmor] Bug#980974: apparmor blocks cups backend outgoing network connections
Jörg Sommer
joerg at jo-so.de
Tue Sep 13 09:25:02 BST 2022
Christian Boltz wrote on Wed 17. Aug, 20:47 (+0200):
> Hello,
>
> denials for capability net_admin are often a sign that a service uses
> systemd libraries on startup, and these systemd libraries do funny[tm]
> things. In these cases the net_admin capability is not really needed.
Hi,
yes, you are right. Systemd is the culprit. This is the call leading to the
audit message:
``` text
81641 09:05:48.607647 setsockopt(12<socket:[1138186]>, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) <0.000020>
> /usr/lib/x86_64-linux-gnu/libc.so.6(setsockopt+0xa) [0x10b59a]
> /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_machine_get_ifindices+0x104c1) [0x90ec1]
> /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_pid_notify_with_fds+0x1ae) [0x6ebfe]
> /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_notifyf+0xd8) [0x6f328]
> /usr/sbin/cupsd() [0xc130]
> /usr/lib/x86_64-linux-gnu/libc.so.6(__libc_init_first+0x8a) [0x2920a]
> /usr/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7c) [0x292bc]
> /usr/sbin/cupsd() [0xd5c1]
```
Hence, it should be okay to deny the access. I've added the line
`deny capability net_admin,` and cups works and the audit message is gone.
Regards
Jörg
--
“Health is that measure of illness which still allows me to pursue
my essential occupations.” (Friedrich Nietzsche)
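The triage step from the message above, as an added example that is not part of the original mail: a small parser for `strace -k` style output that reports each syscall failing with EPERM together with the first stack frame outside libc, which is how the denial gets attributed to libsystemd rather than to cupsd's own code. The function names and the second sample entry are constructed for illustration.

```python
import re

# Syscall line as printed by strace with pid and timestamp prefixes.
SYSCALL = re.compile(r"^(?P<pid>\d+)\s+[\d:.]+\s+(?P<name>\w+)\((?P<args>.*)\)"
                     r"\s+=\s+-?\d+(?:\s+(?P<errno>E[A-Z]+))?")
# Stack frame line added by `strace -k`: "> object(symbol+offset) [address]".
FRAME = re.compile(r"^\s*>\s+(?P<obj>[^()\s]+)\((?P<sym>[^+)]*)")
# Socket options that need CAP_NET_ADMIN according to socket(7).
FORCE_OPTS = ("SO_SNDBUFFORCE", "SO_RCVBUFFORCE")

def parse(text):
    """Group each syscall line with the stack frames that follow it."""
    calls = []
    for line in text.splitlines():
        m = SYSCALL.match(line)
        if m:
            calls.append({**m.groupdict(), "frames": []})
        elif calls and (f := FRAME.match(line)):
            calls[-1]["frames"].append((f["obj"], f["sym"]))
    return calls

def attribute_eperm(text):
    """Report EPERM failures with the first frame outside libc, i.e. the caller.

    With stripped libraries the symbol may only be the nearest exported one,
    so the object path is the part to rely on.
    """
    findings = []
    for c in parse(text):
        if c["errno"] != "EPERM":
            continue
        obj = next((o for o, _ in c["frames"] if "/libc.so" not in o), None)
        findings.append({"pid": int(c["pid"]), "syscall": c["name"], "caller": obj,
                         "needs_net_admin": any(o in c["args"] for o in FORCE_OPTS)})
    return findings

# Sample input: the first entry is abridged from the trace in the message above,
# the second (a successful call) is constructed for this example.
SAMPLE = """\
81641 09:05:48.607647 setsockopt(12<socket:[1138186]>, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) <0.000020>
 > /usr/lib/x86_64-linux-gnu/libc.so.6(setsockopt+0xa) [0x10b59a]
 > /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_machine_get_ifindices+0x104c1) [0x90ec1]
 > /usr/lib/x86_64-linux-gnu/libsystemd.so.0.34.0(sd_notifyf+0xd8) [0x6f328]
 > /usr/sbin/cupsd() [0xc130]
81641 09:05:48.607801 close(12<socket:[1138186]>) = 0 <0.000011>
"""

if __name__ == "__main__":
    for finding in attribute_eperm(SAMPLE):
        print(finding)
```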