
Bug#977813: cupsd requests net_admin capability, but AppArmor denies


Jörg Sommer

Dec 21, 2020, 6:30:03 AM
Package: cups-daemon
Version: 2.3.3op1-3
Severity: normal

Hi,

since the upgrade of cups-daemon from 2.3.3-4 to 2.3.3op1-1 I see these
messages in my log:

```
kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12 capname="net_admin"
```

I'm unsure whether to allow it in AppArmor, because it's a very privileged
capability:

> CAP_NET_ADMIN
> Perform various network-related operations:
> * interface configuration;
> * administration of IP firewall, masquerading, and accounting;
> * modify routing tables;
> * bind to any address for transparent proxying;
> * set type-of-service (TOS);
> * clear driver statistics;
> * set promiscuous mode;
> * enabling multicasting;
> * use setsockopt(2) to set the following socket options: SO_DEBUG,
> SO_MARK, SO_PRIORITY (for a priority outside the range 0
> to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

Regards Jörg

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-5-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii adduser 3.118
ii bc 1.07.1-2+b2
ii init-system-helpers 1.60
ii libavahi-client3 0.8-3
ii libavahi-common3 0.8-3
ii libc6 2.31-6
ii libcups2 2.3.3op1-3
ii libdbus-1-3 1.13.18-1
ii libgssapi-krb5-2 1.18.3-4
ii libpam0g 1.3.1-5
ii libpaper1 1.1.28+b1
ii libsystemd0 247.2-1
ii lsb-base 11.1.0
ii procps 2:3.3.16-5
ii ssl-cert 1.0.40

Versions of packages cups-daemon recommends:
pn avahi-daemon <none>
pn colord <none>
pn cups-browsed <none>
pn ipp-usb <none>

Versions of packages cups-daemon suggests:
ii cups 2.3.3op1-3
pn cups-bsd <none>
ii cups-client 2.3.3op1-3
ii cups-common 2.3.3op1-3
ii cups-filters 1.28.6-1
pn cups-pdf <none>
ii cups-ppdc 2.3.3op1-3
ii cups-server-common 2.3.3op1-3
pn foomatic-db-compressed-ppds | foomatic-db <none>
ii ghostscript 9.53.3~dfsg-5
ii poppler-utils 20.09.0-3
ii smbclient 2:4.13.3+dfsg-1
ii udev 247.2-1

-- no debconf information

Brian Potkin

Aug 16, 2022, 3:00:04 PM
On Mon 21 Dec 2020 at 12:25:21 +0100, Jörg Sommer wrote:

> Package: cups-daemon
> Version: 2.3.3op1-3
> Severity: normal
>
> Hi,
>
> since the upgrade of cups-daemon from 2.3.3-4 to 2.3.3op1-1 I see these
> messages in my log:
>
> ```
> kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12 capname="net_admin"
> ```
>
> I'm unsure whether to allow it in AppArmor, because it's a very privileged
> capability:
>
> > CAP_NET_ADMIN
> > Perform various network-related operations:
> > * interface configuration;
> > * administration of IP firewall, masquerading, and accounting;
> > * modify routing tables;
> > * bind to any address for transparent proxying;
> > * set type-of-service (TOS);
> > * clear driver statistics;
> > * set promiscuous mode;
> > * enabling multicasting;
> > * use setsockopt(2) to set the following socket options: SO_DEBUG,
> > SO_MARK, SO_PRIORITY (for a priority outside the range 0
> > to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

Thank you for your report, Jörg. Please see #980974:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980974

Regards,

Brian.

Athanasius

Mar 26, 2023, 4:30:03 AM
I see no sign of `net_admin` at all, let alone `deny capability
net_admin` in /etc/apparmor.d/usr.sbin.cupsd and am still seeing the
audit log message:

```
Mar 25 11:59:41 emilia audit[1421]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1421 comm="cupsd" capability=12 capname="net_admin"
```

```
09:00:45 0$ dpkg -l cups-daemon
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==================================>
ii cups-daemon 2.4.2-2 amd64 Common UNIX Printing System(tm) - >
```

Did this bug report get closed prematurely before a fixed package was
actually produced?

--
- Athanasius (he/him) = Athanasius(at)miggy.org / https://miggy.org/
GPG/PGP Key: https://miggy.org/gpg-key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
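
The denial records quoted in this thread, turned into a small triage script (an added example, not part of any poster's message or of the cups or AppArmor packages): it parses both record shapes shown above and reports whether a given profile text carries an allow or deny rule for the denied capability. The sample log and profile fragment are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: the two record shapes seen in this thread (kernel
# "type=1400" form and "audit[pid]: AVC" form) plus one unrelated line.
SAMPLE_LOG = '''\
kernel: audit: type=1400 audit(1608535286.330:113): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=479747 comm="cupsd" capability=12 capname="net_admin"
Mar 25 11:59:41 emilia audit[1421]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1421 comm="cupsd" capability=12 capname="net_admin"
Mar 25 12:00:02 emilia systemd[1]: Started cups.service.
'''

# Constructed profile fragment; this is not the packaged usr.sbin.cupsd.
SAMPLE_PROFILE = '''\
/usr/sbin/cupsd {
  capability chown,
  capability net_bind_service setgid,
  # capability net_admin,
}
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'^[ \t]*((?:(?:audit|deny|allow)[ \t]+)*)capability\b([^,#\n]*),', re.M)

def parse_denials(text):
    """Yield key/value dicts for AppArmor DENIED capability checks."""
    for line in text.splitlines():
        fields = {k: q if q else b for k, q, b in KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "capable":
            yield fields

def capability_rule(profile_text, capname):
    """Return 'allow', 'deny' or None for capname. Simplification: scans the
    whole text given; does not follow includes or separate nested profiles."""
    verdict = None
    for m in RULE.finditer(profile_text):
        names = m.group(2).split()
        if names and capname not in names:  # a bare "capability," covers all
            continue
        if "deny" in m.group(1).split():
            return "deny"                   # deny takes precedence over allow
        verdict = "allow"
    return verdict

def summarize(log_text, profile_text):
    """Map (profile, capname) -> (denial count, rule found in profile text)."""
    counts = Counter((d["profile"], d["capname"]) for d in parse_denials(log_text))
    return {key: (n, capability_rule(profile_text, key[1])) for key, n in counts.items()}
```

A result of `None` for a logged capability means the profile text neither grants nor explicitly denies it, so the denial comes from the profile's default and is logged; an explicit `deny` rule is not logged unless prefixed with `audit`.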