Personal Computer World 2009 February

home *** CD-ROM | disk | FTP | other *** search

/ Personal Computer World 2009 February / PCWFEB09.iso / Software / Linux / Kubuntu 8.10 / kubuntu-8.10-desktop-i386.iso / casper / filesystem.squashfs / etc / apparmor.d / usr.sbin.cupsd

Wrap

Text File | 2008-10-20 | 3KB | 137 lines

# vim:syntax=apparmor # Last Modified: Thu Aug 2 12:54:46 2007 # Author: Martin Pitt <martin.pitt@ubuntu.com> #include <tunables/global> /usr/sbin/cupsd { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/authentication> #include <abstractions/dbus> #include <abstractions/fonts> #include <abstractions/nameservice> #include <abstractions/perl> #include <abstractions/user-tmp> capability chown, capability fowner, capability fsetid, capability kill, capability net_bind_service, capability setgid, capability setuid, # nasty, but we limit file access pretty tightly, and cups chowns a # lot of files to 'lp' which it cannot read/write afterwards any # more capability dac_override, # the bluetooth backend needs this network bluetooth, /bin/bash ixr, /bin/dash ixr, /bin/hostname ixr, /dev/lp* rw, /dev/ttyS* rw, /dev/usb/lp* rw, /dev/parport* rw, /etc/cups/ rw, /etc/cups/** rw, /etc/foomatic/* r, /etc/gai.conf r, /etc/shadow m, /etc/passwd m, /etc/group m, /etc/papersize r, /etc/pnm2ppa.conf r, /etc/printcap rwl, /etc/ssl/** r, @{PROC}/net/ r, @{PROC}/net/* r, @{PROC}/sys/dev/parport/** r, /sys/** r, /usr/bin/* ixr, /usr/sbin/* ixr, /bin/* ixr, /sbin/* ixr, /usr/lib/** rm, # backends which come with CUPS can be confined /usr/lib/cups/backend/bluetooth ixr, /usr/lib/cups/backend/dnssd ixr, /usr/lib/cups/backend/http ixr, /usr/lib/cups/backend/ipp ixr, /usr/lib/cups/backend/lpd ixr, /usr/lib/cups/backend/parallel ixr, /usr/lib/cups/backend/scsi ixr, /usr/lib/cups/backend/serial ixr, /usr/lib/cups/backend/snmp ixr, /usr/lib/cups/backend/socket ixr, /usr/lib/cups/backend/usb ixr, # we treat cups-pdf specially, since it needs to write into /home # and thus needs extra paranoia /usr/lib/cups/backend/cups-pdf Px, # third party backends get no restrictions as they often need high # privileges and this is beyond our control /usr/lib/cups/backend/* Ux, /usr/lib/cups/cgi-bin/* ixr, /usr/lib/cups/daemon/* ixr, /usr/lib/cups/monitor/* ixr, /usr/lib/cups/notifier/* ixr, # filters and drivers (PPD generators) are always run as non-root, # and there are a lot of third-party drivers which we cannot predict /usr/lib/cups/filter/* Uxr, /usr/lib/cups/driver/* Uxr, /usr/local/share/** r, /usr/share/** r, /var/cache/cups/ rw, /var/cache/cups/** rwk, /var/log/cups/ rw, /var/log/cups/* rw, /var/run/avahi-daemon/socket rw, /var/run/cups/ rw, /var/run/cups/** rw, /var/spool/cups/ rw, /var/spool/cups/** rw, # third-party printer drivers; no known structure here /opt/** rix, # FIXME: no policy ATM for hplip /usr/bin/hpijs Ux, # Kerberos authentication /etc/krb5.conf r, /etc/cups/krb5.keytab rw, } # separate profile since this needs to write into /home /usr/lib/cups/backend/cups-pdf { #include <abstractions/base> #include <abstractions/fonts> #include <abstractions/nameservice> #include <abstractions/user-tmp> capability chown, capability fowner, capability fsetid, capability setgid, capability setuid, /bin/dash ixr, /bin/bash ixr, /etc/papersize r, /etc/cups/cups-pdf.conf r, @{HOME}/PDF/ rw, @{HOME}/PDF/* rw, /usr/bin/gs ixr, /usr/lib/cups/backend/cups-pdf mr, /usr/lib/ghostscript/** mr, /usr/share/** r, /var/log/cups/cups-pdf_log w, /var/spool/cups-pdf/** rw, }