home *** CD-ROM | disk | FTP | other *** search
/ PC World Komputer 2010 April / PCWorld0410.iso / hity wydania / Ubuntu 9.10 PL / karmelkowy-koliberek-desktop-9.10-i386-PL.iso / casper / filesystem.squashfs / etc / apparmor.d / usr.sbin.cupsd < prev    next >
Text File  |  2009-10-15  |  4KB  |  162 lines
  1. # vim:syntax=apparmor
  2. # Last Modified: Thu Aug  2 12:54:46 2007
  3. # Author: Martin Pitt <martin.pitt@ubuntu.com>
  4.  
  5. #include <tunables/global>
  6.  
  7. /usr/sbin/cupsd {
  8.   #include <abstractions/base>
  9.   #include <abstractions/bash>
  10.   #include <abstractions/authentication>
  11.   #include <abstractions/dbus>
  12.   #include <abstractions/fonts>
  13.   #include <abstractions/nameservice>
  14.   #include <abstractions/perl>
  15.   #include <abstractions/user-tmp>
  16.  
  17.   capability chown,
  18.   capability fowner,
  19.   capability fsetid,
  20.   capability kill,
  21.   capability net_bind_service,
  22.   capability setgid,
  23.   capability setuid,
  24.  
  25.   # nasty, but we limit file access pretty tightly, and cups chowns a
  26.   # lot of files to 'lp' which it cannot read/write afterwards any
  27.   # more
  28.   capability dac_override,
  29.  
  30.   # the bluetooth backend needs this
  31.   network bluetooth,
  32.  
  33.   # the dnssd backend uses those
  34.   network x25 seqpacket,
  35.   network ax25 dgram,
  36.   network netrom seqpacket,
  37.   network rose dgram,
  38.   network ipx dgram,
  39.   network appletalk dgram,
  40.   network econet dgram,
  41.   network ash dgram,
  42.  
  43.   /bin/bash ixr,
  44.   /bin/dash ixr,
  45.   /bin/hostname ixr,
  46.   /dev/lp* rw,
  47.   deny /dev/tty rw,  # silence noise
  48.   /dev/ttyS* rw,
  49.   /dev/usb/lp* rw,
  50.   /dev/bus/usb/ r,
  51.   /dev/bus/usb/** rw,
  52.   /dev/parport* rw,
  53.   /etc/cups/ rw,
  54.   /etc/cups/** rw,
  55.   /etc/foomatic/* r,
  56.   /etc/gai.conf r,
  57.   /etc/papersize r,
  58.   /etc/pnm2ppa.conf r,
  59.   /etc/printcap rwl,
  60.   /etc/ssl/** r,
  61.   @{PROC}/net/ r,
  62.   @{PROC}/net/* r,
  63.   @{PROC}/sys/dev/parport/** r,
  64.   @{PROC}/*/net/ r,
  65.   @{PROC}/*/net/** r,
  66.   @{PROC}/sys/crypto/** r,
  67.   /sys/** r,
  68.   /usr/bin/* ixr,
  69.   /usr/sbin/* ixr,
  70.   /bin/* ixr,
  71.   /sbin/* ixr,
  72.   /usr/lib/** rm,
  73.  
  74.   # backends which come with CUPS can be confined
  75.   /usr/lib/cups/backend/bluetooth ixr,
  76.   /usr/lib/cups/backend/dnssd ixr,
  77.   /usr/lib/cups/backend/http ixr,
  78.   /usr/lib/cups/backend/ipp ixr,
  79.   /usr/lib/cups/backend/lpd ixr,
  80.   /usr/lib/cups/backend/parallel ixr,
  81.   /usr/lib/cups/backend/scsi ixr,
  82.   /usr/lib/cups/backend/serial ixr,
  83.   /usr/lib/cups/backend/snmp ixr,
  84.   /usr/lib/cups/backend/socket ixr,
  85.   /usr/lib/cups/backend/usb ixr,
  86.   # we treat cups-pdf specially, since it needs to write into /home
  87.   # and thus needs extra paranoia
  88.   /usr/lib/cups/backend/cups-pdf Px,
  89.   # third party backends get no restrictions as they often need high
  90.   # privileges and this is beyond our control
  91.   /usr/lib/cups/backend/* Ux,
  92.  
  93.   /usr/lib/cups/cgi-bin/* ixr,
  94.   /usr/lib/cups/daemon/* ixr,
  95.   /usr/lib/cups/monitor/* ixr,
  96.   /usr/lib/cups/notifier/* ixr,
  97.   # filters and drivers (PPD generators) are always run as non-root,
  98.   # and there are a lot of third-party drivers which we cannot predict
  99.   /usr/lib/cups/filter/* Uxr, 
  100.   /usr/lib/cups/driver/* Uxr,
  101.   /usr/local/share/** r,
  102.   /usr/share/** r,
  103.   /var/cache/cups/ rw,
  104.   /var/cache/cups/** rwk,
  105.   /var/log/cups/ rw,
  106.   /var/log/cups/* rw,
  107.   /var/run/avahi-daemon/socket rw,
  108.   /var/run/cups/ rw,
  109.   /var/run/cups/** rw,
  110.   /var/spool/cups/ rw,
  111.   /var/spool/cups/** rw,
  112.  
  113.   # third-party printer drivers; no known structure here
  114.   /opt/** rix,
  115.  
  116.   # FIXME: no policy ATM for hplip and Brother drivers
  117.   /usr/bin/hpijs Ux,
  118.   /usr/Brother/** Ux,
  119.  
  120.   # Kerberos authentication
  121.   /etc/krb5.conf r,
  122.   deny /etc/krb5.conf w,
  123.   /etc/krb5.keytab rk,
  124.   /etc/cups/krb5.keytab rwk,
  125.   /tmp/krb5cc* k,
  126.  
  127.   # likewise authentication
  128.   /etc/likewise r,
  129.   /etc/likewise/* r,
  130. }
  131.  
  132. # separate profile since this needs to write into /home
  133. /usr/lib/cups/backend/cups-pdf {
  134.   #include <abstractions/base>
  135.   #include <abstractions/fonts>
  136.   #include <abstractions/nameservice>
  137.   #include <abstractions/user-tmp>
  138.  
  139.   capability chown,
  140.   capability fowner,
  141.   capability fsetid,
  142.   capability setgid,
  143.   capability setuid,
  144.  
  145.   # unfortunate, but required for when $HOME is 700
  146.   capability dac_override,
  147.  
  148.   /bin/dash ixr,
  149.   /bin/bash ixr,
  150.   /bin/cp ixr,
  151.   /etc/papersize r,
  152.   /etc/cups/cups-pdf.conf r,
  153.   @{HOME}/PDF/ rw,
  154.   @{HOME}/PDF/* rw,
  155.   /usr/bin/gs ixr,
  156.   /usr/lib/cups/backend/cups-pdf mr,
  157.   /usr/lib/ghostscript/** mr,
  158.   /usr/share/** r,
  159.   /var/log/cups/cups-pdf_log w,
  160.   /var/spool/cups-pdf/** rw,
  161. }
  162.