Package: cups-daemon Version: 2.2.10-6+deb10u2 Severity: wishlist Right now you have two stanzas (cupsd and cups-pdf), but you only allow dropins in the former. Please add an #include for cups-pdf.
#include <tunables/global> /usr/sbin/cupsd flags=(attach_disconnected) { [...] #include <local/usr.sbin.cupsd> } /usr/lib/cups/backend/cups-pdf { [...] + ## Please add this line! + #include <local/usr.lib.cups.backend.cups-pdf> } The reason I want this is my cups-pdf.conf uses "PostProcessing /usr/lib/blah" to do some b2b invoicing stuff. With a drop-in, I can put site-specific whitelist rules in a dedicated file. Without a drop-in, I have to put those rules in the existing file in a specific place, which is more fiddly to automate. PS: I think you also need to ship an empty local/usr.lib.cups.backend.cups-pdf, otherwise apparmor gets cranky about a "missing" include. -- System Information: Debian Release: 10.3 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-0.bpo.2-amd64 (SMP w/2 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled