Joel, thank you very much for your analysis and for posting Debian bug
#1016622, as the fix has to be applied in the Debian package.
** Package changed: cups (Ubuntu) => cups-filters (Ubuntu)
** Changed in: cups-filters (Ubuntu)
Status: Confirmed => Triaged
** Bug watch added: Debian Bug
This message doesn't seem to affect anything, from what I can tell.
Here's a technical analysis.
The system call, sched_setattr, is being made in glib's
g_system_thread_get_scheduler_settings. It gets the current scheduling
settings, and then tests to make sure it can set them on the same
Apparmor audit message.
** Attachment added: "Apparmor audit message"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+attachment/5581262/+files/Apparmor%20audit%20message
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is
I have 33 denied messages that increase in number every time I reboot.
** Attachment added: "Apparmor rsys log d"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+attachment/5581261/+files/Apparmor%20rsys%20log%20d
--
You received this bug notification because you are a member
** Attachment added: "Apparmor kernal log"
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1897369/+attachment/5581260/+files/Apparmor%20kernal%20log
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
It may also be an option to set the desired scheduling parameters via
systemd.exec(5) parameters instead of asking the daemon to do the
changes itself.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
** Changed in: cups (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
Title:
apparmor: Allow cups-browsed to change nice value
I have searched the code of cups-browsed and libcupsfilters and did not
find any call of the mentioned functions which require CAP_SYS_NICE.
Most probably some of the library functions cups-browsed is using
contains such calls.
As cups-browsed works correctly I suggest to add the "deny capability
Till, it allows quite a few things (from man capabilities):
CAP_SYS_NICE
* Raise process nice value (nice(2), setpriority(2)) and change the
nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and set
scheduling
I did not have anything to control the priority in the source code of
cups-browsed, I also did not find anything in the packaging of cups-
filters. I also do not see any security risk in priority changing, it
can only make the system faster or slower.
Perhaps systemd does the nice level change?
Anyone of the security team, does allowing the "sys_nice" capability for
cups-browsed cause any possible security risk?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1897369
Thank you for your bug report
Till, do you know what impact that priority change failing has? Could
you check with the security team if that call should be allowed by
default in the cups profile?
** Changed in: cups (Ubuntu)
Assignee: (unassigned) => Till Kamppeter (till-kamppeter)
--
You
On my system, I have a consistent Deny on cups-browsed --capable, one
example from 281300Z November 2020 being:
Nov 28 13:00:24 hotrodgpc-desktop kernel: [ 52.928672] audit:
type=1400 audit(1606597224.111:54): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cups-browsed" pid=1496 comm
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: cups (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
>From the manual page capabilities(7):
CAP_SYS_NICE
* Lower the process nice value (nice(2), setpriority(2)) and
change the nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and set
15 matches
Mail list logo
