This file is indexed.

/etc/apparmor.d/usr.sbin.cupsd is in cups 1.5.2-9ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# vim:syntax=apparmor
# Last Modified: Thu Aug  2 12:54:46 2007
# Author: Martin Pitt <martin.pitt@ubuntu.com>

#include <tunables/global>

/usr/sbin/cupsd {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/authentication>
  #include <abstractions/dbus>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  #include <abstractions/user-tmp>

  capability chown,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  # nasty, but we limit file access pretty tightly, and cups chowns a
  # lot of files to 'lp' which it cannot read/write afterwards any
  # more
  capability dac_override,

  # the bluetooth backend needs this
  network bluetooth,

  # the dnssd backend uses those
  network x25 seqpacket,
  network ax25 dgram,
  network netrom seqpacket,
  network rose dgram,
  network ipx dgram,
  network appletalk dgram,
  network econet dgram,
  network ash dgram,

  /bin/bash ixr,
  /bin/dash ixr,
  /bin/hostname ixr,
  /dev/lp* rw,
  deny /dev/tty rw,  # silence noise
  /dev/ttyS* rw,
  /dev/ttyUSB* rw,
  /dev/usb/lp* rw,
  /dev/bus/usb/ r,
  /dev/bus/usb/** rw,
  /dev/parport* rw,
  /etc/cups/ rw,
  /etc/cups/** rw,
  /etc/foomatic/* r,
  /etc/gai.conf r,
  /etc/papersize r,
  /etc/pnm2ppa.conf r,
  /etc/printcap rwl,
  /etc/ssl/** r,
  @{PROC}/net/ r,
  @{PROC}/net/* r,
  @{PROC}/sys/dev/parport/** r,
  @{PROC}/*/net/ r,
  @{PROC}/*/net/** r,
  @{PROC}/*/auxv r,
  @{PROC}/sys/crypto/** r,
  /sys/** r,
  /usr/bin/* ixr,
  /usr/sbin/* ixr,
  /bin/* ixr,
  /sbin/* ixr,
  /usr/lib/** rm,

  # backends which come with CUPS can be confined
  /usr/lib/cups/backend/bluetooth ixr,
  /usr/lib/cups/backend/dnssd ixr,
  /usr/lib/cups/backend/http ixr,
  /usr/lib/cups/backend/ipp ixr,
  /usr/lib/cups/backend/lpd ixr,
  /usr/lib/cups/backend/parallel ixr,
  /usr/lib/cups/backend/serial ixr,
  /usr/lib/cups/backend/snmp ixr,
  /usr/lib/cups/backend/socket ixr,
  /usr/lib/cups/backend/usb ixr,
  # we treat cups-pdf specially, since it needs to write into /home
  # and thus needs extra paranoia
  /usr/lib/cups/backend/cups-pdf Px,
  # third party backends get no restrictions as they often need high
  # privileges and this is beyond our control
  /usr/lib/cups/backend/* Ux,

  /usr/lib/cups/cgi-bin/* ixr,
  /usr/lib/cups/daemon/* ixr,
  /usr/lib/cups/monitor/* ixr,
  /usr/lib/cups/notifier/* ixr,
  # filters and drivers (PPD generators) are always run as non-root,
  # and there are a lot of third-party drivers which we cannot predict
  /usr/lib/cups/filter/** Uxr, 
  /usr/lib/cups/driver/* Uxr,
  /usr/local/** rm,
  /usr/local/lib/cups/** rix,
  /usr/share/** r,
  /{,var/}run/** rm,
  /{,var/}run/avahi-daemon/socket rw,
  deny /{,var/}run/samba/ rw,
  /{,var/}run/samba/** rw,
  /{,var/}run/cups/ rw,
  /{,var/}run/cups/** rw,
  /var/cache/cups/ rw,
  /var/cache/cups/** rwk,
  /var/log/cups/ rw,
  /var/log/cups/* rw,
  /var/spool/cups/ rw,
  /var/spool/cups/** rw,

  # third-party printer drivers; no known structure here
  /opt/** rix,

  # FIXME: no policy ATM for hplip and Brother drivers
  /usr/bin/hpijs Ux,
  /usr/Brother/** Ux,

  # Kerberos authentication
  /etc/krb5.conf r,
  deny /etc/krb5.conf w,
  /etc/krb5.keytab rk,
  /etc/cups/krb5.keytab rwk,
  /tmp/krb5cc* k,

  # likewise authentication
  /etc/likewise r,
  /etc/likewise/* r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cupsd>
}

# separate profile since this needs to write into /home
/usr/lib/cups/backend/cups-pdf {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability chown,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  # unfortunate, but required for when $HOME is 700
  capability dac_override,
  capability dac_read_search,

  /bin/dash ixr,
  /bin/bash ixr,
  /bin/cp ixr,
  /etc/papersize r,
  /etc/cups/cups-pdf.conf r,
  @{HOME}/PDF/ rw,
  @{HOME}/PDF/* rw,
  /usr/bin/gs ixr,
  /usr/lib/cups/backend/cups-pdf mr,
  /usr/lib/ghostscript/** mr,
  /usr/share/** r,
  /var/log/cups/cups-pdf_log w,
  /var/spool/cups/** r,
  /var/spool/cups-pdf/** rw,
}