From: nyet@nyet.org   
      
   Package: cups-daemon   
   Version: 2.4.16-1   
   Severity: normal   
   Tags: patch   
      
   Dear Maintainer,   
      
   /etc/apparmor.d/usr.sbin.cupsd (shipped by cups-daemon) fails to load with:   
   profile has merged rule with conflicting x modifiers ERROR processing regexs   
   for profile /usr/sbin/cupsd, failed to load   
      
   Steps to reproduce   
      
   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd   
      
   Expected result   
      
   The profile loads and cupsd runs under AppArmor confinement.   
      
   Actual result   
      
   The parser reports "profile has merged rule with conflicting x   
   modifiers" and refuses to load the profile; cupsd then runs unconfined   
   or with a failed profile load.   
      
   Cause   
      
   The profile includes abstractions/lightdm, which adds broad execute   
   rules (e.g. /usr/** rmixk). The profile also has specific execute rules   
   with different x modifiers (e.g. /usr/lib/cups/backend/cups-pdf Px).   
   When the parser merges these, the same path gets conflicting execute   
   modifiers (e.g. ix vs Px), which triggers the error (see e.g. AppArmor   
   GitLab issue #93). The lightdm abstraction is for display-manager guest   
   sessions, not for the CUPS daemon, so including it in usr.sbin.cupsd is   
   inappropriate and causes the conflict.   
      
   Suggested fix   
      
   In the cups-daemon package, remove the lightdm include from   
   /etc/apparmor.d/usr.sbin.cupsd   
      
   --- usr.sbin.cupsd-dist 2026-02-09 16:08:58.676266796 -0800   
   +++ usr.sbin.cupsd 2026-02-09 15:59:43.869866156 -0800   
   @@ -50,7 +50,7 @@   
    include    
    include    
    include    
   - include    
   +# include    
    include    
    include    
    include    
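Review bot: the `+# include` line only comments the directive out, whereas the report's own wording is to remove the include. apparmor_parser still accepts the legacy `#include` spelling as a live include directive, so a shipped profile carrying `# include ...` is one deleted space away from pulling the abstraction back in. Delete the line outright, or if it is kept as a marker, put the reason (conflicting x modifiers against the profile's own Px rules) in a separate comment line above it.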
      
   -- System Information:   
   Debian Release: trixie/sid   
    APT prefers unstable-debug   
    APT policy: (500, 'unstable-debug'), (500, 'unstable')   
   Architecture: amd64 (x86_64)   
   Foreign Architectures: i386   
      
   Kernel: Linux 6.18.9+deb14-amd64 (SMP w/4 CPU threads; PREEMPT)   
   Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not   
   set   
   Shell: /bin/sh linked to /usr/bin/dash   
   Init: systemd (via /run/systemd/system)   
   LSM: AppArmor: enabled   
      
   Versions of packages cups-daemon depends on:   
   ii adduser 3.152   
   ii bc 1.07.1-3+b1   
   ii init-system-helpers 1.68   
   ii libavahi-client3 0.8-18   
   ii libavahi-common3 0.8-18   
   ii libc6 2.42-11   
   ii libcups2t64 2.4.16-1   
   ii libdbus-1-3 1.16.2-2+b1   
   ii libgssapi-krb5-2 1.21.3-5   
   ii libpam0g 1.7.0-5   
   ii libpaper2 2.2.5-0.3+b1   
   ii libsystemd0 259-1   
   ii lsb-base 11.6   
   ii procps 2:4.0.4-2   
   ii ssl-cert 1.1.2   
   ii sysvinit-utils [lsb-base] 3.06-2   
      
   Versions of packages cups-daemon recommends:   
   ii avahi-daemon 0.8-18   
   pn colord    
   ii cups-browsed 1.28.17-7   
   ii ipp-usb 0.9.23-1+b3   
      
   Versions of packages cups-daemon suggests:   
   ii cups 2.4.16-1   
   ii cups-bsd 2.4.16-1   
   ii cups-client 2.4.16-1   
   ii cups-common 2.4.16-1   
   ii cups-filters 1.28.17-7   
   pn cups-pdf    
   ii cups-ppdc 2.4.16-1   
   ii cups-server-common 2.4.16-1   
   pn foomatic-db-compressed-ppds | foomatic-db    
   ii ghostscript 10.06.0~dfsg-3   
   ii poppler-utils 25.03.0-11.1+b1   
   ii smbclient 2:4.23.5+dfsg-1   
   ii udev 259-1   
      
   -- Configuration Files:   
   /etc/apparmor.d/usr.sbin.cupsd changed:   
   include    
   /usr/lib/cups/backend/cups-pdf {   
    include    
    include    
    include    
    include    
    include    
    include if exists    
    capability chown,   
    capability dac_override,   
    capability dac_read_search,   
    capability fowner,   
    capability fsetid,   
    capability setgid,   
    capability setuid,   
    unix peer=(label=/usr/sbin/cupsd),   
    /etc/cups/cups-pdf.conf r,   
    /etc/cups/ppd/*.ppd r,   
    /etc/papersize r,   
    /usr/bin/gs rix,   
    /usr/lib/cups/backend/cups-pdf mr,   
    /usr/lib/ghostscript/** mr,   
    /usr/share/** r,   
    /var/log/cups/cups-pdf*_log w,   
    /var/spool/cups-pdf/** rw,   
    /var/spool/cups/** r,   
    /{usr/,}bin/bash rix,   
    /{usr/,}bin/cp rix,   
    /{usr/,}bin/dash rix,   
    @{HOME}/[^.]*/** rw,   
    @{HOME}/[^.]*/{,**/} rw,   
    @{PROC}/*/auxv r,   
   }   
   /usr/sbin/cupsd flags=(attach_disconnected) {   
    include    
    include    
    include    
    include    
    include    
    include    
    include    
    include    
    include if exists    
    deny capability block_suspend,   
    capability audit_write,   
    capability chown,   
    capability dac_override,   
    capability dac_read_search,   
    capability fowner,   
    capability fsetid,   
    capability kill,   
    capability net_admin,   
    capability net_bind_service,   
    capability setgid,   
    capability setuid,   
    capability wake_alarm,   
    network appletalk dgram,   
    network ash dgram,   
    network ax25 dgram,   
    network bluetooth,   
    network econet dgram,   
    network ipx dgram,   
    network netrom seqpacket,   
    network rose dgram,   
    network x25 seqpacket,   
    deny signal send set=term peer=unconfined,   
    signal peer=/usr/sbin/cupsd//third_party,   
    unix peer=(label=/usr/lib/cups/backend/cups-pdf),   
    unix peer=(label=/usr/sbin/cupsd//third_party),   
    deny /dev/tty rw, # silence noise   
    deny /etc/krb5.conf w,   
    deny /etc/udev/udev.conf r,   
    deny /{,var/}run/samba/ rw,   
    /dev/bus/usb/ r,   
    /dev/bus/usb/** rw,   
    /dev/lp* rw,   
      
   [continued in next message]   
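The report's "Actual result" says cupsd may end up running unconfined when the profile fails to load. The following check is an added example, not part of the original report or of the cups-daemon package. It reads each matching process's AppArmor label and fails unless every one is in enforce mode. It assumes AppArmor's label is exposed at /proc/<pid>/attr/current; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# The kernel reports a task's AppArmor label as either "unconfined" or
# "<profile> (<mode>)", for example "/usr/sbin/cupsd (enforce)".

classify_label() {
    case $1 in
        "")             echo "UNKNOWN" ;;
        unconfined)     echo "UNCONFINED" ;;
        *" (enforce)")  echo "ENFORCED ${1% (enforce)}" ;;
        *" (complain)") echo "COMPLAIN ${1% (complain)}" ;;
        *)              echo "OTHER $1" ;;
    esac
}

# check_daemon NAME [PROCROOT]
# Prints "<pid> <verdict>" for every process whose comm equals NAME.
# Returns 0 only if all matches are enforced, 1 if any is not,
# 2 if no matching process exists.
check_daemon() {
    name=$1 root=${2:-/proc} rc=2
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm")" = "$name" ] || continue
        [ "$rc" -eq 2 ] && rc=0
        label=$(cat "$dir/attr/current" 2>/dev/null) || label=""
        verdict=$(classify_label "$label")
        echo "${dir##*/} $verdict"
        case $verdict in ENFORCED*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: a fake /proc tree with one enforced cupsd, one
# unconfined cupsd and an unrelated process. Prints the directory it created.
make_sample_proc() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/101/attr" "$tmp/102/attr" "$tmp/103/attr"
    echo cupsd > "$tmp/101/comm"; echo "/usr/sbin/cupsd (enforce)" > "$tmp/101/attr/current"
    echo cupsd > "$tmp/102/comm"; echo "unconfined" > "$tmp/102/attr/current"
    echo sshd  > "$tmp/103/comm"; echo "unconfined" > "$tmp/103/attr/current"
    echo "$tmp"
}

# On a live host, as root after reloading the profile: check_daemon cupsd
```

A non-zero return after a package upgrade or profile reload is the signal that the daemon is running without the confinement the profile was meant to provide.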
      