[GUTSY] Third-party drivers (like Turboprint) do not work due to AppArmor

Bug #133818 reported by Patrice Vetsel
Affects           Status         Importance   Assigned to    Milestone
cupsys (Ubuntu)   Fix Released   Medium       Martin Pitt

Bug Description

Binary package hint: cupsys

Here are extracts from my syslog:

Aug 21 11:57:59 satori kernel: [ 172.444000] audit(1187690278.753:9): REJECTING rw access to /dev/tty (pstoturboprint(5975) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [ 172.448000] audit(1187690278.753:10): REJECTING m access to /etc/passwd (pstoturboprint(5975) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [ 172.500000] audit(1187690278.753:11): REJECTING r access to /etc/turboprint/system.cfg (cat(5977) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [ 172.572000] audit(1187690278.753:12): REJECTING m access to /etc/passwd (ls(5980) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [ 172.576000] audit(1187690278.753:13): REJECTING m access to /etc/group (ls(5980) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [ 172.616000] audit(1187690279.253:14): REJECTING rw access to /dev/tty (ldd(5981) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [ 172.620000] audit(1187690279.253:15): REJECTING m access to /etc/passwd (ldd(5981) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:58:00 satori kernel: [ 173.688000] audit(1187690280.254:16): REJECTING r access to /proc/version (ps(5990) profile /usr/sbin/cupsd active /usr/sbin/cupsd)

Till Kamppeter (till-kamppeter) wrote:

It seems that the AppArmor protection breaks a lot of third-party printer drivers, especially as drivers often have extra files which can be anywhere in the system.

I suggest the following:

The filter chain is always run as non-root user (usually "lp") by CUPS, so one should perhaps better remove any protection from the filters. So AppArmor should be configured to allow everything for all sub processes running as non-root (or at least as CUPS-special user: "lp", "cupsys", ...), or it should allow everything for sub processes in /usr/lib/cups/filter/ especially also with all their auxiliary files.

Changed in cupsys:
assignee: nobody → pitti
importance: Undecided → Medium
Martin Pitt (pitti)
Changed in cupsys:
status: New → In Progress
alistairi (alistairi) wrote:

I registered the bug 132624, which turned out to be a duplicate of this one.

If you want some end-user testing of the fix let me know, I'll be happy to help ... since I have to boot into windows to print anything

Till Kamppeter (till-kamppeter) wrote:

As a workaround try:

sudo aa-complain cupsd

Does printing now work for you?

alistairi (alistairi) wrote:

Hallo,

Nope, printer status goes to "pending" and stops, see also answers on bug 132624

hellekin (hellekin) wrote:

Ubuntu Gutsy comes with AppArmor, which prevents the Brother (and other) drivers from working with CUPS as they're in /usr/local instead of /opt/

To fix the problem, try editing /etc/apparmor.d/usr.sbin.cupsd to add the following lines:

   # Brother printer drivers are installed in /usr/local
   /usr/local/Brother/inf/brMFC210Cfunc r,
   /usr/local/Brother/lpd/filterMFC210C ix,
   # And need read access to /dev/tty
   /dev/tty r,

Then restart: /etc/init.d/apparmor reload

All printing should resume fine. It works for me, although I don't know the security implications of letting cupsd read /dev/tty.
I also had an alert for a write request to /dev/tty while trying to change the printer configuration but don't know the security implications either and the above works anyway if the printer is already configured.

Jasper Groenewegen (colbrac) wrote:

On a DCP-115C I also had these messages:

Sep 3 21:17:55 evo kernel: [15943.224073] audit(1188847075.345:827): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18466) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:55 evo kernel: [15943.227368] audit(1188847075.345:828): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18468) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:55 evo kernel: [15943.230126] audit(1188847075.345:829): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18469) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:55 evo kernel: [15943.233095] audit(1188847075.345:830): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18470) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.592320] audit(1188847075.845:831): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18471) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.707341] audit(1188847075.845:832): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18472) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.709683] audit(1188847075.845:833): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18473) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.711941] audit(1188847075.845:834): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18474) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.714119] audit(1188847075.845:835): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18475) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.716304] audit(1188847075.845:836): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18476) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.718490] audit(1188847075.845:837): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18477) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.721960] audit(1188847075.845:838): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18478) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.724152] audit(1188847075.845:839): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18479) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.726315] audit(1188847075.845:840): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18480) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.728542] audit(1188847075.845:841): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18481) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 3 21:17:56 evo kernel: [15943.730809] audit(1188847075.845:842): REJECTING w access to /usr/local/Brother/inf/brMFC210Crc (brprintconfij2(18482) profile /usr/sbin/cupsd active /usr/sb...

alistairi (alistairi) wrote:

Hallo,

that doesn't work for me. I have a Lexmark printer so I added

  # third-party printer drivers; no known structure here
  /opt/** rix,
  /usr/local/z600llpddk/* rix,
  /dev/tty r,

but no change, I can't print, documents are listed permanently as pending.

hellekin (hellekin) wrote: Re: [Bug 133818] Re: [GUTSY] Third-party drivers (like Turboprint) do not work due to AppArmor

On Mon 2007-09-03@20:36:36 -0000, alistairi wrote:
> Hallo,
>
> that doesn't work for me. I have a Lexmark printer so I added
>
> # third-party printer drivers; no known structure here
> /opt/** rix,
> /usr/local/z600llpddk/* rix,
>
*** The above line should have 2 stars.

==
hk

alistairi (alistairi) wrote:

Thanks for the feedback. Now it's:

  # third-party printer drivers; no known structure here
  /opt/** rix,
  /usr/local/z600llpddk/** rix,
  /dev/tty r,

but it still doesn't print

hellekin (hellekin) wrote:

On Tue 2007-09-04@07:29:22 -0000, alistairi wrote:
> Thanks for the feedback. Now it's:
>
> # third-party printer drivers; no known structure here
> /opt/** rix,
> /usr/local/z600llpddk/** rix,
> /dev/tty r,
>
>
> but it still doesn't print
>
*** Do you have more messages in /var/log/messages ? Like "REJECTED .... w
...?" Try adding the files listed with the relevant keys (r, w, ix, or a
combination of those).

==
hk

alistairi (alistairi) wrote:

No, I get lots of PERMITTING ... messages.

This was also in the duplicate bug I (inadvertently) registered: bug 132624. I filed some cupsd error logs etc. there.

alistairi (alistairi) wrote:

There was a significant number of updates this morning, including cups.

Now I have the message in /var/log/messages:

Sep 9 10:44:59 localhost kernel: [ 4061.227559] audit(1189327499.473:4): operation="profile_replace" info="failed to unpack profile" name="/usr/lib/cups/backend/cups-pdf" pid=6127

and the PERMITTING messages have disappeared ...

Tried "sudo aa-complain cupsd" again but no help.

Still no print output :-(

alistairi (alistairi) wrote:

I resolved the problem by installing Gutsy on another PC. After the installation of the Lexmark drivers I went to System -> Administration -> Printers to add the printer, and noticed that there were TWO drivers listed:

1. Lexmark Z600 Series USB #1
    Device URI: usb://Lexmark%20/Z600%20Series

2. Lexmark Printer
    Device URI: z600:/dev/usb/lp0

Driver 1. does not work, driver 2 works. Going back to first PC and changing driver to "Lexmark Printer" results in being able to print.

alistairi (alistairi) wrote:

I forgot to add: I didn't make any changes to /etc/apparmor.d/usr.sbin.cupsd on the second PC, I only followed the instructions to install the driver on a "fresh" version of Gutsy, updated with todays updates. Otherwise NO other actions.

alistairi (alistairi) wrote:

Hallo,

It gets interesting again: in this morning's update to Gutsy the Update attempted to install a new driver for the Lexmark Z600 which had the Device URI: usb://Lexmark%20/Z600%20Series , i.e. one that doesn't work and is known not to work

Martin Pitt (pitti) wrote:

Till's proposal "it should allow everything for sub processes in /usr/lib/cups/filter/*" sounds good and appropriate, unfortunately that does not work due to bug 139105. So I need to open up /usr/local similar to /opt/ for the time being. So I have to sacrifice some security by opening up the policy for cupsd itself much more than necessary.

Martin Pitt (pitti) wrote:

Fixed in bzr head.

Changed in cupsys:
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote:

cupsys (1.3.0-4ubuntu1) gutsy; urgency=low

  * Merge bugfixes from Debian.
  * debian/local/apparmor-profile: Append slashes to directory names, since
    AppArmor 2.1 wants it that way.
  * debian/local/apparmor-profile: Open up the profile for third-party printer
    drivers (like Turboprint, and other stuff in /usr/local/). This requires
    opening up the profile much more than necessary, due to AppArmor bug
    #139105. (LP: #133818)

cupsys (1.3.0-4) unstable; urgency=low

  * Install PO files again, but this time under /usr/share/cups/locale. cups
    has its own crazy PO file parser.
  * Add debian/patches/str2488-fix-localedir.dpatch: Make the --localedir
    configure option actually work (taken from upstream SVN, STR#2488)
  * debian/rules: Add --enable-gssapi to ensure that the package is built with
    Kerberos support.
  * debian/rules: Use -Wl,--as-needed linker flag. This drops a few
    unnecessary dependencies and should make checklib much happier.
  * Add debian/patches/str2508-dont_kill_edit-config.tmpl.dpatch: Do not kill
    edit-config.tmpl on distclean. Forwarded upstream as STR#2508.
    (Closes: #441697)
  * Add debian/patches/str2505_localize.dpatch: Fix localization of web
    interface (STR#2505, Closes: #440256)

 -- Martin Pitt <email address hidden> Wed, 12 Sep 2007 15:34:13 +0200

Changed in cupsys:
status: Fix Committed → Fix Released
Xavier ALT (dex-phx) wrote:

Hi,

Printing with Canon binary driver doesn't work with current profile (gutsy, cupsys-1.3.0-4ubuntu4).

Sep 19 09:33:15 anne kernel: [66232.470179] audit(1190187195.358:7): operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/bin/lgmonmp160" pid=28304 profile="/usr/sbin/cupsd

In fact, it is the backend (/usr/lib/cups/backend/cnij_usb) which launches the /usr/local/bin/lgmonmp160 executable.
If it can be useful, I made a specific profile to make this backend work; see the attachment.

comeon (comeon2424) wrote:

Hi,

not every problem with 3rd-party drivers is the fault of AppArmor. I'm using a custom kernel and printing stopped working although I'm not using AppArmor at all, see bug 151668

maybe my workaround will help, especially for Brother drivers:

sudo apt-get install csh

Kevin Cole (kjcole) wrote:

Another data point... I'm using CodeHost's BrightQ driver for the Canon ImageRunner 8500. I tried modifying /etc/apparmor.d/usr.sbin.cupsd, adding in:

      /usr/local/brightq/** rix,

No joy. Here's a slightly cleaned up section of /var/log/messages (sans the timestamps and the PIDs, plus some intelligent word-wrapping):

Oct 26 16:13:04 xxxxx kernel: [237029.923656] audit(1193429583.778:67):

    type=1503 operation="inode_permission"
    requested_mask="a" denied_mask="a"
    name="/dev/tty" profile="/usr/sbin/cupsd"

    type=1503 operation="inode_permission"
    requested_mask="r" denied_mask="r"
    name="/etc/codehost.conf" profile="/usr/sbin/cupsd"

    type=1503 operation="inode_permission"
    requested_mask="w" denied_mask="w"
    name="/etc/krb5.conf" profile="/usr/sbin/cupsd"

    type=1503 operation="inode_permission"
    requested_mask="x" denied_mask="x"
    name="/usr/local/brightq/filters/brightq-ps" profile="/usr/sbin/cupsd"

    type=1503 operation="sysctl"
    requested_mask="r" denied_mask="r"
    name="/proc/sys/dev/parport/parport0/autoprobe" profile="/usr/sbin/cupsd"

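A small helper, added here as an example and not part of the bug report, of Ubuntu's cupsys packaging or of any AppArmor tool, that turns the two kinds of denial lines quoted in this thread (the older "REJECTING <mode> access to <path> (...)" form in the description and the key=value "denied_mask=... name=... profile=..." form in the later comments) into candidate rules for /etc/apparmor.d/usr.sbin.cupsd. It merges the denied modes per path, renders an "x" denial as "ix" the way the workarounds above do, and flags rules that widen cupsd's own privileges (writes outside the printing directories, execution outside the driver directories) instead of merely letting a driver run. The sample log is constructed from lines adapted from this thread, and the directory allowlists in needs_review are the example author's assumptions.

```python
"""Turn AppArmor denial log lines into candidate rules for the cupsd profile.

Handles both audit formats seen in this bug:
  old:  audit(...): REJECTING rw access to /dev/tty (pstoturboprint(5975) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
  new:  audit(...): operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/bin/lgmonmp160" pid=28304 profile="/usr/sbin/cupsd"
"""
import re

OLD_RE = re.compile(
    r'REJECTING (?P<mode>[a-z]+) access to (?P<path>\S+) '
    r'\((?P<prog>[^()\s]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active '
)
# The profile="..." value may be cut off at the end of a line (as in one comment above),
# so the closing quote is not required.
NEW_RE = re.compile(
    r'denied_mask="(?P<mode>[a-z]+)".*?name="(?P<path>[^"]+)".*?profile="(?P<profile>[^"\s]+)'
)

MODE_ORDER = "mrwakl"  # rendering order; 'x' is appended as 'ix' separately

# Constructed sample: lines adapted from the report and comments, PIDs partly made up.
SAMPLE_LOG = """\
Aug 21 11:57:59 satori kernel: [  172.444000] audit(1187690278.753:9): REJECTING rw access to /dev/tty (pstoturboprint(5975) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [  172.448000] audit(1187690278.753:10): REJECTING m access to /etc/passwd (pstoturboprint(5975) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [  172.500000] audit(1187690278.753:11): REJECTING r access to /etc/turboprint/system.cfg (cat(5977) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [  172.620000] audit(1187690279.253:15): REJECTING m access to /etc/passwd (ldd(5981) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Aug 21 11:57:59 satori kernel: [  172.700000] audit(1187690279.253:16): REJECTING r access to /etc/passwd (ldd(5981) profile /usr/sbin/cupsd active /usr/sbin/cupsd)
Sep 19 09:33:15 anne kernel: [66232.470179] audit(1190187195.358:7): operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/bin/lgmonmp160" pid=28304 profile="/usr/sbin/cupsd
Oct 26 16:13:04 xxxxx kernel: [237029.923656] audit(1193429583.778:67): type=1503 operation="inode_permission" requested_mask="w" denied_mask="w" name="/etc/krb5.conf" pid=1 profile="/usr/sbin/cupsd"
Oct 26 16:13:04 xxxxx kernel: [237029.923656] audit(1193429583.778:68): type=1503 operation="inode_permission" requested_mask="a" denied_mask="a" name="/dev/tty" pid=1 profile="/usr/sbin/cupsd"
Oct 26 16:13:04 xxxxx kernel: [237029.923656] audit(1193429583.778:69): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/hosts" pid=2 profile="/usr/lib/cups/backend/cups-pdf"
Oct 26 16:13:05 xxxxx kernel: [237029.930000] audit(1193429584.000:70): operation="profile_replace" info="failed to unpack profile" name="/usr/lib/cups/backend/cups-pdf" pid=6127
"""


def parse_denial(line):
    """Return (profile, path, set of denied mode letters), or None if the line is not a denial."""
    m = OLD_RE.search(line) or NEW_RE.search(line)
    if not m:
        return None
    return m.group("profile"), m.group("path"), set(m.group("mode"))


def collect(lines, profile="/usr/sbin/cupsd"):
    """Union the denied modes per path, keeping only denials against the given profile."""
    wanted = {}  # insertion-ordered: first denial of a path decides its position
    for line in lines:
        parsed = parse_denial(line)
        if parsed is None or parsed[0] != profile:
            continue
        _, path, modes = parsed
        wanted.setdefault(path, set()).update(modes)
    return wanted


def render_mode(modes):
    """Render a mode set as AppArmor rule permissions, e.g. {'r','w','a'} -> 'rw', {'x'} -> 'ix'."""
    modes = set(modes)
    if "w" in modes:
        modes.discard("a")  # write already covers append
    out = "".join(c for c in MODE_ORDER if c in modes)
    if "x" in modes:
        out += "ix"  # run under cupsd's own profile, as the workarounds in this thread do
    return out


def needs_review(path, modes):
    """Flag rules that widen cupsd itself rather than just let a driver run (assumed allowlists)."""
    if "w" in modes or "a" in modes:
        return not path.startswith(("/dev/", "/tmp/", "/var/spool/cups/",
                                    "/var/cache/cups/", "/var/log/cups/"))
    if "x" in modes:
        return not path.startswith(("/opt/", "/usr/local/", "/usr/lib/cups/"))
    return False


def to_rules(lines, profile="/usr/sbin/cupsd"):
    """Return [(rule_text, needs_review)] for every path the profile denied."""
    return [("%s %s," % (path, render_mode(modes)), needs_review(path, modes))
            for path, modes in collect(lines, profile).items()]


def render_fragment(rules):
    """Format rules for pasting into the profile; flagged rules stay commented out."""
    out = ["  # candidate rules generated from AppArmor denials; review before enabling"]
    for rule, review in rules:
        out.append(("  # REVIEW: " if review else "  ") + rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_fragment(to_rules(SAMPLE_LOG.splitlines())))
```

On a real box, feed it the denial lines from /var/log/messages or /var/log/kern.log instead of SAMPLE_LOG, paste the unflagged lines into /etc/apparmor.d/usr.sbin.cupsd and reload the profile as described earlier in this thread. Anything marked REVIEW (such as the write to /etc/krb5.conf in the BrightQ log above) deserves a look at why a print filter wants it before it is granted, since that permission is given to cupsd as a whole, not only to the driver; aa-logprof from apparmor-utils does the same triage interactively.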
Kevin Cole (kjcole) wrote:

Since it may help with testing, I thought the more savvy among you might want to know:
The Canon / CodeHost / BrightQ driver software can be downloaded from:

http://canon.codehost.com/

Changed in cupsys (Ubuntu):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
Joost Ringoot (joost) wrote:

resolved for me after:

apt-get install hplip-cups hplip

Thanks to the info provided in this bugreport, esp: Comment #3
