# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Path of the confined binary; the profile's `mr` rule is written in terms of it.
# NOTE(review): the profile attachment below spells the path out literally instead
# of using this variable — keep the two in sync (see comment on the profile line).
@{exec_path} = @{sbin}/cupsd
# Prefix used as attach_disconnected.path in both profile flag sets below: paths
# that become disconnected from the namespace are reported under this prefix.
@{att} = /att/cupsd/
profile cupsd /{,usr/}{,s}bin/cupsd  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  # NOTE(review): `complain` makes every rule in this profile advisory — denials are
  # logged, never enforced. Nothing below actually confines cupsd until the flag is
  # dropped, so treat the rule set as a draft of the intended policy.
  # NOTE(review): the attachment is written as a literal glob while @{exec_path}
  # (used by the `mr` rule further down) is built from @{sbin}. They are presumably
  # equivalent today — TODO confirm the @{sbin} expansion in tunables/global, or
  # attach with `profile cupsd @{exec_path}` so the two cannot drift apart.
  include <abstractions/attached/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
  include <abstractions/bus/system/org.freedesktop.ColorManager>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

  # A broad, root-like capability set. Because filters, CGI handlers, drivers and
  # monitors below are executed inline (ix), every one of those helpers runs with
  # this same capability set, not a reduced one.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability wake_alarm,

  # IPP / HTTP listeners and client connections (both address families).
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  # Legacy, non-IP socket families. NOTE(review): presumably kept for rarely used
  # backends; worth confirming they are still exercised, since each one widens the
  # socket surface available to everything running under this profile.
  network appletalk dgram,
  network ash dgram,
  network ax25 dgram,
  network bluetooth,
  network econet dgram,
  network ipx dgram,
  network netrom seqpacket,
  network rose dgram,
  network x25 seqpacket,

  # cupsd may only terminate the D-Bus notifier, not arbitrary peers.
  signal (send) set=(term) peer=cups-notifier-dbus,

  @{exec_path} mr,

  # Helper tools executed inline (ix): they inherit this profile, including the
  # capabilities above. `rix` on @{python_path} means any Python code launched from
  # here runs with cupsd's full permissions as well.
  @{sh_path}                 rix,
  @{bin}/cat                 rix,
  @{bin}/chmod               rix,
  @{bin}/cp                  rix,
  @{bin}/{,e}grep            rix,
  # Ghostscript is the one helper moved into its own child profile (`gs`, below);
  # it therefore does NOT get the capabilities or network rules of this profile.
  @{bin}/gs{,.bin}           rcx -> gs,
  @{bin}/gsc                 rix,
  @{bin}/hostname            rix,
  @{bin}/ippfind             rix,
  @{bin}/mktemp              rix,
  @{bin}/printenv            rix,
  @{python_path}             rix,
  @{bin}/rm                  rix,
  @{bin}/sed                 rix,
  # px: transition to a separately loaded profile for the target. In enforce mode
  # the exec fails if no such profile exists, so each px target needs its own profile.
  @{bin}/smbspool            rpx,
  @{bin}/touch               rix,
  @{bin}/xz                  rix,
  @{lib}/cups/backend/*      rpx,
  # NOTE(review): CGI handlers (the web interface), daemon helpers, drivers, filters
  # and monitors all run inline with cupsd's privileges. A flaw in any of them is a
  # flaw with this profile's capability set; they are natural candidates for child
  # profiles in the style of `gs` once their file needs are known.
  @{lib}/cups/cgi-bin/*.cgi  rix,
  @{lib}/cups/daemon/*       rix,
  @{lib}/cups/driver/*       rix,
  @{lib}/cups/filter/*       rix,
  @{lib}/cups/monitor/*      rix,
  @{lib}/cups/notifier/*     rpx,

  /usr/share/cups/{,**} r,
  /usr/share/poppler/{,**} r,
  /usr/share/ppd/{,**} r,

  # Read/write on the entire configuration tree, not just cupsd's state files —
  # anything running under this profile can rewrite cupsd's own configuration.
  # TODO(review): confirm whether a narrower rule (specific files, or owner-only
  # writes) would cover cupsd's actual writes.
  /etc/cups/{,**} rw,
  /etc/foomatic/* r,
  /etc/papersize r,
  /etc/paperspecs r,
  /etc/pnm2ppa.conf r,
  # `l` allows creating hard links to/from this path in addition to rw.
  /etc/printcap rwl,

  /var/cache/cups/ rw,
  /var/cache/cups/** rwk,
  /var/log/cups/{,*} rw,
  /var/spool/cups/{,**} rw,

  @{run}/cups/{,**} rw,
  @{run}/systemd/notify w,
  @{run}/avahi-daemon/socket rw,

  @{sys}/module/apparmor/parameters/enabled r,

  # NOTE(review): the fd/ listing is not `owner`-restricted (unlike the mounts rule
  # right below), so it covers any pid. TODO confirm cupsd needs more than its own.
        @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,

  # Glob in a shared temp directory; `owner` limits it to files owned by the
  # calling uid, which is what keeps this from being a write into others' files.
  owner @{tmp}/*_latest_print_info w,

  /dev/tty rw,

  # Child profile for Ghostscript. A child profile does not inherit the parent's
  # rules: gs gets only what is listed here (plus the two abstractions), and none
  # of the capabilities or network access granted to cupsd above.
  profile gs flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/fonts>

    @{bin}/gs{,.bin} mr,

    /usr/share/ghostscript/{,**} r,
    /usr/share/color/icc/ghostscript/{,**} r,

    /etc/papersize r,
    /etc/paperspecs r,

          /var/lib/ghostscript/{,**} r,
    owner /var/spool/cups/tmp/gs_@{rand6} rw,

    # Scratch file in the shared temp dir, owner-restricted. NOTE(review): written
    # as a literal /tmp while the parent profile's temp rule uses @{tmp} — consider
    # aligning the two; TODO confirm how @{tmp} expands in tunables/global first.
    owner /tmp/gs_@{rand6} rw,

    include if exists <local/cupsd_gs>
  }

  include if exists <local/cupsd>
}

# vim:syntax=apparmor
