http://bugzilla.suse.com/show_bug.cgi?id=1128467

Bug ID: 1128467
Summary: Recently introduced apparmor profile for ghostscript breaks printing
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Since the latest ghostscript update, printing basically any document fails with a "filter failed" log message. The cups error_log file contains:
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting renderer with command: gs -dShowAcroForm -q -dBATC
D [08/Mar/2019:09:02:07 +0100] [Job 123] PAGE: 1 1
D [08/Mar/2019:09:02:07 +0100] [Job 123] Filetype: PDF
D [08/Mar/2019:09:02:07 +0100] [Job 123] Storing temporary files in /var/spool/cups/tmp
D [08/Mar/2019:09:02:07 +0100] [Job 123] PID 31260 (/usr/lib/cups/filter/pdftopdf) exited with no errors.
D [08/Mar/2019:09:02:07 +0100] [Job 123] File contains 1 pages
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting renderer with command: gs -dShowAcroForm -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE -sDEVICE=ijs -sIjsServer=hpijs -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -sDeviceManufacturer="HEWLETT-PACKARD" -sDeviceModel="deskjet 5550" -dDuplex=true -dTumble=false -r600 -sIjsParams=Quality:Quality=0,Quality:ColorMode=2,Quality:MediaType=0,Quality:PenSet=2,PS:MediaPosition=7 -dIjsUseOutputFD -sOutputFile=- /var/spool/cups/tmp/foomatic-gHncRI
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting process "kid3" (generation 1)
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting process "kid4" (generation 2)
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting process "renderer" (generation 2)
D [08/Mar/2019:09:02:07 +0100] [Job 123] JCL: \033%-12345X@PJL
D [08/Mar/2019:09:02:07 +0100] [Job 123] <job data>
D [08/Mar/2019:09:02:07 +0100] [Job 123] GPL Ghostscript 9.26: Can't start ijs server "hpijs"
D [08/Mar/2019:09:02:07 +0100] [Job 123] **** Unable to open the initial device, quitting.
D [08/Mar/2019:09:02:07 +0100] [Job 123] renderer exited with status 1
D [08/Mar/2019:09:02:07 +0100] [Job 123] Possible error on renderer command line or PostScript error. Check options.Kid3 exit status: 3
D [08/Mar/2019:09:02:07 +0100] [Job 123] prnt/backend/hp.c 919: ERROR: null print job total=0
This last, not very helpful message is the only thing seen in the system journal. strace on cupsd shows this problem:
31268 1552032127.625520 execve("/usr/lib/cups/filter/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 ENOENT (No such file or directory)
31268 1552032127.625613 execve("/usr/bin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 EACCES (Permission denied)
31268 1552032127.625731 execve("/usr/sbin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 ENOENT (No such file or directory)
31268 1552032127.625812 execve("/bin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 EACCES (Permission denied)
31268 1552032127.625922 execve("/usr/bin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 EACCES (Permission denied)
audit.log shows this:
type=AVC msg=audit(1552000855.174:2629): apparmor="DENIED" operation="exec" profile="/usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2}" name="/bin/bash" pid=2761 comm="gs" requested_mask="x" denied_mask="x" fsuid=4 ouid=0
The problem is obviously caused by
* Thu Feb 07 2019 jsegitz@suse.com
- Added apparmor_usr.bin.gs. This profile prevents execution of executables to serve as hardening for the binaries that process ghostscript. This is of limited use but prevents simple exploits.
I believe this was introduced while working on bug 1117336. I'm all for security, but isn't it a bit harsh to break printing completely without explicit warning or notice, and without any error messages that might give users a clue where to look?
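The report's point is that the only trace of the real cause is the AVC record in audit.log, while CUPS and the journal report a generic "filter failed". The following is an added example, not code from the bug report, from SUSE or from the ghostscript package: a small Python parser for AppArmor AVC records in the format quoted above, which extracts the denied exec attempts and counts denials per profile and object so that a hardening profile blocking a needed helper (here gs trying to spawn a shell for the hpijs IJS server) shows up as a clear, attributable event. The profile name is copied from the report's audit.log line; the SYSCALL record and the complain-mode ALLOWED record in the sample are constructed for illustration, as is the path in the last sample line.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The ghostscript wrapper profile name, exactly as the report's audit.log line shows it.
GS_PROFILE = ("/usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,"
              "ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2}")

# Constructed sample log: the DENIED record quoted in the report, a SYSCALL record of the
# kind that accompanies it (not an AppArmor record, so the parser must skip it), and a
# constructed complain-mode ALLOWED record for contrast (its path is made up).
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1552000855.174:2629): apparmor="DENIED" operation="exec" '
    'profile="' + GS_PROFILE + '" name="/bin/bash" pid=2761 comm="gs" '
    'requested_mask="x" denied_mask="x" fsuid=4 ouid=0',
    'type=SYSCALL msg=audit(1552000855.174:2629): arch=c000003e syscall=59 '
    'success=no exit=-13',
    'type=AVC msg=audit(1552000900.001:2630): apparmor="ALLOWED" operation="open" '
    'profile="' + GS_PROFILE + '" name="/var/spool/cups/tmp/example-job" pid=2762 '
    'comm="gs" requested_mask="r" denied_mask="r" fsuid=4 ouid=0',
])

# msg=audit(<epoch seconds>:<serial>) ties the AVC record to its SYSCALL record.
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key="quoted value" or key=bareword; quoted values may contain spaces, commas and braces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AppArmorEvent:
    timestamp: float
    serial: int
    verdict: str            # DENIED, ALLOWED (complain mode), AUDIT, ...
    operation: str          # exec, open, ...
    profile: str            # confining profile
    name: str               # object: for exec, the binary the confined process tried to run
    comm: str               # confined process name
    pid: int
    requested_mask: str
    denied_mask: str
    fsuid: Optional[int]


def parse_audit_line(line: str) -> Optional[AppArmorEvent]:
    """Parse one audit record; return None unless it is an AppArmor AVC record."""
    if not line.startswith("type=AVC"):
        return None
    m = _MSG_RE.search(line)
    if m is None:
        return None
    # findall yields (key, quoted, unquoted); exactly one of the two values is non-empty.
    fields = {k: q or u for k, q, u in _KV_RE.findall(line)}
    if "apparmor" not in fields:
        return None  # an AVC record from another LSM
    return AppArmorEvent(
        timestamp=float(m.group(1)),
        serial=int(m.group(2)),
        verdict=fields["apparmor"],
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        name=fields.get("name", ""),
        comm=fields.get("comm", ""),
        pid=int(fields.get("pid", "0")),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
        fsuid=int(fields["fsuid"]) if "fsuid" in fields else None,
    )


def parse_audit_log(text: str) -> List[AppArmorEvent]:
    events = []
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if ev is not None:
            events.append(ev)
    return events


def exec_denials(events: List[AppArmorEvent],
                 profile: Optional[str] = None) -> List[AppArmorEvent]:
    """Denied exec attempts, optionally restricted to one confining profile."""
    return [e for e in events
            if e.verdict == "DENIED" and e.operation == "exec" and "x" in e.denied_mask
            and (profile is None or e.profile == profile)]


def group_denials(events: List[AppArmorEvent]) -> Dict[Tuple[str, str, str], int]:
    """Count denials per (profile, operation, object): a better alerting key than
    raw line volume, since one stuck print queue can repeat the same denial per job."""
    return dict(Counter((e.profile, e.operation, e.name)
                        for e in events if e.verdict == "DENIED"))


def describe(e: AppArmorEvent) -> str:
    return (f"{e.verdict} {e.operation} of {e.name} by {e.comm} "
            f"(pid {e.pid}, fsuid {e.fsuid}) under profile {e.profile}")


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in exec_denials(evs):
        print(describe(e))
    print(group_denials(evs))
```

Run against a real audit.log the parser also takes the complain-mode ALLOWED records, which is how a new profile can be trialled before enforcement: the ghostscript profile in complain mode would have logged the shell exec as ALLOWED instead of silently turning it into the "Can't start ijs server" failure seen in error_log.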