[Bug 1128467] New: Recently introduced apparmor profile for ghostscript breaks printing
http://bugzilla.suse.com/show_bug.cgi?id=1128467

Bug ID: 1128467
Summary: Recently introduced apparmor profile for ghostscript breaks printing
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Since the latest ghostscript update, printing basically any document fails with a "filter failed" log message. The cups error_log file contains:
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting renderer with command: gs -dShowAcroForm -q -dBATC
D [08/Mar/2019:09:02:07 +0100] [Job 123] PAGE: 1 1
D [08/Mar/2019:09:02:07 +0100] [Job 123] Filetype: PDF
D [08/Mar/2019:09:02:07 +0100] [Job 123] Storing temporary files in /var/spool/cups/tmp
D [08/Mar/2019:09:02:07 +0100] [Job 123] PID 31260 (/usr/lib/cups/filter/pdftopdf) exited with no errors.
D [08/Mar/2019:09:02:07 +0100] [Job 123] File contains 1 pages
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting renderer with command: gs -dShowAcroForm -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE -sDEVICE=ijs -sIjsServer=hpijs -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -sDeviceManufacturer="HEWLETT-PACKARD" -sDeviceModel="deskjet 5550" -dDuplex=true -dTumble=false -r600 -sIjsParams=Quality:Quality=0,Quality:ColorMode=2,Quality:MediaType=0,Quality:PenSet=2,PS:MediaPosition=7 -dIjsUseOutputFD -sOutputFile=- /var/spool/cups/tmp/foomatic-gHncRI
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting process "kid3" (generation 1)
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting process "kid4" (generation 2)
D [08/Mar/2019:09:02:07 +0100] [Job 123] Starting process "renderer" (generation 2)
D [08/Mar/2019:09:02:07 +0100] [Job 123] JCL: \033%-12345X@PJL
D [08/Mar/2019:09:02:07 +0100] [Job 123] <job data>
D [08/Mar/2019:09:02:07 +0100] [Job 123] GPL Ghostscript 9.26: Can't start ijs server "hpijs"
D [08/Mar/2019:09:02:07 +0100] [Job 123] **** Unable to open the initial device, quitting.
D [08/Mar/2019:09:02:07 +0100] [Job 123] renderer exited with status 1
D [08/Mar/2019:09:02:07 +0100] [Job 123] Possible error on renderer command line or PostScript error. Check options.Kid3 exit status: 3
D [08/Mar/2019:09:02:07 +0100] [Job 123] prnt/backend/hp.c 919: ERROR: null print job total=0
Where this last, not very helpful message is the only thing seen in the system journal. strace on cupsd shows this problem:
31268 1552032127.625520 execve("/usr/lib/cups/filter/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 ENOENT (No such file or directory)
31268 1552032127.625613 execve("/usr/bin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 EACCES (Permission denied)
31268 1552032127.625731 execve("/usr/sbin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 ENOENT (No such file or directory)
31268 1552032127.625812 execve("/bin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 EACCES (Permission denied)
31268 1552032127.625922 execve("/usr/bin/sh", ["sh", "-c", "hpijs"], 0x7ffc16bdd7a0 /* 35 vars */) = -1 EACCES (Permission denied)
audit.log shows this:
type=AVC msg=audit(1552000855.174:2629): apparmor="DENIED" operation="exec" profile="/usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2}" name="/bin/bash" pid=2761 comm="gs" requested_mask="x" denied_mask="x" fsuid=4 ouid=0
The problem is obviously caused by
* Thu Feb 07 2019 jsegitz@suse.com - Added apparmor_usr.bin.gs. This profile prevents execution of executables to serve as hardening for the binaries that process ghostscript. This is of limited use but prevents simple exploits.
I believe this was introduced while working on bug 1117336. I'm all for security, but isn't it a bit harsh to break printing completely without explicit warning or notice, and without any error messages that might give users a clue where to look?

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c1
--- Comment #1 from Martin Wilck
argv[i++] = "sh";
argv[i++] = "-c";
argv[i++] = (char *)server_cmd;
argv[i++] = NULL;
status = execvp (argv[0], (char * const *)argv);
So that would require the apparmor profile to exec "sh", which would obviously forfeit all confinement.
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c2
--- Comment #2 from Matthias Gerstner
> Since the latest ghostscript update, printing basically any document fails with "filter failed" log message. [...] I believe this was introduced while working on bug 1117336. I'm all for security, but isn't it bit harsh to break printing completely without explicit warning or notice, and without any error messages that might give users a clue where to look?
Thank you for your analysis. This is certainly caused by the recent change in the AppArmor profile. We of course did not intend to break printing. We are working on hardening Ghostscript as far as possible, which is difficult, because it is used extensively in printing but also from various contexts to potentially interpret untrusted data. Sadly, to some extent, Tumbleweed as a rolling release also means that users end up being testers. That also helps us, however, in fixing these things, and we rely on reports such as this one. I'm assigning this to Johannes who introduced the new profile. He is currently on a trip so fixing it may take a couple of days.
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c3
--- Comment #3 from Johannes Meixner
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c4
--- Comment #4 from Martin Wilck
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPA&& USE -sDEVICE=ijs -sIjsServer=hpijs%A%B%C -dIjsUseOutputFD%Z -sOutputFi&& le=- -"
So, maybe we could fix this by changing ghostscript's ijs_exec_server() such that it only execvp()'s certain known commands, such as "hpijs", rather than invoking them with the shell directly, and add those commands to the apparmor profile. Thoughts?
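Putting the `sh -c` exec quoted in comment #1 next to the suggestion in comment #4, the following is an added example (not Ghostscript's, IJS's or SUSE's code) of what a shell-free exec step for ijs_exec_server() could look like: the -sIjsServer string is split into an argv, rejected if it contains shell metacharacters, checked against a hypothetical allowlist of server binaries, and then started with execvp() directly. The allowlist contents, the function names ijs_build_argv() and ijs_exec_server_noshell(), and the stdin/stdout wiring are assumptions; the real ijs_exec_server() also creates the pipes and handles errors in ways left out here.

```c
/* Added example: exec an IJS server without going through "sh -c".
 * Not code from Ghostscript or the IJS library; names and the allowlist
 * below are assumptions made for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define IJS_MAX_ARGS 32

/* Hypothetical allowlist: the set of server binaries the AppArmor profile
 * is expected to grant an exec rule for. */
static const char *const ijs_allowed_servers[] = { "hpijs", NULL };

/* Bytes that only carry meaning for a shell. Since no shell is ever
 * started, a command containing one of them is malformed, not parsed. */
static const char ijs_shell_meta[] = "|&;<>()$`\\\"'*?[]#~{}\n";

static int ijs_server_allowed(const char *name)
{
    for (const char *const *p = ijs_allowed_servers; *p; p++)
        if (strcmp(name, *p) == 0)
            return 1;
    return 0;
}

/*
 * Turn the -sIjsServer string into an argv without involving /bin/sh.
 * The command is copied into buf (argv points into it) and split on
 * blanks and tabs. Returns argc, or -1 if the command is empty, contains
 * shell metacharacters, has too many words, or names a server that is
 * not on the allowlist. argv[argc] is NULL on success.
 */
int ijs_build_argv(const char *server_cmd, char *buf, size_t buflen,
                   char **argv, size_t maxargs)
{
    size_t argc = 0;
    char *save = NULL, *tok;

    if (!server_cmd || !buf || !argv || maxargs < 2)
        return -1;
    if (strlen(server_cmd) >= buflen)
        return -1;
    if (strpbrk(server_cmd, ijs_shell_meta))
        return -1;

    strcpy(buf, server_cmd);
    for (tok = strtok_r(buf, " \t", &save); tok;
         tok = strtok_r(NULL, " \t", &save)) {
        if (argc >= maxargs - 1)   /* keep room for the terminating NULL */
            return -1;
        argv[argc++] = tok;
    }
    if (argc == 0 || !ijs_server_allowed(argv[0]))
        return -1;
    argv[argc] = NULL;
    return (int)argc;
}

/*
 * Replacement shape for the exec step: fork, wire the child's stdin and
 * stdout to the pipe ends the caller already created, and execvp() the
 * validated argv directly. Returns the child's pid, or -1 with errno set
 * (EINVAL when the command was rejected before any fork happened).
 */
pid_t ijs_exec_server_noshell(const char *server_cmd,
                              int child_stdin, int child_stdout)
{
    char buf[512];
    char *argv[IJS_MAX_ARGS];
    pid_t pid;

    if (ijs_build_argv(server_cmd, buf, sizeof buf, argv, IJS_MAX_ARGS) < 0) {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid != 0)
        return pid;                 /* parent, or fork() failure (-1) */
    if (dup2(child_stdin, 0) < 0 || dup2(child_stdout, 1) < 0)
        _exit(127);
    execvp(argv[0], argv);
    _exit(127);                     /* execvp() only returns on failure */
}
```

With no shell in the process tree, the profile only needs an exec rule for the server binary itself rather than for /bin/sh, and a command that does not pass validation fails with EINVAL in the parent instead of surfacing as an AVC denial followed by the opaque "Can't start ijs server" message seen in the error_log above. The allowlist could equally map names to absolute paths if PATH lookup by execvp() is not wanted.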
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c5
--- Comment #5 from Martin Wilck
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c6
--- Comment #6 from Johannes Meixner
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c7
--- Comment #7 from Martin Wilck
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c8
--- Comment #8 from Martin Wilck
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c9
--- Comment #9 from Martin Wilck
> The automated forwarding to openSUSE_Factory https://build.opensuse.org/request/show/679465 happened on 2019-02-26 and was accepted on 2019-03-01 so that the changed Ghostscript was only in the Printing project for 17 days.
This is fine. I certainly didn't mean to say that you did anything wrong.
> I know we have openSUSE users who use packages from "Printing" because usually I get early bug reports when something got broken.
I guess I should start using "Printing", too. I admit I prefer to keep my systems as free from devel repos as I can. But I don't print every day, so I'd be an unreliable beta tester. In fact, I print very rarely from my work computer, no more than once a month I guess. I just stumbled upon this because I wanted to test my hplip changes for bug 1112311.

> It seems you assume your particular use case is the usual one so that it must have been noticed by others right from the start,
How did you infer this? I noticed it, and I created a bug report. Initially I wrote "... breaks printing" in the bug description and added "over IJS" later, when I realized that only hpijs (or similarly working filters, for that matter) would be affected. OTOH, HP printers are common enough to assume that I'll not be the only one who will hit this problem.
> See https://bugzilla.suse.com/show_bug.cgi?id=1127934#c3 how you could avoid that issue for now.

Sure, I know that disabling apparmor, or this specific profile, would work. But I'm interested in a fix.
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c10
--- Comment #10 from Martin Wilck
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c11
--- Comment #11 from Johannes Meixner
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c12
--- Comment #12 from Martin Wilck
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c13
--- Comment #13 from Johannes Meixner
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c14
--- Comment #14 from Martin Wilck
> Martin Wilck, can you provide some facts behind why you think "lots of printers out there will stop working" regardless that I wrote in comment #11 that "for each HPLIP <model>-hpijs.ppd.gz PPD file there is a matching <model>.ppd.gz PPD file (the PPD files without 'hpijs' use HPCUPS)" so that all models where HPIJS works should be also supported by HPCUPS.
What will happen to printers configured with hpijs, like mine? Will they be auto-magically be switched over to hpcups? If yes, who'll take care of mapping the different options of the two drivers to each other (think default paper size, quality)? Or will they suddenly be dysfunctional, or disappear? What will the user experience be for users who need to change / transition?
> In other words: What HP printers out there where HPIJS works do not also work with HPCUPS?

That wasn't my point. I believe you that hpcups "works" with almost all models. I was talking about the transition. I just checked: on all SUSE systems I use, hpijs was configured for my officejet, and for my (meanwhile dead) Envy 5530 as well. I swear I have not actively overridden hpcups by hpijs. These printers have been set up on various systems using hp-setup from hplip 3.16.10 to 3.17.9. So it's not unlikely that others out there are using the same configuration. I have one Fedora system where the printer runs with hpcups (don't ask me why, it wasn't a conscious decision either). I've just made the test on my OfficeJet 6950 - quality-wise, the output is about the same, perhaps the hpcups output is even slightly better, and it actually prints borderless photos, which I haven't figured out how to do with hpijs. OTOH, hpcups didn't get the bottom margin right on A4 and hpijs did. Altogether I agree that hpcups is probably a better, at least equally good, driver. I'm not generally against phasing out hpijs, but I don't think it's a good idea to do it as a reaction to the regression reported in this bug, and I do think it should be done with a suitable transition phase during which hpijs is marked as deprecated and suggestions to switch the driver are made to users in some way. If users do that before the phasing-out happens, the transition will be smooth - it's no problem at all to use several printer queues with different drivers at the same time. (Btw, my OfficeJet has that "HP Fax 4" functionality. hp-setup configures it automatically for printers that support fax. I've never used it because my printer has no Fax connection).
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c15
--- Comment #15 from Martin Wilck
Marcus Meissner
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c17
--- Comment #17 from Johannes Meixner
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c18
--- Comment #18 from Johannes Segitz
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c21
--- Comment #21 from Johannes Segitz
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c22
--- Comment #22 from Johannes Segitz
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c31
--- Comment #31 from Johannes Segitz
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c32
--- Comment #32 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1128467#c33
--- Comment #33 from Johannes Segitz