http://bugzilla.suse.com/show_bug.cgi?id=1128467 Martin Wilck changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jsmeix@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c1 --- Comment #1 from Martin Wilck --- The problem is in ghostscripts ijs_exec_server() command, which runs

argv[i++] = "sh"; argv[i++] = "-c";

argv[i++] = (char *)server_cmd; argv[i++] = NULL; status = execvp (argv[0], (char * const *)argv);

So that would require the apparmor profile to exec "sh", which would obviously forfeit all confinement. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c3 Johannes Meixner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED URL| |https://developers.hp.com/h | |p-linux-imaging-and-printin | |g/tech_docs/hpijs Found By|--- |Development OS|Other |openSUSE Factory --- Comment #3 from Johannes Meixner --- Right now I described the same in https://bugzilla.suse.com/show_bug.cgi?id=1127934#c4 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c5 --- Comment #5 from Martin Wilck --- Created attachment 799380 --> http://bugzilla.suse.com/attachment.cgi?id=799380&action=edit ijs: ijs_exec_server(): don't use "sh" tentative patch for ghostscript -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c7 --- Comment #7 from Martin Wilck --- I'm new to apparmor profiles, but I believe adding /usr/bin/hpijs ix, should fix the issue with the patch from comment 5. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c9 --- Comment #9 from Martin Wilck --- (In reply to Johannes Meixner from comment #6)

The automated forwarding to openSUSE_Factory https://build.opensuse.org/request/show/679465 happened on 2019-02-26 and was accepted on 2019-03-01 so that the changed Ghostscript was only in the Printing project for 17 days.

This is fine. I certainly didn't mean to say that you did anything wrong.

I know we have openSUSE users who use packages from "Printing" because usually I get early bug reports when something got broken.

I guess I should start using "Printing", too. I admit I prefer to keep my systems as free from devel repos as I can. But I don't print every day, so I'd be an unreliable beta tester. I fact, I print very rarely from my work computer, no more than once a month I guess. I just stumbled upon this because I wanted to test my hplip changes for bug 1112311.

It seems you assume your particular use case the the usual one so that it must have beed noticed by others right from the start,

How did you infer this? I noticed it, and I created a bug report. Initially I wrote "... breaks printing" in the bug description and added "over IJS" later, when I realized that only hpijs (or similarly working filters, for that matter) would be affected. OTOH, HP printers are common enough to assume that I'll not be the only one who will hit this problem.

See https://bugzilla.suse.com/show_bug.cgi?id=1127934#c3 how you could avoid that issue for now.

Sure, I know that disabling apparmor, or this specific profile, would work. But I'm interested in a fix. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c11 --- Comment #11 from Johannes Meixner --- FYI regarding HP printers and HPLIP in general: HPLIP provides two printer drivers: The old HPIJS that is declared deprecated/unmaintained/unsupported by HPLIP upstream since a long time (since several years) but as long as it works I keep in in our hplip RPMs. The current HPCUPS that should be normally used. HPCUPS is a "nowadays normal" printer driver where in particular no IJS program spawned by Ghostscript. As far as I see for each HPLIP <model>-hpijs.ppd.gz PPD file there is a matching <model>.ppd.gz PPD file (the PPD files without 'hpijs' use HPCUPS): --------------------------------------------------------------------------- # for hpijs_ppd in $( \ find /usr/share/cups/model/manufacturer-PPDs/ -name '*-hpijs.ppd.gz' ) ; \ do hpcups_ppd=$( echo $hpijs_ppd | sed -e 's/-hpijs//' ) ; \ test -s $hpcups_ppd || echo No $hpcups_ppd ; done No /usr/share/cups/model/manufacturer-PPDs/hplip/HP-Fax3.ppd.gz No /usr/share/cups/model/manufacturer-PPDs/hplip/HP-Fax4.ppd.gz No /usr/share/cups/model/manufacturer-PPDs/hplip/HP-Fax2.ppd.gz No /usr/share/cups/model/manufacturer-PPDs/hplip/HP-Fax.ppd.gz --------------------------------------------------------------------------- Off the top of my head I don't know what the /usr/share/cups/model/manufacturer-PPDs/hplip/HP-Fax*-hpijs.ppd.gz are needed for - of course something related to 'faxing' but I assume when HPIJS is deprecated/unmaintained/unsupported by HPLIP upstream then HPLIP implements nowadays maintained faxing support differently e.g. where no PPD file is needed at all for faxing? I keep the old IJS stuff in Ghostscript basically only for the outdated/deprecated/unmaintained/unsupported HPIJS. I think the current security issues are a good reason to get rid of that old/overcomplicated/insecure stuff and drop first HPIJS and then IJS in Ghostscript for openSUSE_Factory -> openSUSE_Tumbleweed. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c13 --- Comment #13 from Johannes Meixner --- Martin Wilck, can you provide some facts behind why you think "lots of printers out there will stop working" regardless that I wrote in comment #11 that "for each HPLIP <model>-hpijs.ppd.gz PPD file there is a matching <model>.ppd.gz PPD file (the PPD files without 'hpijs' use HPCUPS)" so that all models where HPIJS works should be also supported by HPCUPS. In other words: What HP printers out there where HPIJS works do not also work with HPCUPS? In the past when I had a HP inkjet printer I preferred HPIJS for the same reasons and because for my needs it "just worked" so I had no reason to switch to HPCUPS. But I have no longer any inkjet printer (I have a PostScript printer) so I have no longer any personal experience with HPIJS or HPCUPS nor can I test any of them. Simply put: Nowadays I "maintain" HPLIP basically totally blind (HP PostScript printers don't need any HPLIP stuff) which is the reason behind why in practice I do no longer really maintain HPLIP. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c15 --- Comment #15 from Martin Wilck --- My request has been accepted, so the fixed ghostscript is already in the "Printing" project now, and it has actually been forwarded to Factory already. (sr#682815) I've tested some more, and I can confirm that hpijs printing doesn't result in failure any more, and that _only_ /usr/bin/hpijs can be exec'd from gs. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c17 --- Comment #17 from Johannes Meixner --- Martin Wilck, regarding your comment#14 "transition from HPIJS to HPCUPS": In general when a printer driver is dropped existing print queues that use that driver will no longer work, usually with a not really informative "Filter failed" message: --------------------------------------------------------------------------- # lpadmin -p hpijstest -v file:///dev/null \ -P /usr/share/cups/model/manufacturer-PPDs/hplip/hp-910-hpijs.ppd.gz\ -E # echo hello1 | lp -d hpijstest -t test1 # mv /usr/bin/hpijs /usr/bin/hpijs.away # echo hello2 | lp -d hpijstest -t test2 # lpstat -p hpijstest printer hpijstest is idle. enabled since Mon 11 Mar 2019 09:06:11 CET Filter failed # grep PID /var/log/cups/error_log ... D [11/Mar/2019:09:06:11 +0100] [Job 18] PID 8550 \ (/usr/lib/cups/filter/foomatic-rip) stopped with status 9. # less /var/log/cups/error_log ... D [11/Mar/2019:09:06:11 +0100] [Job 18] Starting renderer with command: gs -dShowAcroForm -q -dBATCH -dPARANOIDSAFER -dQUIET -dNOPAUSE -sDEVICE=ijs -sIjsServer=hpijs -dDEVICEWIDTHPOINTS=612 -dDEVICEHEIGHTPOINTS=792 -sDeviceManufacturer=\"HEWLETT-PACKARD\" -sDeviceModel=\"deskjet 3600\" -r300 -sIjsParams=Quality:Quality=0,Quality:ColorMode=2, Quality:MediaType=0,Quality:PenSet=1 -dIjsUseOutputFD -sOutputFile=- /var/spool/cups/tmp/foomatic-h902Zw ... D [11/Mar/2019:09:06:11 +0100] [Job 18] sh: hpijs: command not found D [11/Mar/2019:09:06:11 +0100] [Job 18] GPL Ghostscript 9.26: Can\'t start ijs server \"hpijs\" D [11/Mar/2019:09:06:11 +0100] [Job 18] **** Unable to open the initial device, quitting. D [11/Mar/2019:09:06:11 +0100] [Job 18] renderer exited with status 1 D [11/Mar/2019:09:06:11 +0100] [Job 18] Possible error on renderer command line or PostScript error. Check options.Kid3 exit status: 3 D [11/Mar/2019:09:06:11 +0100] [Job 18] PID 8550 (/usr/lib/cups/filter/foomatic-rip) stopped with status 9. --------------------------------------------------------------------------- Only with "LogLevel debug" one may notice in /var/log/cups/error_log the "sh: hpijs: command not found" which points to the root cause. Currently I have no good idea for a smooth transition from HPIJS to HPCUPS. In particular I have no idea how to tell the user the root cause why his existing HPIJS queue does no longer work. We might first drop the /usr/share/cups/model/manufacturer-PPDs/hplip/*-hpijs.ppd.gz and /usr/share/cups/model/manufacturer-PPDs/hplip-plugin/*-hpijs.ppd.gz PPD files from the hplip-hpijs and hplip RPMs but keep /usr/bin/hpijs so that uses can no longer set up new print queues with HPIJS but existing queues that use HPIJS will still work (PPDs for existing queues are in /etc/cups/ppd/). Then we could wait (how long?) and hope that very most of the existing queues that use HPIJS somehow faded away. Finally we could drop /usr/bin/hpijs (still existing HPIJS queues will then no longer work as described above). -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c21 --- Comment #21 from Johannes Segitz --- (In reply to Martin Wilck from comment #19) I'll move it to a complain only subprofile, then you can test it and provide the audit snippets so we can add the necessary rules. Should be finish in one, two hours -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c31 --- Comment #31 from Johannes Segitz --- (In reply to Martin Wilck from comment #30) I'll keep it in complain mode for now a little longer. I added Christians changes (a little bit more generic via wildcards) and will submit this superseding the last request -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1128467 http://bugzilla.suse.com/show_bug.cgi?id=1128467#c33 Johannes Segitz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |FIXED --- Comment #33 from Johannes Segitz --- (hopefully) fixed. Please reopen otherwise. Thank you Christian for the work here -- You are receiving this mail because: You are on the CC list for the bug.