[packages/cups] - updated to 2.4.16 (fixes CVE-2025-58436 CVE-2025-61915)
qboosh
qboosh at pld-linux.org
Sun Dec 7 21:10:05 CET 2025
commit 25f7833e32b592ea14435a260240990b472d66d9
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Sun Dec 7 21:10:20 2025 +0100
- updated to 2.4.16 (fixes CVE-2025-58436 CVE-2025-61915)
cups-lspp.patch | 512 ++++++--------------------------------------------------
cups.spec | 13 +-
2 files changed, 58 insertions(+), 467 deletions(-)
---
diff --git a/cups.spec b/cups.spec
index b51e080..5a4d682 100644
--- a/cups.spec
+++ b/cups.spec
@@ -16,13 +16,14 @@
Summary(pl.UTF-8): Ogólny system druku dla Uniksa
Summary(pt_BR.UTF-8): Sistema Unix de Impressão
Name: cups
-Version: 2.4.14
+Version: 2.4.16
Release: 1
Epoch: 1
License: LGPL v2 (libraries), GPL v2 (the rest)
Group: Applications/Printing
+#Source0Download: https://github.com/OpenPrinting/cups/releases
Source0: https://github.com/OpenPrinting/cups/releases/download/v%{version}/cups-%{version}-source.tar.gz
-# Source0-md5: ef5f922e5a774b69b30318f440e746ac
+# Source0-md5: 53cccb5d69eaed7e4c6fe66fa12b11c4
Source1: %{name}.init
Source2: %{name}.pamd
Source3: %{name}.logrotate
@@ -651,7 +652,7 @@ fi
%files lib
%defattr(644,root,root,755)
%dir %attr(755,root,lp) %{_sysconfdir}/%{name}
-%attr(755,root,root) %{_libdir}/libcups.so.2
+%{_libdir}/libcups.so.2
%dir %{_datadir}/cups
%lang(ca) %{_localedir}/ca/cups_ca.po
%lang(cs) %{_localedir}/cs/cups_cs.po
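Review bot: Dropping `%attr(755,root,root)` from `%{_libdir}/libcups.so.2` makes the library fall back to the section's `%defattr(644,root,root,755)`, so it is now packaged 0644 instead of 0755, and nothing in the spec or the commit message records that this is deliberate. The next hunk makes the same change to `libcupsimage.so.2`, `libcups.so` and `libcupsimage.so`. A short spec comment such as `# shared libraries are intentionally packaged without the exec bit` would make the intent clear. It is also worth confirming that the ELF provides/requires generation used for this build does not depend on the executable bit, which cannot be checked from this page.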
@@ -668,13 +669,13 @@ fi
%files image-lib
%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/libcupsimage.so.2
+%{_libdir}/libcupsimage.so.2
%files devel
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/cups-config
-%attr(755,root,root) %{_libdir}/libcups.so
-%attr(755,root,root) %{_libdir}/libcupsimage.so
+%{_libdir}/libcups.so
+%{_libdir}/libcupsimage.so
%{_includedir}/cups
%{_pkgconfigdir}/cups.pc
%{_mandir}/man1/cups-config.1*
diff --git a/cups-lspp.patch b/cups-lspp.patch
index 2472a1d..ea9b75c 100644
--- a/cups-lspp.patch
+++ b/cups-lspp.patch
@@ -810,9 +810,8 @@ diff -up cups-2.4.8/scheduler/cupsd.h.lspp cups-2.4.8/scheduler/cupsd.h
#include "mime.h"
#if defined(HAVE_CDSASSL)
-diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
---- cups-2.4.8/scheduler/ipp.c.lspp 2024-05-14 13:15:22.447678849 +0200
-+++ cups-2.4.8/scheduler/ipp.c 2024-05-14 13:15:22.460678917 +0200
+--- cups-2.4.16/scheduler/ipp.c.orig 2025-12-07 20:32:50.178113555 +0100
++++ cups-2.4.16/scheduler/ipp.c 2025-12-07 20:56:20.933804169 +0100
@@ -12,6 +12,9 @@
* information.
*/
@@ -870,7 +869,40 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))",
-@@ -1516,6 +1545,106 @@ add_job(cupsd_client_t *con, /* I - Cl
+@@ -1522,6 +1551,32 @@ add_job(cupsd_client_t *con, /* I - Cl
+ return (NULL);
+ }
+
++#ifdef WITH_LSPP
++ if (is_lspp_config())
++ {
++ /*
++ * duplicate the security context and auid of the connection into the job structure
++ */
++ job->scon = strdup(con->scon);
++ job->auid = con->auid;
++
++ /*
++ * add the security context to the request so that on a restart the security
++ * attributes will be able to be restored
++ */
++ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "security-context",
++ NULL, job->scon);
++ }
++ else
++ {
++ /*
++ * Fill in the security context of the job as unlabeled
++ */
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: setting context of job to %s", UNKNOWN_SL);
++ cupsdSetString(&job->scon, UNKNOWN_SL);
++ }
++#endif /* WITH_LSPP */
++
+ if ((attr = ippFindAttribute(con->request, "print-as-raster", IPP_TAG_BOOLEAN)) != NULL)
+ {
+ if (ippGetBoolean(attr, 0))
+@@ -1536,6 +1591,106 @@ add_job(cupsd_client_t *con, /* I - Cl
attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
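Review bot: The relocated `#ifdef WITH_LSPP` block in add_job() still assigns `job->scon` and `job->auid`, but the last hunk of this file (`@@ -1426,415 +1425,6 @@`) removes the job.h section that adds those fields to `struct cupsd_job_s`. That hunk also removes the job.c sections holding the start_job() `avc_has_perm()` check, the audit messages, the control-file relabelling in cupsdSaveJob() and the `security-context` restore in cupsdLoadJob(). Unless those sections are carried somewhere not visible here, a WITH_LSPP build would presumably fail to compile, or would lose label enforcement if only the struct fields were restored. The commit message mentions only the version update, so please confirm the removal is intended. Separately, `job->scon = strdup(con->scon);` is unchecked: a NULL `con->scon` (set outside this hunk) is undefined behaviour and a NULL result leaves the job without a label, so the request should be failed there, e.g. guarded by `if (!con->scon || (job->scon = strdup(con->scon)) == NULL)`.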
@@ -974,43 +1006,10 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
+ }
+#endif /* WITH_LSPP */
+
- if ((job = cupsdAddJob(priority, printer->name)) == NULL)
- {
- send_ipp_status(con, IPP_INTERNAL_ERROR,
-@@ -1524,6 +1653,32 @@ add_job(cupsd_client_t *con, /* I - Cl
- return (NULL);
- }
-
-+#ifdef WITH_LSPP
-+ if (is_lspp_config())
-+ {
-+ /*
-+ * duplicate the security context and auid of the connection into the job structure
-+ */
-+ job->scon = strdup(con->scon);
-+ job->auid = con->auid;
-+
-+ /*
-+ * add the security context to the request so that on a restart the security
-+ * attributes will be able to be restored
-+ */
-+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "security-context",
-+ NULL, job->scon);
-+ }
-+ else
-+ {
-+ /*
-+ * Fill in the security context of the job as unlabeled
-+ */
-+ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: setting context of job to %s", UNKNOWN_SL);
-+ cupsdSetString(&job->scon, UNKNOWN_SL);
-+ }
-+#endif /* WITH_LSPP */
-+
- if (ippGetBoolean(ippFindAttribute(con->request, "print-as-raster", IPP_TAG_BOOLEAN), 0))
- job->print_as_raster = 1;
-
-@@ -1711,6 +1866,29 @@ add_job(cupsd_client_t *con, /* I - Cl
+ job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE);
+ job->attrs = con->request;
+ job->dirty = 1;
+@@ -1723,6 +1878,29 @@ add_job(cupsd_client_t *con, /* I - Cl
ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
}
@@ -1040,7 +1039,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
job->job_sheets = attr;
-@@ -1741,6 +1919,9 @@ add_job(cupsd_client_t *con, /* I - Cl
+@@ -1753,6 +1931,9 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-sheets=\"%s,none\", "
"job-originating-user-name=\"%s\"",
Classification, job->username);
@@ -1050,7 +1049,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
}
else if (attr->num_values == 2 &&
strcmp(attr->values[0].string.text,
-@@ -1759,6 +1940,9 @@ add_job(cupsd_client_t *con, /* I - Cl
+@@ -1771,6 +1952,9 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-originating-user-name=\"%s\"",
attr->values[0].string.text,
attr->values[1].string.text, job->username);
@@ -1060,7 +1059,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
}
else if (strcmp(attr->values[0].string.text, Classification) &&
strcmp(attr->values[0].string.text, "none") &&
-@@ -1779,6 +1963,9 @@ add_job(cupsd_client_t *con, /* I - Cl
+@@ -1791,6 +1975,9 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-originating-user-name=\"%s\"",
attr->values[0].string.text,
attr->values[1].string.text, job->username);
@@ -1070,7 +1069,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
}
}
else if (strcmp(attr->values[0].string.text, Classification) &&
-@@ -1819,8 +2006,52 @@ add_job(cupsd_client_t *con, /* I - Cl
+@@ -1831,8 +2018,52 @@ add_job(cupsd_client_t *con, /* I - Cl
"job-sheets=\"%s\", "
"job-originating-user-name=\"%s\"",
Classification, job->username);
@@ -1123,7 +1122,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
/*
* See if we need to add the starting sheet...
-@@ -3647,6 +3878,128 @@ check_rss_recipient(
+@@ -3667,6 +3898,128 @@ check_rss_recipient(
}
@@ -1252,7 +1251,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
/*
* 'check_quotas()' - Check quotas for a printer and user.
*/
-@@ -4102,6 +4455,15 @@ copy_banner(cupsd_client_t *con, /* I -
+@@ -4122,6 +4475,15 @@ copy_banner(cupsd_client_t *con, /* I -
char attrname[255], /* Name of attribute */
*s; /* Pointer into name */
ipp_attribute_t *attr; /* Attribute */
@@ -1268,7 +1267,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
cupsdLogMessage(CUPSD_LOG_DEBUG2,
-@@ -4137,6 +4499,85 @@ copy_banner(cupsd_client_t *con, /* I -
+@@ -4157,6 +4519,85 @@ copy_banner(cupsd_client_t *con, /* I -
fchmod(cupsFileNumber(out), 0640);
fchown(cupsFileNumber(out), RunUser, Group);
@@ -1354,7 +1353,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
/*
* Try the localized banner file under the subdirectory...
-@@ -4231,6 +4672,24 @@ copy_banner(cupsd_client_t *con, /* I -
+@@ -4251,6 +4692,24 @@ copy_banner(cupsd_client_t *con, /* I -
else
s = attrname;
@@ -1379,7 +1378,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
if (!strcmp(s, "printer-name"))
{
cupsFilePuts(out, job->dest);
-@@ -6681,6 +7140,22 @@ get_job_attrs(cupsd_client_t *con, /* I
+@@ -6744,6 +7203,22 @@ get_job_attrs(cupsd_client_t *con, /* I
exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username);
@@ -1402,7 +1401,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
/*
* Copy attributes...
*/
-@@ -7079,6 +7554,11 @@ get_jobs(cupsd_client_t *con, /* I - C
+@@ -7142,6 +7617,11 @@ get_jobs(cupsd_client_t *con, /* I - C
if (username[0] && _cups_strcasecmp(username, job->username))
continue;
@@ -1414,7 +1413,7 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
if (count > 0)
ippAddSeparator(con->response);
-@@ -11810,6 +12290,11 @@ validate_user(cupsd_job_t *job, /* I
+@@ -11969,6 +12449,11 @@ validate_user(cupsd_job_t *job, /* I
strlcpy(username, get_username(con), userlen);
@@ -1426,415 +1425,6 @@ diff -up cups-2.4.8/scheduler/ipp.c.lspp cups-2.4.8/scheduler/ipp.c
/*
* Check the username against the owner...
*/
-diff -up cups-2.4.8/scheduler/job.c.lspp cups-2.4.8/scheduler/job.c
---- cups-2.4.8/scheduler/job.c.lspp 2024-04-26 13:38:21.000000000 +0200
-+++ cups-2.4.8/scheduler/job.c 2024-05-14 13:16:41.100084985 +0200
-@@ -9,6 +9,9 @@
- * information.
- */
-
-+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
-+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
-+
- #include "cupsd.h"
- #include <grp.h>
- #include <cups/backend.h>
-@@ -24,6 +27,14 @@
- # endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */
- #endif /* __APPLE__ */
-
-+#ifdef WITH_LSPP
-+#include <libaudit.h>
-+#include <selinux/selinux.h>
-+#include <selinux/context.h>
-+#include <selinux/avc.h>
-+#include <selinux/flask.h>
-+#include <selinux/av_permissions.h>
-+#endif /* WITH_LSPP */
-
- /*
- * Design Notes for Job Management
-@@ -544,6 +555,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I
- /* PRINTER env variable */
- *printer_state_reasons = NULL;
- /* PRINTER_STATE_REASONS env var */
-+#ifdef WITH_LSPP
-+ char *audit_message = NULL; /* Audit message string */
-+ context_t jobcon; /* SELinux context of the job */
-+ char *label_template = NULL; /* SL to put in classification
-+ env var */
-+ const char *mls_label = NULL; /* SL to put in classification
-+ env var */
-+#endif /* WITH_LSPP */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
-@@ -1070,6 +1089,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I
- if (final_content_type[0])
- envp[envc ++] = final_content_type;
-
-+#ifdef WITH_LSPP
-+ if (is_lspp_config())
-+ {
-+ if (!job->scon || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0)
-+ {
-+ if (AuditLog != -1)
-+ {
-+ audit_message = NULL;
-+ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s",
-+ job->id, job->auid, job->username, job->printer->name, title);
-+ audit_log_user_message(AuditLog, AUDIT_USER_UNLABELED_EXPORT, audit_message,
-+ ServerName, NULL, NULL, 1);
-+ cupsdClearString(&audit_message);
-+ }
-+ }
-+ else
-+ {
-+ jobcon = context_new(job->scon);
-+
-+ if ((attr = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME)) == NULL)
-+ label_template = strdup(Classification);
-+ else if (attr->num_values > 1 &&
-+ strcmp(attr->values[1].string.text, "none") != 0)
-+ label_template = strdup(attr->values[1].string.text);
-+ else
-+ label_template = strdup(attr->values[0].string.text);
-+
-+ if (_cups_strcasecmp(label_template, MLS_CONFIG) == 0)
-+ mls_label = context_range_get(jobcon);
-+ else if (_cups_strcasecmp(label_template, TE_CONFIG) == 0)
-+ mls_label = context_type_get(jobcon);
-+ else if (_cups_strcasecmp(label_template, SELINUX_CONFIG) == 0)
-+ mls_label = context_str(jobcon);
-+ else
-+ mls_label = label_template;
-+
-+ if (mls_label && (PerPageLabels || banner_page))
-+ {
-+ snprintf(classification, sizeof(classification), "CLASSIFICATION=LSPP:%s", mls_label);
-+ envp[envc ++] = classification;
-+ }
-+
-+ if ((AuditLog != -1) && !banner_page)
-+ {
-+ audit_message = NULL;
-+ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s"
-+ " obj=%s label=%s", job->id, job->auid, job->username,
-+ job->printer->name, title, job->scon, mls_label?mls_label:"none");
-+ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message,
-+ ServerName, NULL, NULL, 1);
-+ cupsdClearString(&audit_message);
-+ }
-+ context_free(jobcon);
-+ free(label_template);
-+ }
-+ }
-+ else
-+ /*
-+ * Fall through to the non-LSPP behavior
-+ */
-+#endif /* WITH_LSPP */
- if (Classification && !banner_page)
- {
- if ((attr = ippFindAttribute(job->attrs, "job-sheets",
-@@ -1856,6 +1936,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J
- ippSetString(job->attrs, &job->reasons, 0, "job-completed-successfully");
- }
-
-+#ifdef WITH_LSPP
-+ if ((attr = ippFindAttribute(job->attrs, "security-context", IPP_TAG_NAME)) != NULL)
-+ cupsdSetString(&job->scon, attr->values[0].string.text);
-+ else if (is_lspp_config())
-+ {
-+ /*
-+ * There was no security context so delete the job
-+ */
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Missing or bad security-context attribute "
-+ "in control file \"%s\"!",
-+ jobfile);
-+ goto error;
-+ }
-+#endif /* WITH_LSPP */
-+
- job->impressions = ippFindAttribute(job->attrs, "job-impressions-completed", IPP_TAG_INTEGER);
- job->sheets = ippFindAttribute(job->attrs, "job-media-sheets-completed", IPP_TAG_INTEGER);
- job->job_sheets = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME);
-@@ -2268,6 +2364,14 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J
- {
- char filename[1024]; /* Job control filename */
- cups_file_t *fp; /* Job file */
-+#ifdef WITH_LSPP
-+ security_context_t spoolcon; /* context of the job control file */
-+ context_t jobcon; /* contex_t container for job->scon */
-+ context_t tmpcon; /* Temp context to swap the level */
-+ char *jobclearance; /* SELinux low end clearance */
-+ const char *jobrange; /* SELinux sensitivity range */
-+ char *jobrange_copy; /* SELinux sensitivity range */
-+#endif /* WITH_LSPP */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p(%d)): job->attrs=%p",
-@@ -2290,6 +2394,78 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J
-
- fchown(cupsFileNumber(fp), RunUser, Group);
-
-+#ifdef WITH_LSPP
-+ if (job->scon && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
-+ {
-+ if (getfilecon(filename, &spoolcon) == -1)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to get context of job control file \"%s\" - %s.",
-+ filename, strerror(errno));
-+ return;
-+ }
-+ jobcon = context_new(job->scon);
-+ tmpcon = context_new(spoolcon);
-+ freecon(spoolcon);
-+ if (!jobcon || !tmpcon)
-+ {
-+ if (jobcon)
-+ context_free(jobcon);
-+ if (tmpcon)
-+ context_free(tmpcon);
-+ cupsdLogJob(job, CUPSD_LOG_ERROR, "Unable to get SELinux contexts");
-+ return;
-+ }
-+ jobrange = context_range_get(jobcon);
-+ if (jobrange)
-+ {
-+ jobrange_copy = strdup(jobrange);
-+ if ((jobclearance = strtok(jobrange_copy, "-")) != NULL)
-+ {
-+ if (context_range_set(tmpcon, jobclearance) == -1)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to set the range for "
-+ "job control file \"%s\" - %s.",
-+ filename, strerror(errno));
-+ free(jobrange_copy);
-+ context_free(tmpcon);
-+ context_free(jobcon);
-+ return;
-+ }
-+ }
-+ else
-+ {
-+ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to set the range for "
-+ "job control file \"%s\" - %s.",
-+ filename, strerror(errno));
-+ free(jobrange_copy);
-+ context_free(tmpcon);
-+ context_free(jobcon);
-+ return;
-+ }
-+ }
-+ free(jobrange_copy);
-+ }
-+ if (setfilecon(filename, context_str(tmpcon)) == -1)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to set context of job control file \"%s\" - %s.",
-+ filename, strerror(errno));
-+ context_free(tmpcon);
-+ context_free(jobcon);
-+ return;
-+ }
-+ cupsdLogJob(job, CUPSD_LOG_DEBUG2, "New spool file context=%s",
-+ context_str(tmpcon));
-+ context_free(tmpcon);
-+ context_free(jobcon);
-+ }
-+#endif /* WITH_LSPP */
-+
- job->attrs->state = IPP_IDLE;
-
- if (ippWriteIO(fp, (ipp_iocb_t)cupsFileWrite, 1, NULL,
-@@ -4020,6 +4196,19 @@ get_options(cupsd_job_t *job, /* I - Jo
- banner_page)
- continue;
-
-+#ifdef WITH_LSPP
-+ /*
-+ * In LSPP mode refuse to honor the page-label
-+ */
-+ if (is_lspp_config() &&
-+ !strcmp(attr->name, "page-label"))
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_DEBUG,
-+ "Ignoring page-label option due to LSPP mode");
-+ continue;
-+ }
-+#endif /* WITH_LSPP */
-+
- /*
- * Otherwise add them to the list...
- */
-@@ -4834,6 +5023,18 @@ start_job(cupsd_job_t *job, /* I -
- cupsd_printer_t *printer) /* I - Printer to print job */
- {
- const char *filename; /* Support filename */
-+#ifdef WITH_LSPP
-+ char *audit_message = NULL; /* Audit message string */
-+ char *printerfile = NULL; /* Device file pointed to by the printer */
-+ security_id_t clisid; /* SELinux SID for the client */
-+ security_id_t psid; /* SELinux SID for the printer */
-+ context_t printercon; /* Printer's context string */
-+ struct stat printerstat; /* Printer's stat buffer */
-+ security_context_t devcon; /* Printer's SELinux context */
-+ struct avc_entry_ref avcref; /* Pointer to the access vector cache */
-+ security_class_t tclass; /* Object class for the SELinux check */
-+ access_vector_t avr; /* Access method being requested */
-+#endif /* WITH_LSPP */
- ipp_attribute_t *cancel_after = ippFindAttribute(job->attrs,
- "job-cancel-after",
- IPP_TAG_INTEGER);
-@@ -5022,6 +5223,113 @@ start_job(cupsd_job_t *job, /* I -
- fcntl(job->side_pipes[1], F_SETFD,
- fcntl(job->side_pipes[1], F_GETFD) | FD_CLOEXEC);
-
-+#ifdef WITH_LSPP
-+ if (is_lspp_config())
-+ {
-+ /*
-+ * Perform an access check before printing, but only if the printer starts with /dev/
-+ */
-+ printerfile = strstr(printer->device_uri, "/dev/");
-+ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0))
-+ printerfile = printer->device_uri + strlen("file:");
-+
-+ if (printerfile != NULL)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_DEBUG,
-+ "Attempting to check access on printer device %s",
-+ printerfile);
-+ if (lstat(printerfile, &printerstat) < 0)
-+ {
-+ if (errno != ENOENT)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to stat the printer");
-+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
-+ return ;
-+ }
-+ /*
-+ * The printer does not exist, so for now assume it's a FileDevice
-+ */
-+ tclass = SECCLASS_FILE;
-+ avr = FILE__WRITE;
-+ }
-+ else if (S_ISCHR(printerstat.st_mode))
-+ {
-+ tclass = SECCLASS_CHR_FILE;
-+ avr = CHR_FILE__WRITE;
-+ }
-+ else if (S_ISREG(printerstat.st_mode))
-+ {
-+ tclass = SECCLASS_FILE;
-+ avr = FILE__WRITE;
-+ }
-+ else
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "StartJob: Printer is not a character device or "
-+ "regular file");
-+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
-+ return ;
-+ }
-+ static int avc_initialized = 0;
-+ if (!avc_initialized++)
-+ avc_init("cupsd_dequeue_", NULL, NULL, NULL, NULL);
-+ avc_entry_ref_init(&avcref);
-+ if (avc_context_to_sid(job->scon, &clisid) != 0)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to determine the SELinux sid for the job");
-+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
-+ return ;
-+ }
-+ if (getfilecon(printerfile, &devcon) == -1)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to get the SELinux context of %s",
-+ printerfile);
-+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
-+ return ;
-+ }
-+ printercon = context_new(devcon);
-+ cupsdLogJob(job, CUPSD_LOG_DEBUG,
-+ "Printer context %s client context %s",
-+ context_str(printercon), job->scon);
-+ context_free(printercon);
-+
-+ if (avc_context_to_sid(devcon, &psid) != 0)
-+ {
-+ cupsdLogJob(job, CUPSD_LOG_ERROR,
-+ "Unable to determine the SELinux sid for the printer");
-+ freecon(devcon);
-+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
-+ return ;
-+ }
-+ freecon(devcon);
-+
-+ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0)
-+ {
-+ /*
-+ * The access check failed, so cancel the job and send an audit message
-+ */
-+ if (AuditLog != -1)
-+ {
-+ audit_message = NULL;
-+ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s obj=%s canceled"
-+ " unable to access printer=%s", job->id,
-+ job->auid, (job->username)?job->username:"?", job->scon, printer->name);
-+ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message,
-+ ServerName, NULL, NULL, 0);
-+ cupsdClearString(&audit_message);
-+ }
-+
-+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
-+
-+ return ;
-+ }
-+ }
-+ }
-+#endif /* WITH_LSPP */
-+
- /*
- * Now start the first file in the job...
- */
-diff -up cups-2.4.8/scheduler/job.h.lspp cups-2.4.8/scheduler/job.h
---- cups-2.4.8/scheduler/job.h.lspp 2024-04-26 13:38:21.000000000 +0200
-+++ cups-2.4.8/scheduler/job.h 2024-05-14 13:15:22.461678922 +0200
-@@ -8,6 +8,13 @@
- * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
- */
-
-+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
-+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
-+
-+#ifdef WITH_LSPP
-+#include <selinux/selinux.h>
-+#endif /* WITH_LSPP */
-+
- /*
- * Constants...
- */
-@@ -85,6 +92,10 @@ struct cupsd_job_s /**** Job request *
- int progress; /* Printing progress */
- int num_keywords; /* Number of PPD keywords */
- cups_option_t *keywords; /* PPD keywords */
-+#ifdef WITH_LSPP
-+ security_context_t scon; /* Security context of job */
-+ uid_t auid; /* Audit loginuid for this job */
-+#endif /* WITH_LSPP */
- };
-
- typedef struct cupsd_joblog_s /**** Job log message ****/
diff -up cups-2.4.8/scheduler/main.c.lspp cups-2.4.8/scheduler/main.c
--- cups-2.4.8/scheduler/main.c.lspp 2024-04-26 13:38:21.000000000 +0200
+++ cups-2.4.8/scheduler/main.c 2024-05-14 13:15:22.461678922 +0200
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/cups.git/commitdiff/25f7833e32b592ea14435a260240990b472d66d9