rpms/cups
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS cups-2.3.3op2-30.el9

Browse Source
This commit is contained in:
eabdullin 2024-09-30 15:18:37 +00:00
parent 5bf77a1bed
commit ff419e214d
7 changed files with 547 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
SOURCES/0001-Fix-domain-socket-handling.patch Normal file
View File

@ -0,0 +1,86 @@
diff --git a/cups/http-addr.c b/cups/http-addr.c
index 86749c848..5b035e02b 100644
--- a/cups/http-addr.c
+++ b/cups/http-addr.c
@@ -196,31 +196,29 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */
{
mode_t mask; /* Umask setting */
- /*
- * Remove any existing domain socket file...
- */
-
- unlink(addr->un.sun_path);
-
- /*
- * Save the current umask and set it to 0 so that all users can access
- * the domain socket...
- */
-
- mask = umask(0);
-
- /*
- * Bind the domain socket...
- */
+ // Remove any existing domain socket file...
+ if ((status = unlink(addr->un.sun_path)) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ if (errno == ENOENT)
+ status = 0;
+ }
- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
+ if (!status)
+ {
+ // Save the current umask and set it to 0 so that all users can access
+ // the domain socket...
+ mask = umask(0);
- /*
- * Restore the umask and fix permissions...
- */
+ // Bind the domain socket...
+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
+ {
+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
+ }
- umask(mask);
- chmod(addr->un.sun_path, 0140777);
+ // Restore the umask...
+ umask(mask);
+ }
}
else
#endif /* AF_LOCAL */
diff --git a/scheduler/conf.c b/scheduler/conf.c
index bb6049b2c..4c703c9b9 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3062,6 +3062,25 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
cupsd_listener_t *lis; /* New listeners array */
+ /*
+ * If we are launched on-demand, do not use domain sockets from the config
+ * file. Also check that the domain socket path is not too long...
+ */
+
+#ifdef HAVE_ONDEMAND
+ if (*value == '/' && OnDemand)
+ {
+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
+ continue;
+ }
+#endif // HAVE_ONDEMAND
+
+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
+ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
+ continue;
+ }
/*
* Get the address list...

32
SOURCES/0001-cups-dest.c-Write-data-into-etc-cups-lpoptions-if-we.patch Normal file
View File

@ -0,0 +1,32 @@
From 8ae6eb11184dcbd9eaf3c6badd4fad59fcc3863a Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Mon, 15 Aug 2022 17:38:12 +0200
Subject: [PATCH] cups/dest.c: Write data into /etc/cups/lpoptions if we're
root
Fixes #454 , the patch is created by Yair Yarom
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008053).
---
cups/dest.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cups/dest.c b/cups/dest.c
index f563ce226..a9273ff93 100644
--- a/cups/dest.c
+++ b/cups/dest.c
@@ -2080,7 +2080,11 @@ cupsSetDests2(http_t *http, /* I - Connection to server or @code CUPS_HTTP_
snprintf(filename, sizeof(filename), "%s/lpoptions", cg->cups_serverroot);
- if (cg->home)
+ if (cg->home
+#ifndef _WIN32
+ && getuid() != 0
+#endif /* !_WIN32 */
+ )
{
/*
* Create ~/.cups subdirectory...
--
2.44.0

64
SOURCES/0001-scheduler-Fix-sending-response-headers-to-client.patch Normal file
View File

@ -0,0 +1,64 @@
From d60341b3355fd8825bec00792f301ef99d715a93 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 3 Apr 2024 10:39:24 +0200
Subject: [PATCH] scheduler: Fix sending response headers to client
Sometimes headers are not correctly copied into response to the client
(some are missing). It happens because `sent_header` is set prematurely
before the actual send happens. The present code in affected `cupsdWriteClient`
scope looks like code remains from CUPS 1.6.3.
With the change, testing via curl gives reliable results all time.
---
scheduler/client.c | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/scheduler/client.c b/scheduler/client.c
index 62ac21c69..e7e312b8e 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2400,23 +2400,12 @@ cupsdWriteClient(cupsd_client_t *con) /* I - Client connection */
httpSetField(con->http, field, value);
if (field == HTTP_FIELD_LOCATION)
- {
con->pipe_status = HTTP_STATUS_SEE_OTHER;
- con->sent_header = 2;
- }
- else
- con->sent_header = 1;
}
else if (!_cups_strcasecmp(con->header, "Status") && value)
- {
con->pipe_status = (http_status_t)atoi(value);
- con->sent_header = 2;
- }
else if (!_cups_strcasecmp(con->header, "Set-Cookie") && value)
- {
httpSetCookie(con->http, value);
- con->sent_header = 1;
- }
}
/*
@@ -2451,6 +2440,8 @@ cupsdWriteClient(cupsd_client_t *con) /* I - Client connection */
cupsdCloseClient(con);
return;
}
+
+ con->sent_header = 1;
}
else
{
@@ -2459,6 +2450,8 @@ cupsdWriteClient(cupsd_client_t *con) /* I - Client connection */
cupsdCloseClient(con);
return;
}
+
+ con->sent_header = 1;
}
}
else
--
2.44.0

94
SOURCES/cups-check-for-listeners.patch Normal file
View File

@ -0,0 +1,94 @@
diff --git a/scheduler/conf.c b/scheduler/conf.c
index c113eb3..77ce179 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -573,6 +573,18 @@ cupsdReadConfiguration(void)
cupsdDeleteAllListeners();
+ /*
+ * Allocate Listeners array
+ */
+
+ Listeners = cupsArrayNew(NULL, NULL);
+
+ if (!Listeners)
+ {
+ fprintf(stderr, "Unable to allocate memory for array Listeners.\n");
+ return (0);
+ }
+
old_remote_port = RemotePort;
RemotePort = 0;
@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void)
}
}
- /*
- * Check that we have at least one listen/port line; if not, report this
- * as an error and exit!
- */
-
- if (cupsArrayCount(Listeners) == 0)
- {
- /*
- * No listeners!
- */
-
- cupsdLogMessage(CUPSD_LOG_EMERG,
- "No valid Listen or Port lines were found in the "
- "configuration file.");
-
- /*
- * Commit suicide...
- */
-
- cupsdEndProcess(getpid(), 0);
- }
-
/*
* Set the default locale using the language and charset...
*/
@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
* Allocate another listener...
*/
- if (!Listeners)
- Listeners = cupsArrayNew(NULL, NULL);
-
- if (!Listeners)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to allocate %s at line %d - %s.",
- line, linenum, strerror(errno));
- break;
- }
-
if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
diff --git a/scheduler/main.c b/scheduler/main.c
index a6e2c3a..b935c52 100644
--- a/scheduler/main.c
+++ b/scheduler/main.c
@@ -2113,6 +2113,21 @@ service_checkin(void)
service_add_listener(fd, 0);
}
#endif /* HAVE_LAUNCHD */
+
+ if (cupsArrayCount(Listeners) == 0)
+ {
+ /*
+ * No listeners!
+ */
+
+ cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present.");
+
+ /*
+ * Commit suicide...
+ */
+
+ cupsdEndProcess(getpid(), 0);
+ }
}

362
SOURCES/cups-lspp.patch
View File

@ -1,21 +1,21 @@
diff -up cups-2.3.0/config.h.in.lspp cups-2.3.0/config.h.in diff --git a/Makedefs.in b/Makedefs.in
--- cups-2.3.0/config.h.in.lspp 2019-08-23 17:19:38.000000000 +0200 index d1b1ae9..4dba556 100644
+++ cups-2.3.0/config.h.in 2019-10-07 12:24:43.058597468 +0200 --- a/Makedefs.in
@@ -684,4 +684,11 @@ static __inline int _cups_abs(int i) { r +++ b/Makedefs.in
# endif /* __GNUC__ || __STDC_VERSION__ */ @@ -161,7 +161,7 @@ ARFLAGS = @ARFLAGS@
#endif /* !HAVE_ABS && !abs */ BACKLIBS = @BACKLIBS@
BUILDDIRS = @BUILDDIRS@
+/* CFLAGS = @CPPFLAGS@ @CFLAGS@
+ * Are we trying to meet LSPP requirements? -COMMONLIBS = @LIBS@
+ */ +COMMONLIBS = @LIBS@ @LIBAUDIT@ @LIBSELINUX@
+ CXXFLAGS = @CPPFLAGS@ @CXXFLAGS@
+#undef WITH_LSPP CXXLIBS = @CXXLIBS@
+ DBUS_NOTIFIER = @DBUS_NOTIFIER@
+ diff --git a/config-scripts/cups-lspp.m4 b/config-scripts/cups-lspp.m4
#endif /* !_CUPS_CONFIG_H_ */ new file mode 100644
diff -up cups-2.3.0/config-scripts/cups-lspp.m4.lspp cups-2.3.0/config-scripts/cups-lspp.m4 index 0000000..55bd1bb
--- cups-2.3.0/config-scripts/cups-lspp.m4.lspp 2019-10-07 12:24:43.058597468 +0200 --- /dev/null
+++ cups-2.3.0/config-scripts/cups-lspp.m4 2019-10-07 12:24:43.058597468 +0200 +++ b/config-scripts/cups-lspp.m4
@@ -0,0 +1,36 @@ @@ -0,0 +1,36 @@
+dnl +dnl
+dnl LSPP code for the Common UNIX Printing System (CUPS). +dnl LSPP code for the Common UNIX Printing System (CUPS).
@ -40,7 +40,7 @@ diff -up cups-2.3.0/config-scripts/cups-lspp.m4.lspp cups-2.3.0/config-scripts/c
+AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no]) +AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no])
+ +
+if test x"$enable_lspp" != xno; then +if test x"$enable_lspp" != xno; then
+ case "$uname" in + case "$(uname)" in
+ Linux) + Linux)
+ AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)]) + AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)])
+ AC_CHECK_HEADER(libaudit.h) + AC_CHECK_HEADER(libaudit.h)
@ -53,10 +53,28 @@ diff -up cups-2.3.0/config-scripts/cups-lspp.m4.lspp cups-2.3.0/config-scripts/c
+ ;; + ;;
+ esac + esac
+fi +fi
diff -up cups-2.3.0/configure.ac.lspp cups-2.3.0/configure.ac diff --git a/config.h.in b/config.h.in
--- cups-2.3.0/configure.ac.lspp 2019-10-07 12:24:43.058597468 +0200 index 6343e6d..1be3ca1 100644
+++ cups-2.3.0/configure.ac 2019-10-07 12:39:20.122546282 +0200 --- a/config.h.in
@@ -34,6 +34,8 @@ sinclude(config-scripts/cups-dnssd.m4) +++ b/config.h.in
@@ -693,4 +693,12 @@ static __inline int _cups_abs(int i) { return (i < 0 ? -i : i); }
# endif /* __GNUC__ || __STDC_VERSION__ */
#endif /* !HAVE_ABS && !abs */
+
+/*
+ * Are we trying to meet LSPP requirements?
+ */
+
+#undef WITH_LSPP
+
+
#endif /* !_CUPS_CONFIG_H_ */
diff --git a/configure.ac b/configure.ac
index 93a4b97..47587c9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -35,6 +35,8 @@ sinclude(config-scripts/cups-dnssd.m4)
sinclude(config-scripts/cups-startup.m4) sinclude(config-scripts/cups-startup.m4)
sinclude(config-scripts/cups-defaults.m4) sinclude(config-scripts/cups-defaults.m4)
@ -65,9 +83,10 @@ diff -up cups-2.3.0/configure.ac.lspp cups-2.3.0/configure.ac
INSTALL_LANGUAGES="" INSTALL_LANGUAGES=""
UNINSTALL_LANGUAGES="" UNINSTALL_LANGUAGES=""
LANGFILES="" LANGFILES=""
diff -up cups-2.3.0/filter/common.c.lspp cups-2.3.0/filter/common.c diff --git a/filter/common.c b/filter/common.c
--- cups-2.3.0/filter/common.c.lspp 2019-08-23 17:19:38.000000000 +0200 index 672b7c8..f323abd 100644
+++ cups-2.3.0/filter/common.c 2019-10-07 12:24:43.059597461 +0200 --- a/filter/common.c
+++ b/filter/common.c
@@ -11,6 +11,12 @@ @@ -11,6 +11,12 @@
* Include necessary headers... * Include necessary headers...
*/ */
@ -81,7 +100,7 @@ diff -up cups-2.3.0/filter/common.c.lspp cups-2.3.0/filter/common.c
#include "common.h" #include "common.h"
#include <locale.h> #include <locale.h>
@@ -293,6 +299,18 @@ WriteLabelProlog(const char *label, /* I @@ -293,6 +299,18 @@ WriteLabelProlog(const char *label, /* I - Page label */
{ {
const char *classification; /* CLASSIFICATION environment variable */ const char *classification; /* CLASSIFICATION environment variable */
const char *ptr; /* Temporary string pointer */ const char *ptr; /* Temporary string pointer */
@ -100,7 +119,7 @@ diff -up cups-2.3.0/filter/common.c.lspp cups-2.3.0/filter/common.c
/* /*
@@ -315,6 +333,124 @@ WriteLabelProlog(const char *label, /* I @@ -315,6 +333,124 @@ WriteLabelProlog(const char *label, /* I - Page label */
return; return;
} }
@ -221,11 +240,11 @@ diff -up cups-2.3.0/filter/common.c.lspp cups-2.3.0/filter/common.c
+ else + else
+ { + {
+#endif /* !WITH_LSPP */ +#endif /* !WITH_LSPP */
+ +
/* /*
* Set the classification + page label string... * Set the classification + page label string...
*/ */
@@ -395,7 +531,10 @@ WriteLabelProlog(const char *label, /* I @@ -395,7 +531,10 @@ WriteLabelProlog(const char *label, /* I - Page label */
printf(" %.0f moveto ESPpl show\n", top - 14.0); printf(" %.0f moveto ESPpl show\n", top - 14.0);
puts("pop"); puts("pop");
puts("}bind put"); puts("}bind put");
@ -236,10 +255,11 @@ diff -up cups-2.3.0/filter/common.c.lspp cups-2.3.0/filter/common.c
/* /*
diff -up cups-2.3.0/filter/pstops.c.lspp cups-2.3.0/filter/pstops.c diff --git a/filter/pstops.c b/filter/pstops.c
--- cups-2.3.0/filter/pstops.c.lspp 2019-08-23 17:19:38.000000000 +0200 index d251abb..8afff4a 100644
+++ cups-2.3.0/filter/pstops.c 2019-10-07 12:24:43.059597461 +0200 --- a/filter/pstops.c
@@ -3170,6 +3170,18 @@ write_label_prolog(pstops_doc_t *doc, /* +++ b/filter/pstops.c
@@ -3170,6 +3170,18 @@ write_label_prolog(pstops_doc_t *doc, /* I - Document info */
{ {
const char *classification; /* CLASSIFICATION environment variable */ const char *classification; /* CLASSIFICATION environment variable */
const char *ptr; /* Temporary string pointer */ const char *ptr; /* Temporary string pointer */
@ -258,7 +278,7 @@ diff -up cups-2.3.0/filter/pstops.c.lspp cups-2.3.0/filter/pstops.c
/* /*
@@ -3192,6 +3204,124 @@ write_label_prolog(pstops_doc_t *doc, /* @@ -3192,6 +3204,124 @@ write_label_prolog(pstops_doc_t *doc, /* I - Document info */
return; return;
} }
@ -383,7 +403,7 @@ diff -up cups-2.3.0/filter/pstops.c.lspp cups-2.3.0/filter/pstops.c
/* /*
* Set the classification + page label string... * Set the classification + page label string...
*/ */
@@ -3270,7 +3400,10 @@ write_label_prolog(pstops_doc_t *doc, /* @@ -3270,7 +3400,10 @@ write_label_prolog(pstops_doc_t *doc, /* I - Document info */
doc_printf(doc, " %.0f moveto ESPpl show\n", top - 14.0); doc_printf(doc, " %.0f moveto ESPpl show\n", top - 14.0);
doc_puts(doc, "pop\n"); doc_puts(doc, "pop\n");
doc_puts(doc, "}bind put\n"); doc_puts(doc, "}bind put\n");
@ -394,21 +414,10 @@ diff -up cups-2.3.0/filter/pstops.c.lspp cups-2.3.0/filter/pstops.c
/* /*
diff -up cups-2.3.0/Makedefs.in.lspp cups-2.3.0/Makedefs.in diff --git a/scheduler/client.c b/scheduler/client.c
--- cups-2.3.0/Makedefs.in.lspp 2019-10-07 12:24:43.059597461 +0200 index cef4115..e186e4c 100644
+++ cups-2.3.0/Makedefs.in 2019-10-07 12:37:19.200565805 +0200 --- a/scheduler/client.c
@@ -174,7 +174,7 @@ IPPFIND_MAN = @IPPFIND_MAN@ +++ b/scheduler/client.c
LDFLAGS = @LDFLAGS@
LINKCUPS = @LINKCUPS@
LINKCUPSSTATIC = ../cups/$(LIBCUPSSTATIC) $(LIBS)
-LIBS = $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ) $(COMMONLIBS)
+LIBS = $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ) $(COMMONLIBS) @LIBAUDIT@ @LIBSELINUX@
ONDEMANDFLAGS = @ONDEMANDFLAGS@
ONDEMANDLIBS = @ONDEMANDLIBS@
OPTIM = @OPTIM@
diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
--- cups-2.3.0/scheduler/client.c.lspp 2019-08-23 17:19:38.000000000 +0200
+++ cups-2.3.0/scheduler/client.c 2019-10-07 12:33:10.459693580 +0200
@@ -19,12 +19,20 @@ @@ -19,12 +19,20 @@
#define _HTTP_NO_PRIVATE #define _HTTP_NO_PRIVATE
#include "cupsd.h" #include "cupsd.h"
@ -430,7 +439,7 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
/* /*
@@ -265,6 +273,59 @@ cupsdAcceptClient(cupsd_listener_t *lis) @@ -263,6 +271,59 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
} }
#endif /* HAVE_TCPD_H */ #endif /* HAVE_TCPD_H */
@ -464,7 +473,7 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
+ httpClose(con->http); + httpClose(con->http);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "getsockopt() failed"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "getsockopt() failed");
+ free(con); + free(con);
+ return; + return;
+ } + }
+ +
+ /* + /*
@ -475,7 +484,7 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
+ httpClose(con->http); + httpClose(con->http);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "getpeercon() failed"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "getpeercon() failed");
+ free(con); + free(con);
+ return; + return;
+ } + }
+ +
+ cupsdLogClient(con, CUPSD_LOG_INFO, "client context=%s", con->scon); + cupsdLogClient(con, CUPSD_LOG_INFO, "client context=%s", con->scon);
@ -490,7 +499,19 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
#ifdef AF_LOCAL #ifdef AF_LOCAL
if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
{ {
@@ -558,6 +619,13 @@ cupsdReadClient(cupsd_client_t *con) /* @@ -517,6 +578,11 @@ cupsdCloseClient(cupsd_client_t *con) /* I - Client to close */
}
#endif /* HAVE_AUTHORIZATION_H */
+#ifdef WITH_LSPP
+ if (con->scon)
+ cupsdClearString(&con->scon);
+#endif /* WITH_LSPP */
+
/*
* Re-enable new client connections if we are going back under the
* limit...
@@ -556,6 +622,13 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
struct stat filestats; /* File information */ struct stat filestats; /* File information */
mime_type_t *type; /* MIME type of file */ mime_type_t *type; /* MIME type of file */
static unsigned request_id = 0; /* Request ID for temp files */ static unsigned request_id = 0; /* Request ID for temp files */
@ -504,10 +525,10 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
status = HTTP_STATUS_CONTINUE; status = HTTP_STATUS_CONTINUE;
@@ -1679,6 +1747,73 @@ cupsdReadClient(cupsd_client_t *con) /* @@ -1675,7 +1748,73 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
fchmod(con->file, 0640);
fchown(con->file, RunUser, Group);
fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC); fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
}
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+ if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) + if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
+ { + {
@ -568,17 +589,17 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
+ cupsdCloseClient(con); + cupsdCloseClient(con);
+ return; + return;
+ } + }
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "%s set to %s", + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "%s set to %s",
+ con->filename, context_str(tmpcon)); + con->filename, context_str(tmpcon));
+ context_free(tmpcon); + context_free(tmpcon);
+ context_free(clicon); + context_free(clicon);
+ } }
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
+ + }
if (httpGetState(con->http) != HTTP_STATE_POST_SEND) if (httpGetState(con->http) != HTTP_STATE_POST_SEND)
{ {
if (!httpWait(con->http, 0)) @@ -3173,6 +3312,49 @@ is_path_absolute(const char *path) /* I - Input path */
@@ -3174,6 +3309,49 @@ is_path_absolute(const char *path) /* I
return (1); return (1);
} }
@ -628,9 +649,10 @@ diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
/* /*
* 'pipe_command()' - Pipe the output of a command to the remote client. * 'pipe_command()' - Pipe the output of a command to the remote client.
diff -up cups-2.3.0/scheduler/client.h.lspp cups-2.3.0/scheduler/client.h diff --git a/scheduler/client.h b/scheduler/client.h
--- cups-2.3.0/scheduler/client.h.lspp 2019-08-23 17:19:38.000000000 +0200 index fc7af54..c665d0c 100644
+++ cups-2.3.0/scheduler/client.h 2019-10-07 12:24:43.113597079 +0200 --- a/scheduler/client.h
+++ b/scheduler/client.h
@@ -13,6 +13,13 @@ @@ -13,6 +13,13 @@
#endif /* HAVE_AUTHORIZATION_H */ #endif /* HAVE_AUTHORIZATION_H */
@ -656,19 +678,21 @@ diff -up cups-2.3.0/scheduler/client.h.lspp cups-2.3.0/scheduler/client.h
}; };
#define HTTP(con) ((con)->http) #define HTTP(con) ((con)->http)
@@ -136,6 +147,9 @@ extern void cupsdStartListening(void); @@ -137,6 +148,10 @@ extern void cupsdStopListening(void);
extern void cupsdStopListening(void);
extern void cupsdUpdateCGI(void); extern void cupsdUpdateCGI(void);
extern void cupsdWriteClient(cupsd_client_t *con); extern void cupsdWriteClient(cupsd_client_t *con);
+#ifdef WITH_LSPP +#ifdef WITH_LSPP
+extern uid_t client_pid_to_auid(pid_t clipid); +extern uid_t client_pid_to_auid(pid_t clipid);
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
+
#ifdef HAVE_SSL #ifdef HAVE_SSL
extern int cupsdEndTLS(cupsd_client_t *con); extern int cupsdEndTLS(cupsd_client_t *con);
diff -up cups-2.3.0/scheduler/conf.c.lspp cups-2.3.0/scheduler/conf.c extern int cupsdStartTLS(cupsd_client_t *con);
--- cups-2.3.0/scheduler/conf.c.lspp 2019-10-07 12:24:43.049597531 +0200 diff --git a/scheduler/conf.c b/scheduler/conf.c
+++ cups-2.3.0/scheduler/conf.c 2019-10-07 12:24:43.113597079 +0200 index 21386cd..a52e9a6 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -37,6 +37,9 @@ @@ -37,6 +37,9 @@
# define INADDR_NONE 0xffffffff # define INADDR_NONE 0xffffffff
#endif /* !INADDR_NONE */ #endif /* !INADDR_NONE */
@ -700,7 +724,7 @@ diff -up cups-2.3.0/scheduler/conf.c.lspp cups-2.3.0/scheduler/conf.c
/* /*
@@ -864,6 +874,25 @@ cupsdReadConfiguration(void) @@ -877,6 +887,25 @@ cupsdReadConfiguration(void)
RunUser = getuid(); RunUser = getuid();
@ -726,7 +750,7 @@ diff -up cups-2.3.0/scheduler/conf.c.lspp cups-2.3.0/scheduler/conf.c
cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.", cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
RemotePort ? "enabled" : "disabled"); RemotePort ? "enabled" : "disabled");
@@ -1275,7 +1304,19 @@ cupsdReadConfiguration(void) @@ -1269,7 +1298,19 @@ cupsdReadConfiguration(void)
cupsdClearString(&Classification); cupsdClearString(&Classification);
if (Classification) if (Classification)
@ -746,7 +770,7 @@ diff -up cups-2.3.0/scheduler/conf.c.lspp cups-2.3.0/scheduler/conf.c
/* /*
* Check the MaxClients setting, and then allocate memory for it... * Check the MaxClients setting, and then allocate memory for it...
@@ -3830,6 +3871,18 @@ read_location(cups_file_t *fp, /* I - C @@ -3857,6 +3898,18 @@ read_location(cups_file_t *fp, /* I - Configuration file */
return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum); return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum);
} }
@ -765,10 +789,11 @@ diff -up cups-2.3.0/scheduler/conf.c.lspp cups-2.3.0/scheduler/conf.c
/* /*
* 'read_policy()' - Read a <Policy name> definition. * 'read_policy()' - Read a <Policy name> definition.
diff -up cups-2.3.0/scheduler/conf.h.lspp cups-2.3.0/scheduler/conf.h diff --git a/scheduler/conf.h b/scheduler/conf.h
--- cups-2.3.0/scheduler/conf.h.lspp 2019-08-23 17:19:38.000000000 +0200 index 7d5eb40..3c27828 100644
+++ cups-2.3.0/scheduler/conf.h 2019-10-07 12:24:43.113597079 +0200 --- a/scheduler/conf.h
@@ -243,6 +243,13 @@ VAR char *ServerKeychain VALUE(NULL); +++ b/scheduler/conf.h
@@ -245,6 +245,13 @@ VAR char *ServerKeychain VALUE(NULL);
/* Keychain holding cert + key */ /* Keychain holding cert + key */
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
@ -782,7 +807,7 @@ diff -up cups-2.3.0/scheduler/conf.h.lspp cups-2.3.0/scheduler/conf.h
#ifdef HAVE_ONDEMAND #ifdef HAVE_ONDEMAND
VAR int IdleExitTimeout VALUE(60); VAR int IdleExitTimeout VALUE(60);
/* Time after which an idle cupsd will exit */ /* Time after which an idle cupsd will exit */
@@ -261,6 +268,9 @@ VAR int HaveServerCreds VALUE(0); @@ -263,6 +270,9 @@ VAR int HaveServerCreds VALUE(0);
VAR gss_cred_id_t ServerCreds; /* Server's GSS credentials */ VAR gss_cred_id_t ServerCreds; /* Server's GSS credentials */
#endif /* HAVE_GSSAPI */ #endif /* HAVE_GSSAPI */
@ -792,9 +817,10 @@ diff -up cups-2.3.0/scheduler/conf.h.lspp cups-2.3.0/scheduler/conf.h
/* /*
* Prototypes... * Prototypes...
diff -up cups-2.3.0/scheduler/cupsd.h.lspp cups-2.3.0/scheduler/cupsd.h diff --git a/scheduler/cupsd.h b/scheduler/cupsd.h
--- cups-2.3.0/scheduler/cupsd.h.lspp 2019-08-23 17:19:38.000000000 +0200 index bc1350e..64d57d1 100644
+++ cups-2.3.0/scheduler/cupsd.h 2019-10-07 12:31:38.458480578 +0200 --- a/scheduler/cupsd.h
+++ b/scheduler/cupsd.h
@@ -8,6 +8,8 @@ @@ -8,6 +8,8 @@
* information. * information.
*/ */
@ -819,10 +845,11 @@ diff -up cups-2.3.0/scheduler/cupsd.h.lspp cups-2.3.0/scheduler/cupsd.h
#include "mime.h" #include "mime.h"
#if defined(HAVE_CDSASSL) #if defined(HAVE_CDSASSL)
diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c diff --git a/scheduler/ipp.c b/scheduler/ipp.c
--- cups-2.3.0/scheduler/ipp.c.lspp 2019-10-07 12:24:43.016597764 +0200 index 19d6608..728d164 100644
+++ cups-2.3.0/scheduler/ipp.c 2019-10-07 12:31:01.243798920 +0200 --- a/scheduler/ipp.c
@@ -11,6 +11,9 @@ +++ b/scheduler/ipp.c
@@ -12,6 +12,9 @@
* information. * information.
*/ */
@ -832,7 +859,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
/* /*
* Include necessary headers... * Include necessary headers...
*/ */
@@ -27,6 +30,14 @@ extern int mbr_group_name_to_uuid(const @@ -28,6 +31,12 @@ extern int mbr_group_name_to_uuid(const char* name, uuid_t uu);
extern int mbr_check_membership_by_id(uuid_t user, gid_t group, int* ismember); extern int mbr_check_membership_by_id(uuid_t user, gid_t group, int* ismember);
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -841,13 +868,11 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#include <selinux/avc.h> +#include <selinux/avc.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
/* /*
* Local functions... * Local functions...
@@ -51,6 +62,9 @@ static void cancel_all_jobs(cupsd_client @@ -52,6 +61,9 @@ static void cancel_all_jobs(cupsd_client_t *con, ipp_attribute_t *uri);
static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri); static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri);
static void cancel_subscription(cupsd_client_t *con, int id); static void cancel_subscription(cupsd_client_t *con, int id);
static int check_rss_recipient(const char *recipient); static int check_rss_recipient(const char *recipient);
@ -857,7 +882,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p); static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p);
static void close_job(cupsd_client_t *con, ipp_attribute_t *uri); static void close_job(cupsd_client_t *con, ipp_attribute_t *uri);
static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra, static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra,
@@ -1240,6 +1254,21 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1241,6 +1253,21 @@ add_job(cupsd_client_t *con, /* I - Client connection */
"time-at-creation", "time-at-creation",
"time-at-processing" "time-at-processing"
}; };
@ -879,7 +904,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))", cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))",
@@ -1568,6 +1597,106 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1569,6 +1596,106 @@ add_job(cupsd_client_t *con, /* I - Client connection */
attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
@ -916,18 +941,18 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
+ /* + /*
+ * The printer does not exist, so for now assume it's a FileDevice + * The printer does not exist, so for now assume it's a FileDevice
+ */ + */
+ tclass = SECCLASS_FILE; + tclass = string_to_security_class("file");
+ avr = FILE__WRITE; + avr = string_to_av_perm(tclass, "write");
+ } + }
+ else if (S_ISCHR(printerstat.st_mode)) + else if (S_ISCHR(printerstat.st_mode))
+ { + {
+ tclass = SECCLASS_CHR_FILE; + tclass = string_to_security_class("chr_file");
+ avr = CHR_FILE__WRITE; + avr = string_to_av_perm(tclass, "write");
+ } + }
+ else if (S_ISREG(printerstat.st_mode)) + else if (S_ISREG(printerstat.st_mode))
+ { + {
+ tclass = SECCLASS_FILE; + tclass = string_to_security_class("file");
+ avr = FILE__WRITE; + avr = string_to_av_perm(tclass, "write");
+ } + }
+ else + else
+ { + {
@ -986,7 +1011,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
if ((job = cupsdAddJob(priority, printer->name)) == NULL) if ((job = cupsdAddJob(priority, printer->name)) == NULL)
{ {
send_ipp_status(con, IPP_INTERNAL_ERROR, send_ipp_status(con, IPP_INTERNAL_ERROR,
@@ -1576,6 +1705,32 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1577,6 +1704,32 @@ add_job(cupsd_client_t *con, /* I - Client connection */
return (NULL); return (NULL);
} }
@ -1019,7 +1044,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE); job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE);
job->attrs = con->request; job->attrs = con->request;
job->dirty = 1; job->dirty = 1;
@@ -1763,6 +1918,29 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1764,6 +1917,29 @@ add_job(cupsd_client_t *con, /* I - Client connection */
ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]); ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]); ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
} }
@ -1049,7 +1074,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
job->job_sheets = attr; job->job_sheets = attr;
@@ -1793,6 +1971,9 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1794,6 +1970,9 @@ add_job(cupsd_client_t *con, /* I - Client connection */
"job-sheets=\"%s,none\", " "job-sheets=\"%s,none\", "
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
Classification, job->username); Classification, job->username);
@ -1059,7 +1084,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
} }
else if (attr->num_values == 2 && else if (attr->num_values == 2 &&
strcmp(attr->values[0].string.text, strcmp(attr->values[0].string.text,
@@ -1811,6 +1992,9 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1812,6 +1991,9 @@ add_job(cupsd_client_t *con, /* I - Client connection */
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
attr->values[0].string.text, attr->values[0].string.text,
attr->values[1].string.text, job->username); attr->values[1].string.text, job->username);
@ -1069,7 +1094,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
} }
else if (strcmp(attr->values[0].string.text, Classification) && else if (strcmp(attr->values[0].string.text, Classification) &&
strcmp(attr->values[0].string.text, "none") && strcmp(attr->values[0].string.text, "none") &&
@@ -1831,6 +2015,9 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1832,6 +2014,9 @@ add_job(cupsd_client_t *con, /* I - Client connection */
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
attr->values[0].string.text, attr->values[0].string.text,
attr->values[1].string.text, job->username); attr->values[1].string.text, job->username);
@ -1079,7 +1104,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
} }
} }
else if (strcmp(attr->values[0].string.text, Classification) && else if (strcmp(attr->values[0].string.text, Classification) &&
@@ -1871,8 +2058,52 @@ add_job(cupsd_client_t *con, /* I - Cl @@ -1872,9 +2057,55 @@ add_job(cupsd_client_t *con, /* I - Client connection */
"job-sheets=\"%s\", " "job-sheets=\"%s\", "
"job-originating-user-name=\"%s\"", "job-originating-user-name=\"%s\"",
Classification, job->username); Classification, job->username);
@ -1121,18 +1146,21 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
+ cupsdClearString(&audit_message); + cupsdClearString(&audit_message);
+ } + }
} }
+
+ if (userheader)
+ free(userheader);
+ if (userfooter)
+ free(userfooter);
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
} }
+
+#ifdef WITH_LSPP
+ if (userheader)
+ free(userheader);
+ if (userfooter)
+ free(userfooter);
+#endif /* WITH_LSPP */
+
+
/* /*
* See if we need to add the starting sheet... * See if we need to add the starting sheet...
@@ -3648,6 +3879,128 @@ check_rss_recipient( */
@@ -3649,6 +3880,128 @@ check_rss_recipient(
} }
@ -1187,8 +1215,8 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
+ { + {
+ cupsdLogJob(job, CUPSD_LOG_ERROR, "check_context: unable avc_init"); + cupsdLogJob(job, CUPSD_LOG_ERROR, "check_context: unable avc_init");
+ return -1; + return -1;
+ } + }
+ } + }
+ if (avc_context_to_sid(con->scon, &clisid) != 0) + if (avc_context_to_sid(con->scon, &clisid) != 0)
+ { + {
+ cupsdLogJob(job, CUPSD_LOG_ERROR, + cupsdLogJob(job, CUPSD_LOG_ERROR,
@ -1204,8 +1232,8 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
+ return -1; + return -1;
+ } + }
+ avc_entry_ref_init(&avcref); + avc_entry_ref_init(&avcref);
+ tclass = SECCLASS_FILE; + tclass = string_to_security_class("file");
+ avr = FILE__READ; + avr = string_to_av_perm(tclass, "read");
+ +
+ /* + /*
+ * Perform the check with the client as the subject, first with the job as the object + * Perform the check with the client as the subject, first with the job as the object
@ -1261,7 +1289,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
/* /*
* 'check_quotas()' - Check quotas for a printer and user. * 'check_quotas()' - Check quotas for a printer and user.
*/ */
@@ -4103,6 +4456,15 @@ copy_banner(cupsd_client_t *con, /* I - @@ -4104,6 +4457,15 @@ copy_banner(cupsd_client_t *con, /* I - Client connection */
char attrname[255], /* Name of attribute */ char attrname[255], /* Name of attribute */
*s; /* Pointer into name */ *s; /* Pointer into name */
ipp_attribute_t *attr; /* Attribute */ ipp_attribute_t *attr; /* Attribute */
@ -1277,7 +1305,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, cupsdLogMessage(CUPSD_LOG_DEBUG2,
@@ -4138,6 +4500,85 @@ copy_banner(cupsd_client_t *con, /* I - @@ -4139,6 +4501,85 @@ copy_banner(cupsd_client_t *con, /* I - Client connection */
fchmod(cupsFileNumber(out), 0640); fchmod(cupsFileNumber(out), 0640);
fchown(cupsFileNumber(out), RunUser, Group); fchown(cupsFileNumber(out), RunUser, Group);
@ -1363,7 +1391,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
/* /*
* Try the localized banner file under the subdirectory... * Try the localized banner file under the subdirectory...
@@ -4232,6 +4673,24 @@ copy_banner(cupsd_client_t *con, /* I - @@ -4233,6 +4674,24 @@ copy_banner(cupsd_client_t *con, /* I - Client connection */
else else
s = attrname; s = attrname;
@ -1388,7 +1416,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
if (!strcmp(s, "printer-name")) if (!strcmp(s, "printer-name"))
{ {
cupsFilePuts(out, job->dest); cupsFilePuts(out, job->dest);
@@ -6439,6 +6898,22 @@ get_job_attrs(cupsd_client_t *con, /* I @@ -6443,6 +6902,22 @@ get_job_attrs(cupsd_client_t *con, /* I - Client connection */
exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username); exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username);
@ -1411,7 +1439,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
/* /*
* Copy attributes... * Copy attributes...
*/ */
@@ -6836,6 +7311,11 @@ get_jobs(cupsd_client_t *con, /* I - C @@ -6840,6 +7315,11 @@ get_jobs(cupsd_client_t *con, /* I - Client connection */
if (username[0] && _cups_strcasecmp(username, job->username)) if (username[0] && _cups_strcasecmp(username, job->username))
continue; continue;
@ -1423,7 +1451,7 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
if (count > 0) if (count > 0)
ippAddSeparator(con->response); ippAddSeparator(con->response);
@@ -11445,6 +11925,11 @@ validate_user(cupsd_job_t *job, /* I @@ -11441,6 +11921,11 @@ validate_user(cupsd_job_t *job, /* I - Job */
strlcpy(username, get_username(con), userlen); strlcpy(username, get_username(con), userlen);
@ -1435,9 +1463,10 @@ diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
/* /*
* Check the username against the owner... * Check the username against the owner...
*/ */
diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c diff --git a/scheduler/job.c b/scheduler/job.c
--- cups-2.3.0/scheduler/job.c.lspp 2019-10-07 12:24:43.024597707 +0200 index 834e170..dbc64c3 100644
+++ cups-2.3.0/scheduler/job.c 2019-10-07 12:30:13.092210820 +0200 --- a/scheduler/job.c
+++ b/scheduler/job.c
@@ -8,6 +8,9 @@ @@ -8,6 +8,9 @@
* information. * information.
*/ */
@ -1448,7 +1477,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
/* /*
* Include necessary headers... * Include necessary headers...
*/ */
@@ -23,6 +26,14 @@ @@ -23,6 +26,12 @@
# endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */ # endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -1457,13 +1486,11 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#include <selinux/avc.h> +#include <selinux/avc.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif /* WITH_LSPP */ +#endif /* WITH_LSPP */
/* /*
* Design Notes for Job Management * Design Notes for Job Management
@@ -544,6 +555,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I @@ -545,6 +554,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */
/* PRINTER_STATE_REASONS env var */ /* PRINTER_STATE_REASONS env var */
rip_max_cache[255]; rip_max_cache[255];
/* RIP_MAX_CACHE env variable */ /* RIP_MAX_CACHE env variable */
@ -1478,7 +1505,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, cupsdLogMessage(CUPSD_LOG_DEBUG2,
@@ -1080,6 +1099,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I @@ -1066,6 +1083,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */
if (final_content_type[0]) if (final_content_type[0])
envp[envc ++] = final_content_type; envp[envc ++] = final_content_type;
@ -1497,7 +1524,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
+ cupsdClearString(&audit_message); + cupsdClearString(&audit_message);
+ } + }
+ } + }
+ else + else
+ { + {
+ jobcon = context_new(job->scon); + jobcon = context_new(job->scon);
+ +
@ -1546,7 +1573,19 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
if (Classification && !banner_page) if (Classification && !banner_page)
{ {
if ((attr = ippFindAttribute(job->attrs, "job-sheets", if ((attr = ippFindAttribute(job->attrs, "job-sheets",
@@ -1858,6 +1938,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J @@ -1400,6 +1478,11 @@ cupsdDeleteJob(cupsd_job_t *job, /* I - Job */
cupsdClearString(&job->username);
cupsdClearString(&job->dest);
+
+#ifdef WITH_LSPP
+ cupsdClearString(&job->scon);
+#endif
+
for (i = 0;
i < (int)(sizeof(job->auth_env) / sizeof(job->auth_env[0]));
i ++)
@@ -1844,6 +1927,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - Job */
ippSetString(job->attrs, &job->reasons, 0, "none"); ippSetString(job->attrs, &job->reasons, 0, "none");
} }
@ -1569,7 +1608,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
job->impressions = ippFindAttribute(job->attrs, "job-impressions-completed", IPP_TAG_INTEGER); job->impressions = ippFindAttribute(job->attrs, "job-impressions-completed", IPP_TAG_INTEGER);
job->sheets = ippFindAttribute(job->attrs, "job-media-sheets-completed", IPP_TAG_INTEGER); job->sheets = ippFindAttribute(job->attrs, "job-media-sheets-completed", IPP_TAG_INTEGER);
job->job_sheets = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME); job->job_sheets = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME);
@@ -2273,6 +2369,14 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J @@ -2259,6 +2358,14 @@ cupsdSaveJob(cupsd_job_t *job) /* I - Job */
{ {
char filename[1024]; /* Job control filename */ char filename[1024]; /* Job control filename */
cups_file_t *fp; /* Job file */ cups_file_t *fp; /* Job file */
@ -1584,7 +1623,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p(%d)): job->attrs=%p", cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p(%d)): job->attrs=%p",
@@ -2295,6 +2399,78 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J @@ -2281,6 +2388,78 @@ cupsdSaveJob(cupsd_job_t *job) /* I - Job */
fchown(cupsFileNumber(fp), RunUser, Group); fchown(cupsFileNumber(fp), RunUser, Group);
@ -1663,7 +1702,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
job->attrs->state = IPP_IDLE; job->attrs->state = IPP_IDLE;
if (ippWriteIO(fp, (ipp_iocb_t)cupsFileWrite, 1, NULL, if (ippWriteIO(fp, (ipp_iocb_t)cupsFileWrite, 1, NULL,
@@ -3995,6 +4171,19 @@ get_options(cupsd_job_t *job, /* I - Jo @@ -3981,6 +4160,19 @@ get_options(cupsd_job_t *job, /* I - Job */
banner_page) banner_page)
continue; continue;
@ -1683,7 +1722,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
/* /*
* Otherwise add them to the list... * Otherwise add them to the list...
*/ */
@@ -4805,6 +4994,18 @@ start_job(cupsd_job_t *job, /* I - @@ -4791,6 +4983,18 @@ start_job(cupsd_job_t *job, /* I - Job ID */
cupsd_printer_t *printer) /* I - Printer to print job */ cupsd_printer_t *printer) /* I - Printer to print job */
{ {
const char *filename; /* Support filename */ const char *filename; /* Support filename */
@ -1702,7 +1741,7 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
ipp_attribute_t *cancel_after = ippFindAttribute(job->attrs, ipp_attribute_t *cancel_after = ippFindAttribute(job->attrs,
"job-cancel-after", "job-cancel-after",
IPP_TAG_INTEGER); IPP_TAG_INTEGER);
@@ -4993,6 +5194,113 @@ start_job(cupsd_job_t *job, /* I - @@ -4979,6 +5183,113 @@ start_job(cupsd_job_t *job, /* I - Job ID */
fcntl(job->side_pipes[1], F_SETFD, fcntl(job->side_pipes[1], F_SETFD,
fcntl(job->side_pipes[1], F_GETFD) | FD_CLOEXEC); fcntl(job->side_pipes[1], F_GETFD) | FD_CLOEXEC);
@ -1733,18 +1772,18 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
+ /* + /*
+ * The printer does not exist, so for now assume it's a FileDevice + * The printer does not exist, so for now assume it's a FileDevice
+ */ + */
+ tclass = SECCLASS_FILE; + tclass = string_to_security_class("file");
+ avr = FILE__WRITE; + avr = string_to_av_perm(tclass, "write");
+ } + }
+ else if (S_ISCHR(printerstat.st_mode)) + else if (S_ISCHR(printerstat.st_mode))
+ { + {
+ tclass = SECCLASS_CHR_FILE; + tclass = string_to_security_class("chr_file");
+ avr = CHR_FILE__WRITE; + avr = string_to_av_perm(tclass, "write");
+ } + }
+ else if (S_ISREG(printerstat.st_mode)) + else if (S_ISREG(printerstat.st_mode))
+ { + {
+ tclass = SECCLASS_FILE; + tclass = string_to_security_class("file");
+ avr = FILE__WRITE; + avr = string_to_av_perm(tclass, "write");
+ } + }
+ else + else
+ { + {
@ -1816,9 +1855,10 @@ diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
/* /*
* Now start the first file in the job... * Now start the first file in the job...
*/ */
diff -up cups-2.3.0/scheduler/job.h.lspp cups-2.3.0/scheduler/job.h diff --git a/scheduler/job.h b/scheduler/job.h
--- cups-2.3.0/scheduler/job.h.lspp 2019-08-23 17:19:38.000000000 +0200 index 2400ea9..cc05450 100644
+++ cups-2.3.0/scheduler/job.h 2019-10-07 12:29:54.364371023 +0200 --- a/scheduler/job.h
+++ b/scheduler/job.h
@@ -7,6 +7,13 @@ @@ -7,6 +7,13 @@
* Licensed under Apache License v2.0. See the file "LICENSE" for more information. * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
*/ */
@ -1833,7 +1873,7 @@ diff -up cups-2.3.0/scheduler/job.h.lspp cups-2.3.0/scheduler/job.h
/* /*
* Constants... * Constants...
*/ */
@@ -84,6 +91,10 @@ struct cupsd_job_s /**** Job request * @@ -84,6 +91,10 @@ struct cupsd_job_s /**** Job request ****/
int progress; /* Printing progress */ int progress; /* Printing progress */
int num_keywords; /* Number of PPD keywords */ int num_keywords; /* Number of PPD keywords */
cups_option_t *keywords; /* PPD keywords */ cups_option_t *keywords; /* PPD keywords */
@ -1844,9 +1884,10 @@ diff -up cups-2.3.0/scheduler/job.h.lspp cups-2.3.0/scheduler/job.h
}; };
typedef struct cupsd_joblog_s /**** Job log message ****/ typedef struct cupsd_joblog_s /**** Job log message ****/
diff -up cups-2.3.0/scheduler/main.c.lspp cups-2.3.0/scheduler/main.c diff --git a/scheduler/main.c b/scheduler/main.c
--- cups-2.3.0/scheduler/main.c.lspp 2019-10-07 12:24:43.037597616 +0200 index 47968e6..2802625 100644
+++ cups-2.3.0/scheduler/main.c 2019-10-07 12:24:43.119597037 +0200 --- a/scheduler/main.c
+++ b/scheduler/main.c
@@ -57,6 +57,9 @@ @@ -57,6 +57,9 @@
# include <sys/param.h> # include <sys/param.h>
#endif /* HAVE_SYS_PARAM_H */ #endif /* HAVE_SYS_PARAM_H */
@ -1857,7 +1898,7 @@ diff -up cups-2.3.0/scheduler/main.c.lspp cups-2.3.0/scheduler/main.c
/* /*
* Local functions... * Local functions...
@@ -123,6 +126,9 @@ main(int argc, /* I - Number of comm @@ -123,6 +126,9 @@ main(int argc, /* I - Number of command-line args */
#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
struct sigaction action; /* Actions for POSIX signals */ struct sigaction action; /* Actions for POSIX signals */
#endif /* HAVE_SIGACTION && !HAVE_SIGSET */ #endif /* HAVE_SIGACTION && !HAVE_SIGSET */
@ -1867,7 +1908,7 @@ diff -up cups-2.3.0/scheduler/main.c.lspp cups-2.3.0/scheduler/main.c
#ifdef __APPLE__ #ifdef __APPLE__
int use_sysman = 1; /* Use system management functions? */ int use_sysman = 1; /* Use system management functions? */
#else #else
@@ -495,6 +501,25 @@ main(int argc, /* I - Number of comm @@ -495,6 +501,25 @@ main(int argc, /* I - Number of command-line args */
exit(errno); exit(errno);
} }
@ -1893,7 +1934,7 @@ diff -up cups-2.3.0/scheduler/main.c.lspp cups-2.3.0/scheduler/main.c
/* /*
* Let the system know we are busy while we bring up cupsd... * Let the system know we are busy while we bring up cupsd...
*/ */
@@ -1201,6 +1226,11 @@ main(int argc, /* I - Number of comm @@ -1204,6 +1229,11 @@ main(int argc, /* I - Number of command-line args */
cupsdStopSelect(); cupsdStopSelect();
@ -1905,10 +1946,11 @@ diff -up cups-2.3.0/scheduler/main.c.lspp cups-2.3.0/scheduler/main.c
return (!stop_scheduler); return (!stop_scheduler);
} }
diff -up cups-2.3.0/scheduler/printers.c.lspp cups-2.3.0/scheduler/printers.c diff --git a/scheduler/printers.c b/scheduler/printers.c
--- cups-2.3.0/scheduler/printers.c.lspp 2019-08-23 17:19:38.000000000 +0200 index 234d441..248bdba 100644
+++ cups-2.3.0/scheduler/printers.c 2019-10-07 12:29:17.956658129 +0200 --- a/scheduler/printers.c
@@ -8,6 +8,8 @@ +++ b/scheduler/printers.c
@@ -9,6 +9,8 @@
* information. * information.
*/ */
@ -1917,7 +1959,7 @@ diff -up cups-2.3.0/scheduler/printers.c.lspp cups-2.3.0/scheduler/printers.c
/* /*
* Include necessary headers... * Include necessary headers...
*/ */
@@ -32,6 +34,10 @@ @@ -33,6 +35,10 @@
# include <asl.h> # include <asl.h>
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -1928,7 +1970,7 @@ diff -up cups-2.3.0/scheduler/printers.c.lspp cups-2.3.0/scheduler/printers.c
/* /*
* Local functions... * Local functions...
@@ -2252,6 +2258,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) @@ -2288,6 +2294,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)/* I - Printer to setup */
ipp_attribute_t *attr; /* Attribute data */ ipp_attribute_t *attr; /* Attribute data */
char *name, /* Current user/group name */ char *name, /* Current user/group name */
*filter; /* Current filter */ *filter; /* Current filter */
@ -1942,7 +1984,7 @@ diff -up cups-2.3.0/scheduler/printers.c.lspp cups-2.3.0/scheduler/printers.c
/* /*
@@ -2378,6 +2391,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) @@ -2412,6 +2425,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)/* I - Printer to setup */
attr->values[1].string.text = _cupsStrAlloc(Classification ? attr->values[1].string.text = _cupsStrAlloc(Classification ?
Classification : p->job_sheets[1]); Classification : p->job_sheets[1]);
} }

12
SOURCES/cups-socket-remove-on-stop.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git a/scheduler/cups.socket.in b/scheduler/cups.socket.in
index 613b977a6..1deee826a 100644
--- a/scheduler/cups.socket.in
+++ b/scheduler/cups.socket.in
@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
[Socket]
ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
+RemoveOnStop=on
[Install]
WantedBy=sockets.target

58
SPECS/cups.spec
View File

@ -24,7 +24,7 @@ Summary: CUPS printing system
Name: cups Name: cups
Epoch: 1 Epoch: 1
Version: 2.3.3%{OP_VER} Version: 2.3.3%{OP_VER}
Release: 24%{?dist} Release: 30%{?dist}
License: ASL 2.0 License: ASL 2.0
Url: http://www.cups.org/ Url: http://www.cups.org/
# Apple stopped uploading the new versions into github, use OpenPrinting fork # Apple stopped uploading the new versions into github, use OpenPrinting fork
@ -132,6 +132,24 @@ Patch37: cups-preservejobfiles-leak.patch
Patch38: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch Patch38: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents # RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
Patch39: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch Patch39: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
# https://github.com/OpenPrinting/cups/pull/927
Patch40: 0001-scheduler-Fix-sending-response-headers-to-client.patch
# RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
# https://github.com/OpenPrinting/cups/pull/456
Patch41: 0001-cups-dest.c-Write-data-into-etc-cups-lpoptions-if-we.patch
# RHEL-39940 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/a436956
Patch42: 0001-Fix-domain-socket-handling.patch
# RHEL-39940 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/3448c52
Patch43: cups-socket-remove-on-stop.patch
# RHEL-39940 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/7adb508
# https://github.com/OpenPrinting/cups/commit/824f49f
# https://github.com/OpenPrinting/cups/commit/56b9728
# https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914
Patch44: cups-check-for-listeners.patch
##### Patches removed because IMHO they aren't no longer needed ##### Patches removed because IMHO they aren't no longer needed
@ -393,6 +411,23 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch38 -p1 -b .log-stderr %patch38 -p1 -b .log-stderr
# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents # RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
%patch39 -p1 -b .cupsgetjobs-pollhup %patch39 -p1 -b .cupsgetjobs-pollhup
# https://github.com/OpenPrinting/cups/pull/927
%patch40 -p1 -b .sent-headers
# RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
%patch41 -p1 -b .root-lpoptions
# RHEL-39940 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/a436956
%patch42 -p1 -b .cve2024-35235
# RHEL-39940 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/3448c52
%patch43 -p1 -b .cups-socket-remove-on-stop.patch
# RHEL-39940 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
# https://github.com/OpenPrinting/cups/commit/7adb508
# https://github.com/OpenPrinting/cups/commit/824f49f
# https://github.com/OpenPrinting/cups/commit/56b9728
# https://github.com/OpenPrinting/cups/commit/74f437b
# https://github.com/OpenPrinting/cups/commit/fb0c914
%patch44 -p1 -b .cups-check-for-listeners.patch
%if %{lspp} %if %{lspp}
# LSPP support. # LSPP support.
@ -827,6 +862,27 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz %{_mandir}/man7/ippeveps.7.gz
%changelog %changelog
* Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-30
- RHEL-6526 cups source rpm doesn't actually build lspp support
- fix memory leaks from LSPP
* Wed Jun 19 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-29
- Revert the cups-libs license identifier to the "legacy" format
* Tue Jun 18 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-28
- RHEL-39940 cups: Cupsd Listen arbitrary chmod 0140777
- Delete the domain socket file after stopping the cups.socket service
- Fix cupsd Listener checks
* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.3.3op2-27
- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
* Mon Apr 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-26
- RHEL-32727 lpoptions with root writes to ~/.cups/lpoptions
* Fri Apr 05 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-25
- RHEL-29764 cups doesn't send Content-Type header back to client when Set-Cookie is seen first
* Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-24 * Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-24
- revert RHEL-19205 - new packages are not needed - revert RHEL-19205 - new packages are not needed