From: msweet Date: Tue, 1 Jul 2014 17:17:56 +0000 (+0000) Subject: Tweak the sandbox profiles for filters. X-Git-Tag: v2.2b1~588 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb3777ccd1075b14c5b0f71167d2403107a49f65;p=thirdparty%2Fcups.git Tweak the sandbox profiles for filters. git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11973 a1ca3aef-8c08-0410-bb20-df032aa958be
---
diff --git a/scheduler/process.c b/scheduler/process.c
index 9a86917d9d..a3a7980214 100644
--- a/scheduler/process.c
+++ b/scheduler/process.c
@@ -324,6 +324,9 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
 cupsFilePrintf(fp, "\n (literal \"%s\")", domain);
 }
 }
+ /* Allow access to Bluetooth, USB, and notify_post. */
+ cupsFilePuts(fp, "(allow iokit*)\n");
+ cupsFilePuts(fp, "(allow distributed-notification-post)\n");
 if (allow_networking)
 {
 /* Allow TCP and UDP networking off the machine... */
@@ -333,21 +336,19 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
 " (local udp \"*:*\")\n"
 " (remote udp \"*:*\"))\n");
- /* Also allow access to Bluetooth, USB, device files, etc. */
- cupsFilePuts(fp, "(allow iokit*)\n");
+ /* Also allow access to device files... */
 cupsFilePuts(fp, "(allow file-write* file-read-data file-read-metadata file-ioctl\n"
 " (regex #\"^/dev/\"))\n");
- cupsFilePuts(fp, "(allow distributed-notification-post)\n");
 }
 else
 {
- /* Only allow SNMP (UDP) off the machine... */
+ /* Only allow SNMP (UDP) and LPD (TCP) off the machine... */
 cupsFilePuts(fp, ")\n");
 cupsFilePuts(fp, "(allow network-outbound\n"
- " (remote udp \"*:161\"))\n");
+ " (remote udp \"*:161\")"
+ " (remote tcp \"*:515\"))\n");
 cupsFilePuts(fp, "(allow network-inbound\n"
 " (local udp \"localhost:*\"))\n");
- cupsFilePuts(fp, "(deny iokit* (with no-report))\n");
 }
 cupsFileClose(fp);
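Review bot: The two added `cupsFilePuts()` calls sit before `if (allow_networking)`, so every generated profile now carries `(allow iokit*)`, and the second hunk drops the `(deny iokit* (with no-report))` that the restricted branch used to emit. The wildcard grants all IOKit operations, not just the Bluetooth and USB access the comment names, so filters that never touch a device still get an interface to kernel drivers. If only specific user clients are required, scope the rule, e.g. `(allow iokit-open (iokit-user-client-class "<CLASS_PLACEHOLDER>"))`. Otherwise state the widening in the comment: `/* Allow IOKit (Bluetooth, USB) and notify_post for all filters, regardless of allow_networking. */`. cupsdCreateProfile starts and ends outside the hunk, so whether another rule narrows this is not visible here.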
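Review bot: In the `else` branch the restricted profile now permits outbound TCP to port 515 on any remote host (`(remote tcp \"*:515\")`), and the comment does not say why a filter started without `allow_networking` needs LPD. This is the profile meant to keep filters off the network, so record the reason and the reach of the rule beside it, for example `/* Only allow SNMP (UDP 161) and LPD (TCP 515) off the machine; any remote host is reachable on those ports. */`. The two concatenated literals also have no line break between them, so the generated profile puts both filters on one line; ending the first literal with `\n`, as in `" (remote udp \"*:161\")\n"`, keeps the one-filter-per-line layout of the networking branch. The function body continues outside the hunk.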