<!--
- "$Id: api-filter.shtml 7677 2008-06-19 23:22:19Z mike $"
+ Filter and backend programming introduction for CUPS.
- Filter and backend programming introduction for the Common UNIX Printing
- System (CUPS).
-
- Copyright 2007-2009 by Apple Inc.
+ Copyright 2007-2014 by Apple Inc.
Copyright 1997-2006 by Easy Software Products, all rights reserved.
These coded instructions, statements, and computer programs are the
<h3><a name="SECURITY">Security Considerations</a></h3>
<p>It is always important to use security programming practices. Filters and
-most backends are run as a non-priviledged user, so the major security
+most backends are run as a non-privileged user, so the major security
consideration is resource utilization - filters should not depend on unlimited
amounts of CPU, memory, or disk space, and should protect against conditions
that could lead to excess usage of any resource like infinite loops and
used by the filter since that can lead to an unauthorized disclosure of
information. <em>Always</em> treat input as suspect and validate it!</p>
-<p>If you are developing a backend that runs as root , make sure to check for
+<p>If you are developing a backend that runs as root, make sure to check for
potential buffer overflows, integer under/overflow conditions, and file
accesses since these can lead to privilege escalations. When writing files,
always validate the file path and <em>never</em> allow a user to determine
<p>In addition, some operating systems provide additional security mechanisms
that further limit file system access, even for backends running as root. On
-Mac OS X, for example, no backend may write to a user's home directory.</p>
+OS X, for example, no backend may write to a user's home directory. See the <a href="#SANDBOXING">Sandboxing on OS X</a> section for more information.</p>
</blockquote>
+<h3><a name="SIGNALS">Canceled Jobs and Signal Handling</a></h3>
+
+<p>The scheduler sends <code>SIGTERM</code> when a printing job is canceled or
+held. Filters, backends, and port monitors <em>must</em> catch
+<code>SIGTERM</code> and perform any cleanup necessary to produce a valid output
+file or return the printer to a known good state. The recommended behavior is to
+end the output on the current page, preferably on the current line or object
+being printed.</p>
+
+<p>Filters and backends may also receive <code>SIGPIPE</code> when an upstream or downstream filter/backend exits with a non-zero status. Developers should generally ignore <code>SIGPIPE</code> at the beginning of <code>main()</code> with the following function call:</p>
+
+<pre class="example">
+#include <signal.h>>
+
+...
+
+int
+main(int argc, char *argv[])
+{
+ signal(SIGPIPE, SIG_IGN);
+
+ ...
+}
+</pre>
+
<h3><a name="PERMISSIONS">File Permissions</a></h3>
<p>For security reasons, CUPS will only run filters and backends that are owned
-by root and do not have world write permissions. The recommended permissions for
-filters and backends are 0555 - read and execute but no write. Backends that
-must run as root should use permissions of 0500 - read and execute by root, no
-access for other users. Write permissions can be enabled for the root user
-only.</p>
+by root and do not have world or group write permissions. The recommended
+permissions for filters and backends are 0555 - read and execute but no write.
+Backends that must run as root should use permissions of 0500 - read and execute
+by root, no access for other users. Write permissions can be enabled for the
+root user only.</p>
<p>To avoid a warning message, the directory containing your filter(s) must also
-be owned by root and have world write disabled - permissions of 0755 or 0555 are
-strongly encouraged.</p>
+be owned by root and have world and group write disabled - permissions of 0755
+or 0555 are strongly encouraged.</p>
<h3><a name="TEMPFILES">Temporary Files</a></h3>
<dl class="code">
- <dt>APPLE_LANGUAGES</dt>
+ <dt>APPLE_LANGUAGE</dt>
<dd>The Apple language identifier associated with the job
- (Mac OS X only).</dd>
+ (OS X only).</dd>
<dt>CHARSET</dt>
<dd>The job character set, typically "utf-8".</dd>
<dt>ATTR: attribute=value [attribute=value]</dt>
<dd>Sets the named printer or job attribute(s). Typically this is used
- to set the <code>marker-colors</code>, <code>marker-levels</code>,
+ to set the <code>marker-colors</code>, <code>marker-high-levels</code>,
+ <code>marker-levels</code>, <code>marker-low-levels</code>,
<code>marker-message</code>, <code>marker-names</code>,
<code>marker-types</code>, <code>printer-alert</code>, and
<code>printer-alert-description</code> printer attributes. Standard
<code>marker-types</code> values are listed in <a href='#TABLE1'>Table
- 1</a>.</dd>
+ 1</a>. String values need special handling - see <a href="#ATTR_STRINGS">Reporting Attribute String Values</a> below.</dd>
<dt>CRIT: message</dt>
<dd>Sets the printer-state-message attribute and adds the specified
this is used to update installable options or default media settings
based on the printer configuration.</dd>
- <dt>STATE: printer-state-reason [printer-state-reason ...]</dt>
<dt>STATE: + printer-state-reason [printer-state-reason ...]</dt>
<dt>STATE: - printer-state-reason [printer-state-reason ...]</dt>
- <dd>Sets, adds, or removes printer-state-reason keywords to the
- current queue. Typically this is used to indicate persistent media,
- ink, toner, and configuration conditions or errors on a printer.
+ <dd>Sets or clears printer-state-reason keywords for the current queue.
+ Typically this is used to indicate persistent media, ink, toner, and
+ configuration conditions or errors on a printer.
<a href='#TABLE2'>Table 2</a> lists the standard state keywords -
- use vendor-prefixed ("com.acme.foo") keywords for custom states.</dd>
+ use vendor-prefixed ("com.example.foo") keywords for custom states. See
+ <a href="#MANAGING_STATE">Managing Printer State in a Filter</a> for more
+ information.
<dt>WARNING: message</dt>
<dd>Sets the printer-state-message attribute and adds the specified
<p>Messages without one of these prefixes are treated as if they began with
the "DEBUG:" prefix string.</p>
-
<div class='table'><table width='80%' summary='Table 1: Standard marker-types Values'>
<caption>Table 1: <a name='TABLE1'>Standard marker-types Values</a></caption>
<thead>
<td>Fuser unit</td>
</tr>
<tr>
- <td>fuserCleaningPad</td>
+ <td>fuser-cleaning-pad</td>
<td>Fuser cleaning pad</td>
</tr>
<tr>
- <td>fuserOil</td>
+ <td>fuser-oil</td>
<td>Fuser oil</td>
</tr>
<tr>
<td>Photo conductor</td>
</tr>
<tr>
- <td>solidWax</td>
+ <td>solid-wax</td>
<td>Wax supply</td>
</tr>
<tr>
<td>Toner supply</td>
</tr>
<tr>
- <td>transferUnit</td>
+ <td>transfer-unit</td>
<td>Transfer unit</td>
</tr>
<tr>
- <td>wasteInk</td>
+ <td>waste-ink</td>
<td>Waste ink tank</td>
</tr>
<tr>
- <td>wasteToner</td>
+ <td>waste-toner</td>
<td>Waste toner tank</td>
</tr>
<tr>
- <td>wasteWax</td>
+ <td>waste-wax</td>
<td>Waste wax tank</td>
</tr>
</tbody>
<tbody>
<tr>
<td>connecting-to-device</td>
- <td>Connecting to printer but not printing yet</td>
+ <td>Connecting to printer but not printing yet.</td>
</tr>
<tr>
<td>cover-open</td>
- <td>A cover is open on the printer</td>
+ <td>The printer's cover is open.</td>
</tr>
<tr>
<td>input-tray-missing</td>
- <td>An input tray is missing from the printer</td>
+ <td>The paper tray is missing.</td>
</tr>
<tr>
<td>marker-supply-empty</td>
- <td>Out of ink</td>
+ <td>The printer is out of ink.</td>
</tr>
<tr>
<td>marker-supply-low</td>
- <td>Low on ink</td>
+ <td>The printer is almost out of ink.</td>
</tr>
<tr>
<td>marker-waste-almost-full</td>
- <td>Waste tank almost full</td>
+ <td>The printer's waste bin is almost full.</td>
</tr>
<tr>
<td>marker-waste-full</td>
- <td>Waste tank full</td>
+ <td>The printer's waste bin is full.</td>
</tr>
<tr>
<td>media-empty</td>
- <td>Out of media</td>
+ <td>The paper tray (any paper tray) is empty.</td>
</tr>
<tr>
<td>media-jam</td>
- <td>Media is jammed in the printer</td>
+ <td>There is a paper jam.</td>
</tr>
<tr>
<td>media-low</td>
- <td>Low on media</td>
+ <td>The paper tray (any paper tray) is almost empty.</td>
+</tr>
+<tr>
+ <td>media-needed</td>
+ <td>The paper tray needs to be filled (for a job that is printing).</td>
</tr>
<tr>
<td>paused</td>
- <td>Stop the printer</td>
+ <td>Stop the printer.</td>
</tr>
<tr>
<td>timed-out</td>
- <td>Unable to connect to printer</td>
+ <td>Unable to connect to printer.</td>
</tr>
<tr>
<td>toner-empty</td>
- <td>Out of toner</td>
+ <td>The printer is out of toner.</td>
</tr>
<tr>
<td>toner-low</td>
- <td>Low on toner</td>
+ <td>The printer is low on toner.</td>
+</tr>
+</tbody>
+</table></div>
+
+
+<h4><a name="ATTR_STRINGS">Reporting Attribute String Values</a></h4>
+
+<p>When reporting string values using "ATTR:" messages, a filter or backend must take special care to appropriately quote those values. The scheduler uses the CUPS option parsing code for attributes, so the general syntax is:</p>
+
+<pre class="example">
+name=simple
+name=simple,simple,...
+name='complex value'
+name="complex value"
+name='"complex value"','"complex value"',...
+</pre>
+
+<p>Simple values are strings that do not contain spaces, quotes, backslashes, or the comma and can be placed verbatim in the "ATTR:" message, for example:</p>
+
+<pre class="example">
+int levels[4] = { 40, 50, 60, 70 }; /* CMYK */
+
+fputs("ATTR: marker-colors=#00FFFF,#FF00FF,#FFFF00,#000000\n", stderr);
+fputs("ATTR: marker-high-levels=100,100,100,100\n", stderr);
+fprintf(stderr, "ATTR: marker-levels=%d,%d,%d,%d\n", levels[0], levels[1],
+ levels[2], levels[3], levels[4]);
+fputs("ATTR: marker-low-levels=5,5,5,5\n", stderr);
+fputs("ATTR: marker-types=toner,toner,toner,toner\n", stderr);
+</pre>
+
+<p>Complex values that contains spaces, quotes, backslashes, or the comma must be quoted. For a single value a single set of quotes is sufficient:</p>
+
+<pre class="example">
+fputs("ATTR: marker-message='Levels shown are approximate.'\n", stderr);
+</pre>
+
+<p>When multiple values are reported, each value must be enclosed by a set of single and double quotes:</p>
+
+<pre class="example">
+fputs("ATTR: marker-names='\"Cyan Toner\"','\"Magenta Toner\"',"
+ "'\"Yellow Toner\"','\"Black Toner\"'\n", stderr);
+</pre>
+
+<p>The IPP backend includes a <var>quote_string</var> function that may be used to properly quote a complex value in an "ATTR:" message:</p>
+
+<pre class="example">
+static const char * /* O - Quoted string */
+quote_string(const char *s, /* I - String */
+ char *q, /* I - Quoted string buffer */
+ size_t qsize) /* I - Size of quoted string buffer */
+{
+ char *qptr, /* Pointer into string buffer */
+ *qend; /* End of string buffer */
+
+
+ qptr = q;
+ qend = q + qsize - 5;
+
+ if (qend < q)
+ {
+ *q = '\0';
+ return (q);
+ }
+
+ *qptr++ = '\'';
+ *qptr++ = '\"';
+
+ while (*s && qptr < qend)
+ {
+ if (*s == '\\' || *s == '\"' || *s == '\'')
+ {
+ if (qptr < (qend - 4))
+ {
+ *qptr++ = '\\';
+ *qptr++ = '\\';
+ *qptr++ = '\\';
+ }
+ else
+ break;
+ }
+
+ *qptr++ = *s++;
+ }
+
+ *qptr++ = '\"';
+ *qptr++ = '\'';
+ *qptr = '\0';
+
+ return (q);
+}
+</pre>
+
+
+<h4><a name="MANAGING_STATE">Managing Printer State in a Filter</a></h4>
+
+<p>Filters are responsible for managing the state keywords they set using
+"STATE:" messages. Typically you will update <em>all</em> of the keywords that
+are used by the filter at startup, for example:</p>
+
+<pre class="example">
+if (foo_condition != 0)
+ fputs("STATE: +com.example.foo\n", stderr);
+else
+ fputs("STATE: -com.example.foo\n", stderr);
+
+if (bar_condition != 0)
+ fputs("STATE: +com.example.bar\n", stderr);
+else
+ fputs("STATE: -com.example.bar\n", stderr);
+</pre>
+
+<p>Then as conditions change, your filter sends "STATE: +keyword" or "STATE:
+-keyword" messages as necessary to set or clear the corresponding keyword,
+respectively.</p>
+
+<p>State keywords are often used to notify the user of issues that span across
+jobs, for example "media-empty-warning" that indicates one or more paper trays
+are empty. These keywords should not be cleared unless the corresponding issue
+no longer exists.</p>
+
+<p>Filters should clear job-related keywords on startup and exit so that they
+do not remain set between jobs. For example, "connecting-to-device" is a job
+sub-state and not an issue that applies when a job is not printing.</p>
+
+<blockquote><b>Note:</b>
+
+<p>"STATE:" messages often provide visible alerts to the user. For example,
+on OS X setting a printer-state-reason value with an "-error" or
+"-warning" suffix will cause the printer's dock item to bounce if the
+corresponding reason is localized with a cupsIPPReason keyword in the
+printer's PPD file.</p>
+
+<p>When providing a vendor-prefixed keyword, <em>always</em> provide the
+corresponding standard keyword (if any) to allow clients to respond to the
+condition correctly. For example, if you provide a vendor-prefixed keyword
+for a low cyan ink condition ("com.example.cyan-ink-low") you must also set the
+"marker-supply-low-warning" keyword. In such cases you should also refrain
+from localizing the vendor-prefixed keyword in the PPD file - otherwise both
+the generic and vendor-specific keyword will be shown in the user
+interface.</p>
+
+</blockquote>
+
+<h4><a name="REPORTING_SUPPLIES">Reporting Supply Levels</a></h4>
+
+<p>CUPS tracks several "marker-*" attributes for ink/toner supply level
+reporting. These attributes allow applications to display the current supply
+levels for a printer without printer-specific software. <a href="#TABLE3">Table 3</a> lists the marker attributes and what they represent.</p>
+
+<p>Filters set marker attributes by sending "ATTR:" messages to stderr. For
+example, a filter supporting an inkjet printer with black and tri-color ink
+cartridges would use the following to initialize the supply attributes:</p>
+
+<pre class="example">
+fputs("ATTR: marker-colors=#000000,#00FFFF#FF00FF#FFFF00\n", stderr);
+fputs("ATTR: marker-low-levels=5,10\n", stderr);
+fputs("ATTR: marker-names=Black,Tri-Color\n", stderr);
+fputs("ATTR: marker-types=ink,ink\n", stderr);
+</pre>
+
+<p>Then periodically the filter queries the printer for its current supply
+levels and updates them with a separate "ATTR:" message:</p>
+
+<pre class="example">
+int black_level, tri_level;
+...
+fprintf(stderr, "ATTR: marker-levels=%d,%d\n", black_level, tri_level);
+</pre>
+
+<div class='table'><table width='80%' summary='Table 3: Supply Level Attributes'>
+<caption>Table 3: <a name='TABLE3'>Supply Level Attributes</a></caption>
+<thead>
+<tr>
+ <th>Attribute</th>
+ <th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+ <td>marker-colors</td>
+ <td>A list of comma-separated colors; each color is either "none" or one or
+ more hex-encoded sRGB colors of the form "#RRGGBB".</td>
+</tr>
+<tr>
+ <td>marker-high-levels</td>
+ <td>A list of comma-separated "almost full" level values from 0 to 100; a
+ value of 100 should be used for supplies that are consumed/emptied like ink
+ cartridges.</td>
+</tr>
+<tr>
+ <td>marker-levels</td>
+ <td>A list of comma-separated level values for each supply. A value of -1
+ indicates the level is unavailable, -2 indicates unknown, and -3 indicates
+ the level is unknown but has not yet reached capacity. Values from 0 to 100
+ indicate the corresponding percentage.</td>
+</tr>
+<tr>
+ <td>marker-low-levels</td>
+ <td>A list of comma-separated "almost empty" level values from 0 to 100; a
+ value of 0 should be used for supplies that are filled like waste ink
+ tanks.</td>
+</tr>
+<tr>
+ <td>marker-message</td>
+ <td>A human-readable supply status message for the user like "12 pages of
+ ink remaining."</td>
+</tr>
+<tr>
+ <td>marker-names</td>
+ <td>A list of comma-separated supply names like "Cyan Ink", "Fuser",
+ etc.</td>
+</tr>
+<tr>
+ <td>marker-types</td>
+ <td>A list of comma-separated supply types; the types are listed in
+ <a href="#TABLE1">Table 1</a>.</td>
</tr>
</tbody>
</table></div>
<p>Filters can communicate with the backend via the
<a href="#cupsBackChannelRead"><code>cupsBackChannelRead</code></a> and
<a href="#cupsSideChannelDoRequest"><code>cupsSideChannelDoRequest</code></a>
-functions. The
+functions. The
<a href="#cupsBackChannelRead"><code>cupsBackChannelRead</code></a> function
reads data that has been sent back from the device and is typically used to
obtain status and configuration information. For example, the following code
status = <a href="#cupsSideChannelDoRequest">cupsSideChannelDoRequest</a>(CUPS_SC_CMD_GET_DEVICE_ID, data, &datalen, 1.0);
/* Use the returned value if OK was returned and the length is non-zero */
-if (status == CUPS_SC_STATUS_OK && datalen > 0)
+if (status == CUPS_SC_STATUS_OK && datalen > 0)
data[datalen] = '\0';
else
data[0] = '\0';
</pre>
+<h4><a name="DRAIN_OUTPUT">Forcing All Output to a Printer</a></h4>
+
+<p>The
+<a href="#cupsSideChannelDoRequest"><code>cupsSideChannelDoRequest</code></a>
+function allows you to tell the backend to send all pending data to the printer.
+This is most often needed when sending query commands to the printer. For example:</p>
+
+<pre class="example">
+#include <cups/cups.h>
+#include <cups/sidechannel.h>
+
+char data[1024];
+int datalen = sizeof(data);
+<a href="#cups_sc_status_t">cups_sc_status_t</a> status;
+
+/* Flush pending output to stdout */
+fflush(stdout);
+
+/* Drain output to backend, waiting for up to 30 seconds */
+status = <a href="#cupsSideChannelDoRequest">cupsSideChannelDoRequest</a>(CUPS_SC_CMD_DRAIN_OUTPUT, data, &datalen, 30.0);
+
+/* Read the response if the output was sent */
+if (status == CUPS_SC_STATUS_OK)
+{
+ ssize_t bytes;
+
+ /* Wait up to 10.0 seconds for back-channel data */
+ bytes = cupsBackChannelRead(data, sizeof(data), 10.0);
+ /* do something with the data from the printer */
+}
+</pre>
+
<h3><a name="COMMUNICATING_FILTER">Communicating with Filters</a></h3>
<p>Backends communicate with filters using the reciprocal functions
<a href="#cupsSideChannelSNMPWalk">cupsSNMPSideChannelWalk</a>(".1.3.6.1.2.1.43", 5.0, my_callback, my_data);
</pre>
+
+<h2><a name="SANDBOXING">Sandboxing on OS X</a></h2>
+
+<p>Starting with OS X 10.6, filters and backends are run inside a security "sandbox" which further limits (beyond the normal UNIX user/group permissions) what a filter or backend can do. This helps to both secure the printing system from malicious software and enforce the functional separation of components in the CUPS filter chain. What follows is a list of actions that are explicitly allowed for all filters and backends:</p>
+
+<ol>
+
+ <li>Reading of files: pursuant to normal UNIX file permissions, filters and backends can read files for the current job from the <var>/private/var/spool/cups</var> directory and other files on mounted filesystems <em>except</em> for user home directories under <var>/Users</var>.</li>
+
+ <li>Writing of files: pursuant to normal UNIX file permissions, filters and backends can read/write files to the cache directory specified by the <code>CUPS_CACHEDIR</code> environment variable, to the state directory specified by the <code>CUPS_STATEDIR</code> environment variable, to the temporary directory specified by the <code>TMPDIR</code> environment variable, and under the <var>/private/var/db</var>, <var>/private/var/folders</var>, <var>/private/var/lib</var>, <var>/private/var/mysql</var>, <var>/private/var/run</var>, <var>/private/var/spool</var> (except <var>/private/var/spool/cups</var>), <var>/Library/Application Support</var>, <var>/Library/Caches</var>, <var>/Library/Logs</var>, <var>/Library/Preferences</var>, <var>/Library/WebServer</var>, and <var>/Users/Shared</var> directories.</li>
+
+ <li>Execution of programs: pursuant to normal UNIX file permissions, filters and backends can execute any program not located under the <var>/Users</var> directory. Child processes inherit the sandbox and are subject to the same restrictions as the parent.</li>
+
+ <li>Bluetooth and USB: backends can access Bluetooth and USB printers through IOKit. <em>Filters cannot access Bluetooth and USB printers directly.</em></li>
+
+ <li>Network: filters and backends can access UNIX domain sockets under the <var>/private/tmp</var>, <var>/private/var/run</var>, and <var>/private/var/tmp</var> directories. Backends can also create IPv4 and IPv6 TCP (outgoing) and UDP (incoming and outgoing) socket, and bind to local source ports. <em>Filters cannot directly create IPv4 and IPv6 TCP or UDP sockets.</em></li>
+
+ <li>Notifications: filters and backends can send notifications via the Darwin <code>notify_post()</code> API.</li>
+
+</ol>
+
+<blockquote><b>Note:</b> The sandbox profile used in CUPS 2.0 still allows some actions that are not listed above - these privileges will be removed over time until the profile matches the list above.</blockquote>
projects / thirdparty / cups.git / blobdiff