git.ipfire.org Git - thirdparty/cups.git/commit

author	Till Kamppeter <till.kamppeter@gmail.com>
	Mon, 1 Mar 2021 17:26:43 +0000 (18:26 +0100)
committer	Till Kamppeter <till.kamppeter@gmail.com>
	Mon, 1 Mar 2021 17:26:43 +0000 (18:26 +0100)
commit	0cdf79ef5e2dcfbb1e1623f30e47b164d109ee40
tree	3d34e57674ce4f56cde4451e56ecc27f3ceff4a2	tree \| snapshot
parent	74418acb40416966f9413aecdf3912915dc59662	commit \| diff

scheduler: Added extra check for administrative tasks from Snaps

Let the scheduler check whether if an administrative request
(create/modify print queue, delete someone else's jobs, ...) from a
client is from a fully confined Snap and then only grant access if the
client Snap plugs "cups-control". If client Snap plugs "cups" instead
it can only print, check status, or remove the caller's own jobs. For
requests from classically confined Snaps or unsnapped clients access
is always granted.

This is to protect arbitrary Snaps from the Snap Store to do
administrative CUPS tasks. The Snap Store allows automatic connection
only of the "cups" interface, not of the cups-control interface.

This facility is optional, to be activated by configure options,
"--enable-snapped-clients" for unsnapped CUPS and
"--enable-snapped-cupsd" when CUPS itself is also in a Snap. The
former accesses the needed information about the client using
libsnapd-glib (which cannot be used from within a Snap) and latter
uses the "snapctl" utility (which only works from within a Snap). In
both cases also libapparmor is needed to determine whether the client
is actually a Snap.

CHANGES.md		diff \| blob \| blame \| history
Makedefs.in		diff \| blob \| blame \| history
config-scripts/cups-snap.m4	[new file with mode: 0644]	blob
config.h.in		diff \| blob \| blame \| history
configure.ac		diff \| blob \| blame \| history
scheduler/Makefile		diff \| blob \| blame \| history
scheduler/auth.c		diff \| blob \| blame \| history