From: Till Kamppeter <till.kamppeter@gmail.com>
Date: Wed, 10 Mar 2021 20:48:18 +0000 (+0100)
Subject: scheduler: Admin task check: Grant access when client is our Snap
X-Git-Tag: v2.4b1~194
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09c4144fd87522b5cbdb4b77bbb6598cd1701772;p=thirdparty%2Fcups.git

scheduler: Admin task check: Grant access when client is our Snap

If the client Snap is the same as our cupsd is snapped in, grant
access without calling "snapctl". This makes the checks faster and
less resource-consuming if the inquiries are from the command line
tools or the included cups-browsed.
---

diff --git a/config-scripts/cups-snap.m4 b/config-scripts/cups-snap.m4
index f3c539d05c..cff05f2590 100644
--- a/config-scripts/cups-snap.m4
+++ b/config-scripts/cups-snap.m4
@@ -9,6 +9,12 @@ dnl
 
 AC_ARG_ENABLE([snapped_cupsd], AS_HELP_STRING([--enable-snapped-cupsd], [enable support for packaging CUPS in a Snap]))
 AC_ARG_ENABLE([snapped_clients], AS_HELP_STRING([--enable-snapped-clients], [enable support for CUPS controlling admin access from snapped clients]))
+AC_ARG_WITH([our-snap-name], AS_HELP_STRING([--with-our-snap-name], [Set name of the Snap we are snapped in, only needed with --enable-snapped-cupsd, default=cups]), [
+    OUR_SNAP_NAME="$withval"
+], [
+    OUR_SNAP_NAME="cups"
+])
+AC_DEFINE_UNQUOTED([OUR_SNAP_NAME], ["$OUR_SNAP_NAME"], [Name of the Snap we are snapped in.])
 AC_ARG_WITH([snapctl], AS_HELP_STRING([--with-snapctl], [Set path for snapctl, only needed with --enable-snapped-cupsd, default=/usr/bin/snapctl]), [
     SNAPCTL="$withval"
 ], [
diff --git a/config.h.in b/config.h.in
index 268ce4877a..7f91b82a6c 100644
--- a/config.h.in
+++ b/config.h.in
@@ -659,6 +659,7 @@
 #undef HAVE_SNAPDGLIB
 #undef HAVE_SNAPD_CLIENT_RUN_SNAPCTL2_SYNC
 #undef HAVE_SNAPCTL_IS_CONNECTED
+#undef OUR_SNAP_NAME
 #undef SNAPCTL
 #undef CUPS_CONTROL_SLOT
 #undef SUPPORT_SNAPPED_CUPSD
diff --git a/scheduler/auth.c b/scheduler/auth.c
index 004dba9c9f..1ecab1c0d1 100644
--- a/scheduler/auth.c
+++ b/scheduler/auth.c
@@ -1624,6 +1624,15 @@ cupsdCheckAdminTask(cupsd_client_t *con) /* I - Connection */
       } else
 	cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdCheckAdminTask: AppArmor profile of client process: %s", context);
 
+#  ifdef OUR_SNAP_NAME
+      /* Is the client one of the utilities of our Snap? */
+      if (!strncmp(context, "snap." OUR_SNAP_NAME ".", strlen(OUR_SNAP_NAME) + 6))
+      {
+	cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdCheckAdminTask: Client Snap is the same Snap we are running in, access granted");
+	goto snap_check_done;
+      }
+#  endif /* OUR_SNAP_NAME */
+
 #  ifdef SUPPORT_SNAPPED_CUPSD
 
      /*