Upgrading Ubuntu Breaks Printer (cupsys)

During an upgrade of Ubuntu my printing capability was suddenly cut short. A red sign appeared on my printer icon on my task bar and any printed documents would be queued but not printed.

The Symptoms

A quick look in /var/log/cups/error_log gave the following clue:

Filter "brightq-CPCA" for printer "print" not available: Permission denied

In my case the printer driver is a proprietary driver called "BrightQ™" provided by Codehost Inc. The proprietary driver is for a Canon ImageRunner 2200 (ir2200).

I accessed the web interface for CUPS by pointing my browser to http://localhost:631. I tried to restart a job that was still queued and got this error message on the screen:

"Unable to start filter "brightq-CPCA" - Permission denied."

Another check of /var/log/cups/error_log showed more information:

E  Unable to execute /usr/lib/cups/filter/brightq-CPCA: Permission denied
E [Job 76] Unable to start filter "brightq-CPCA" - Permission denied.
E Restart-Job: Unauthorized
E Unable to execute /usr/lib/cups/filter/brightq-CPCA: Permission denied
E [Job 76] Unable to start filter "brightq-CPCA" - Permission denied.

The syslog gave up some information as well:

kernel: [14228.196000] audit(1202243051.870:8):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14257.180000] audit(1202243080.872:9):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"

The Cause

Some quick search engine lookups of the error messages indicated that the problem revolves around a security tool created by Novell/openSUSE called AppArmor. AppArmor runs in the kernel and uses the Linux Security Modules (LSM) framework. Basically a profile is created for each binary that specifies (or confines) how that file can interact with other files on the system.

In this case the binary "/usr/sbin/cupsd" wants to execute (x) "/usr/local/brightq/filters/brightq-CPCA". Because the proprietary driver is not included in a normal Ubuntu installation, AppArmor considers the binary foreign and protects the system from running a file it does not trust. AppArmor is simply doing its job!

When the cupsys package was updated, line 7 of /etc/apparmor.d/usr.sbin.cupsd was changed from:

/usr/sbin/cupsd flags=(complain) {

to:

/usr/sbin/cupsd {

The old /etc/apparmor.d/usr.sbin.cupsd profile put /usr/sbin/cupsd in complain mode, where policy violations are only logged and access is still allowed. The new profile is enforced, so third-party drivers it does not list are no longer run.

A Workaround

This workaround will work for all proprietary drivers. As many people will have their drivers in different locations, this quick fix is the simplest way to tell AppArmor to allow access to proprietary printer drivers, by allowing access to everything (security risk!). By telling AppArmor to only "complain" rather than enforce policies for the cupsd binary, printing will be allowed to continue:

sudo aa-complain cupsd

This of course leaves your system vulnerable to other proprietary printer drivers infecting your system. A better and relatively more secure option is to tell AppArmor to allow the third party driver. Note that I say relatively more secure: the profile located at /etc/apparmor.d/usr.sbin.cupsd has many entries that are wide open. However, it is always a good idea to follow good security practices.

The Fix

I am going to edit the AppArmor profile for /usr/sbin/cupsd and add an entry for my third party driver. Open /etc/apparmor.d/usr.sbin.cupsd:

sudo gedit /etc/apparmor.d/usr.sbin.cupsd

Move to line 100 and change the configuration to read:

  # third-party printer drivers; no known structure here
  /opt/** rix,

  # FIXME: no policy ATM for hplip
  /usr/bin/hpijs Ux,

  # Add third party driver here
  /usr/local/brightq/filters/brightq-CPCA Ux,

}

NOTE: replace /usr/local/brightq/filters/brightq-CPCA with your driver. You can determine the path to the file by looking at your /var/log/syslog file for "audit" events (see the last error message in "The Cause" section).
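
The audit-log lookup described in the note above can be scripted. The following is an added example, not part of the original post: it parses syslog lines in the format shown earlier and lists, per AppArmor profile, which paths were denied and with what mask. The function names and the third and fourth sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines copy the format of the syslog
# entries shown above; the third (a read denial on a made-up path) and the
# fourth (a non-audit line) are invented to exercise the parser.
SAMPLE_SYSLOG = """\
kernel: [14228.196000] audit(1202243051.870:8):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14257.180000] audit(1202243080.872:9):  type=1503 operation="inode_permission" requested_mask="x" denied_mask="x" name="/usr/local/brightq/filters/brightq-CPCA" pid=5049 profile="/usr/sbin/cupsd"
kernel: [14300.000000] audit(1202243100.000:10):  type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/local/brightq/etc/example.conf" pid=5049 profile="/usr/sbin/cupsd"
cupsd: unrelated line without an audit record
"""

AUDIT_RE = re.compile(r'audit\([\d.]+:\d+\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def parse_denials(text):
    """Return a dict of fields for every audit record with a denied_mask."""
    records = []
    for line in text.splitlines():
        match = AUDIT_RE.search(line)
        if not match:
            continue  # not an audit record
        fields = {k: quoted or bare
                  for k, quoted, bare in FIELD_RE.findall(match.group(1))}
        if fields.get("denied_mask") and "profile" in fields and "name" in fields:
            records.append(fields)
    return records


def summarize(text):
    """Count denials per (profile, path, denied mask), sorted for stable output."""
    counts = Counter((r["profile"], r["name"], r["denied_mask"])
                     for r in parse_denials(text))
    return sorted(counts.items())


def denied_exec_paths(text, profile):
    """Paths the given profile was refused permission to execute."""
    return sorted({r["name"] for r in parse_denials(text)
                   if r["profile"] == profile and "x" in r["denied_mask"]})


if __name__ == "__main__":
    for (profile, path, mask), n in summarize(SAMPLE_SYSLOG):
        print(f"{n:3d}  profile={profile}  denied={mask}  path={path}")
    print("exec rule candidates:", denied_exec_paths(SAMPLE_SYSLOG, "/usr/sbin/cupsd"))
```

Only the paths reported with an "x" mask need an execute rule in the profile; listing them explicitly keeps the added rule as narrow as the single driver binary.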

Setting a program to run in Unconstrained Execute Mode (Ux) is similar to running a program setuid. Note that this is "wide-open", as the binary driver runs without any restrictions. While this is generally undesirable, there are many cases that require the freedom, especially with third party closed source drivers.

Now reload AppArmor:

sudo /etc/init.d/apparmor reload

You may get an error message:

Reloading AppArmor profiles  Skipping profile /etc/apparmor.d/usr.sbin.cupsd.dpkg-old
: Warning.

Removing /etc/apparmor.d/usr.sbin.cupsd.dpkg-old will eliminate the warning:

sudo rm /etc/apparmor.d/usr.sbin.cupsd.dpkg-old

That's it! Happy printing.

Comments

Thanks but still having issues with Canon UFRII drivers

Hi Dallas:

Thanks for the info. This got me around the issue of pstoufr2cpca not running on Ubuntu 11.10. But now the job goes to the printq and seems to complete successfully, but still nothing comes out of the printer.

Any Ideas?

re: Thanks but still having issues with Canon UFRII drivers

Hi Pete, what do the log files in /var/log/cups/ say?

Thanks for this fix for my

Thanks for this fix for my installation of Ubuntu 11.04. Your description was clear and worthwhile in understanding what was happening.

However, I had 3 differences:
1) My network printer is a Brother 4070CDW color laser printer
2) My /var/log/cupsd/error_log was empty
3) My /etc/apparmor.d/usr.sbin.cupsd already contained

# third-party printer drivers; no known structure here
/opt/** rix,

# FIXME: no policy ATM for hplip and Brother drivers
/usr/bin/hpijs Ux,
/usr/Brother/** Ux,

All I needed to do was issue the command:

sudo aa-complain cupsd

Once that was run, the previously configured printer showed up and CUPS was running fine.

Again, thanks,

Reg

Thanks for this tip. I just

Thanks for this tip. I just spent 2 hours going round in circles trying to sort this issue and you fixed it in a second. Really appreciate it.

Richard

Thanks

Thank you SO much. I couldn't figure out for the life of me what was going on. All I got was that cryptic error message. I did a complete re-install of CUPS, and was about to redo the Ubuntu installation.

Thanks a lot!
Ash

Thanks

Thanks for the info, this is indeed very useful.

RE: Thanks

np John; I remember feeling the same way the first couple of times I ran into the CUPS/apparmor issue.
