From a6725ea46553f6240908cc2eed36462d1b26d3ec Mon Sep 17 00:00:00 2001
From: James Henstridge
Date: Fri, 3 Jun 2022 18:00:03 +0800
Subject: [PATCH] interfaces/builtin: remove the name=org.freedesktop.DBus restriction in cups-control AppArmor rules This seems to have been included erroneously: the org.freedesktop.DBus bus name is owned by the bus itself rather than any particular peer connected to the bus. While it makes sense to use in a rule dealing with communication with the bus, it seems to block legitimate traffic in this case.
---
 interfaces/builtin/cups_control.go | 6 +++---
 interfaces/builtin/cups_control_test.go | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/interfaces/builtin/cups_control.go b/interfaces/builtin/cups_control.go
index 6a44b386677..3c625d3685f 100644
--- a/interfaces/builtin/cups_control.go
+++ b/interfaces/builtin/cups_control.go
@@ -81,7 +81,7 @@ dbus (send)
 bus=system
 path=/org/cups/cupsd/Notifier
 interface=org.cups.cupsd.Notifier
- peer=(name=org.freedesktop.DBus,label=unconfined),
+ peer=(label=unconfined),

 # Allow daemon to send signals to its snap_daemon processes
 capability kill,
@@ -96,7 +96,7 @@ dbus (send)
 bus=system
 path=/org/cups/cupsd/Notifier
 interface=org.cups.cupsd.Notifier
- peer=(name=org.freedesktop.DBus,label=###PLUG_SECURITY_TAGS###),
+ peer=(label=###PLUG_SECURITY_TAGS###),
 `

 const cupsControlConnectedPlugAppArmor = `
@@ -111,7 +111,7 @@ dbus (receive)
 bus=system
 path=/org/cups/cupsd/Notifier
 interface=org.cups.cupsd.Notifier
- peer=(name=org.freedesktop.DBus,label=###SLOT_SECURITY_TAGS###),
+ peer=(label=###SLOT_SECURITY_TAGS###),
 `

 type cupsControlInterface struct {
diff --git a/interfaces/builtin/cups_control_test.go b/interfaces/builtin/cups_control_test.go
index a220b598dd0..8b5227e5d5f 100644
--- a/interfaces/builtin/cups_control_test.go
+++ b/interfaces/builtin/cups_control_test.go
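Review bot: With `name=` dropped, the three Notifier rules (`@@ -81`, `@@ -96`, `@@ -111`) constrain the peer by AppArmor label alone, and nothing in the policy text records why, so a later hardening pass could re-add the bus name and reintroduce the blocked traffic the commit message describes. A policy comment above each rule would pin the reasoning, for example `# peer is matched by label only: org.freedesktop.DBus is owned by the bus daemon, not by cupsd or its clients`. The first rule is the widest of the three after this change, since it carries no `member=` condition and its peer is `label=unconfined`; it stays bounded by `bus=system`, the path and the interface, but if the set of Notifier signals is fixed it may be worth listing them. Each rule's opening `dbus (...)` line sits outside its hunk.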
@@ -106,7 +106,7 @@ func (s *cupsControlSuite) TestAppArmorSpecCore(c *C) {
 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
 c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Allow communicating with the cups server for printing and configuration.")
 c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "#include ")
- c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "peer=(name=org.freedesktop.DBus,label=\"snap.provider.app\"")
+ c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "peer=(label=\"snap.provider.app\"")
 c.Assert(spec.SnippetForTag("snap.provider.app"), Not(testutil.Contains), "# Allow daemon access to create the CUPS socket")

 // provider to consumer on core for PermanentSlot
@@ -120,7 +120,7 @@ func (s *cupsControlSuite) TestAppArmorSpecCore(c *C) {
 spec = &apparmor.Specification{}
 c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.providerSlot), IsNil)
 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.provider.app"})
- c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "peer=(name=org.freedesktop.DBus,label=\"snap.consumer.app\"")
+ c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "peer=(label=\"snap.consumer.app\"")
 }

 func (s *cupsControlSuite) TestAppArmorSpecClassic(c *C) {
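Review bot: The PermanentSlot part of TestAppArmorSpecCore, which starts at the `// provider to consumer on core for PermanentSlot` comment and lies between these two hunks, is untouched by the commit, so it apparently never asserted on the Notifier peer rule and the relaxed `peer=(label=unconfined),` line in cups_control.go is not pinned by any test visible here. An assertion in that section along the lines of `c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "peer=(label=unconfined),")` would cover it, ideally with a `Not(testutil.Contains)` check for `name=org.freedesktop.DBus` so the old condition cannot return unnoticed. The tag name and the assumption that this rule belongs to the permanent-slot snippet are inferred from the surrounding lines; the body of that section is outside the hunk.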
@@ -133,7 +133,7 @@ func (s *cupsControlSuite) TestAppArmorSpecClassic(c *C) {
 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
 c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Allow communicating with the cups server for printing and configuration.")
 c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "#include ")
- c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "peer=(name=org.freedesktop.DBus,label=\"{unconfined,/usr/sbin/cupsd,cupsd}\"")
+ c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "peer=(label=\"{unconfined,/usr/sbin/cupsd,cupsd}\"")
 c.Assert(spec.SnippetForTag("snap.provider.app"), Not(testutil.Contains), "# Allow daemon access to create the CUPS socket")

 // core to consumer on classic is empty for PermanentSlot
@@ -152,7 +152,7 @@ func (s *cupsControlSuite) TestAppArmorSpecClassic(c *C) {
 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
 c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Allow communicating with the cups server for printing and configuration.")
 c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "#include ")
- c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "peer=(name=org.freedesktop.DBus,label=\"snap.provider.app\"")
+ c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "peer=(label=\"snap.provider.app\"")
 c.Assert(spec.SnippetForTag("snap.provider.app"), Not(testutil.Contains), "# Allow daemon access to create the CUPS socket")

 // provider to consumer on classic for PermanentSlot
@@ -166,7 +166,7 @@ func (s *cupsControlSuite) TestAppArmorSpecClassic(c *C) {
 spec = &apparmor.Specification{}
 c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.providerSlot), IsNil)
 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.provider.app"})
- c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "peer=(name=org.freedesktop.DBus,label=\"snap.consumer.app\"")
+ c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "peer=(label=\"snap.consumer.app\"")
 }

 func (s *cupsControlSuite) TestStaticInfo(c *C) {