freedomofpress/securedrop-client

Failed to Print non-PDF document

Closed this issue · 2 comments

Description

Failed to print

Steps to Reproduce

SDW 1.0.0

Print ".doc" file (any should fail).

Expected Behavior

File printed

Actual Behavior

After clicking "continue" on the print dialog, the dialog goes away but nothing happens. I would have expected the xpp dialog to show up.

What's actually happening is some memory access issues due to grsec enforcement: (see paste below)

deniedmmpa

However, from paxctld.conf this seems to be a known situation. So I have questions about this being the source of the issue.

Comments

I have tried unoconv in sd-devices and it worked fine. So, there is definitely some part of the program getting restricted from executing it.

Sorry for the screenshot. It has enough resolution to zoom in, but it was pure laziness from my side not to copy the logs over.

Jul 16 15:03:59 sd-devices 2024-07-16 15:03:59,832 - securedrop_export.print.service:192(_setup_printer) INFO: Setting up printer sdw-printer
Jul 16 15:03:59 sd-devices sudo:     user : PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/lpadmin -p sdw-printer -E -v usb://HP/LaserJet%20MFP%20M139-M142?serial=VNF5803658 -P /usr/share/cups/model/hp-laserjet_mfp_m139-m142.ppd -u allow:user
Jul 16 15:03:59 sd-devices sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jul 16 15:03:59 sd-devices sudo: pam_unix(sudo:session): session closed for user root
Jul 16 15:03:59 sd-devices 2024-07-16 15:03:59,895 - securedrop_export.print.service:276(safe_check_call) INFO: Encountered warning: lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS.
Jul 16 15:03:59 sd-devices 2024-07-16 15:03:59,895 - securedrop_export.print.service:245(_print_file) INFO: Converting Office document to pdf
Jul 16 15:04:00 sd-devices kernel: [11880.727748] kauditd_printk_skb: 4 callbacks suppressed
Jul 16 15:04:00 sd-devices kernel: [11880.727753] audit: type=1400 audit(1721138640.128:124): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/etc/dconf/profile/user" pid=20444 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 16 15:04:00 sd-devices kernel: [11880.727838] audit: type=1400 audit(1721138640.128:125): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/etc/dconf/db/local" pid=20444 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 16 15:04:00 sd-devices kernel: [11880.736804] grsec: denied RWX mprotect of <anonymous mapping> by /usr/lib/libreoffice/program/soffice.bin[soffice.bin:20444] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:00 sd-devices kernel: [11880.736935] audit: type=1400 audit(1721138640.136:126): apparmor="ALLOWED" operation="mknod" class="file" profile="libreoffice-soffice" name="/home/user/.execoooTixjx5" pid=20444 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 16 15:04:00 sd-devices kernel: [11880.737006] audit: type=1400 audit(1721138640.136:127): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/user/.execoooTixjx5" pid=20444 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Jul 16 15:04:00 sd-devices kernel: [11880.737077] audit: type=1400 audit(1721138640.136:128): apparmor="ALLOWED" operation="unlink" class="file" profile="libreoffice-soffice" name="/home/user/.execoooTixjx5" pid=20444 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
Jul 16 15:04:00 sd-devices kernel: [11880.737148] audit: type=1400 audit(1721138640.136:129): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libreoffice-soffice" name="/home/user/.execoooTixjx5" pid=20444 comm="soffice.bin" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=1000
Jul 16 15:04:01 sd-devices kernel: [11881.686303] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:01 sd-devices kernel: [11881.688011] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:01 sd-devices kernel: [11881.689595] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:01 sd-devices kernel: [11881.691410] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:01 sd-devices kernel: [11881.692287] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:01 sd-devices kernel: [11881.693882] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/python3.11[python3:20443] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 15:04:01 sd-devices kernel: [11881.694723] grsec: more alerts, logging disabled for 10 seconds
Jul 16 15:04:01 sd-devices dbus-daemon[667]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service' requested by ':1.2725' (uid=0 pid=20153 comm="")
Jul 16 15:04:01 sd-devices dbus-daemon[667]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service not found.
Jul 16 15:04:01 sd-devices kernel: [11882.331483] audit: type=1400 audit(1721138641.732:130): apparmor="ALLOWED" operation="mknod" class="file" profile="libreoffice-soffice" name="/home/user/.execoooPSlREA" pid=20444 comm="cppu_threadpool" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 16 15:04:01 sd-devices kernel: [11882.331558] audit: type=1400 audit(1721138641.732:131): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/user/.execoooPSlREA" pid=20444 comm="cppu_threadpool" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Jul 16 15:04:01 sd-devices kernel: [11882.331622] audit: type=1400 audit(1721138641.732:132): apparmor="ALLOWED" operation="unlink" class="file" profile="libreoffice-soffice" name="/home/user/.execoooPSlREA" pid=20444 comm="cppu_threadpool" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
Jul 16 15:04:01 sd-devices kernel: [11882.331698] audit: type=1400 audit(1721138641.732:133): apparmor="ALLOWED" operation="file_mmap" class="file" profile="libreoffice-soffice" name="/home/user/.execoooPSlREA" pid=20444 comm="cppu_threadpool" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=1000
Jul 16 15:04:02 sd-devices 2024-07-16 15:04:02,173 - securedrop_export.main:79(entrypoint) ERROR: 
Jul 16 15:04:02 sd-devices 2024-07-16 15:04:02,173 - securedrop_export.main:81(entrypoint) ERROR: Encountered exception ERROR_PRINT, exiting
Jul 16 15:04:02 sd-devices 2024-07-16 15:04:02,174 - securedrop_export.main:176(_write_status) INFO: Write status ERROR_PRINT
Jul 16 15:04:02 sd-devices qubes.OpenInVM+-sd-app: ERROR_PRINT

On 4.1, those loglines are present, but printing .doc (etc) files is successful. On 4.2, I can reproduce the issue. I don't think it's a grsec problem, I think it's a client bug / QProcess problem - if you inspect the client loglines, the client thinks printing has occurred successfully. I think the qprocess for conversion is completing and signaling to the client "a process is complete!" and so the client exits before the actual print operation can occur, but I'm not totally sure (and that isn't a compelling reason why it wouldn't work on 4.2). I'll investigate more tomorrow.
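A triage helper for journal output like the log above, added here as an example and not part of the issue thread or the SecureDrop code base: it counts grsec denials per binary and parent, and keeps them apart from AppArmor "ALLOWED" records, which a complain-mode profile logs without blocking the access. The sample lines are abridged from the log format above; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# grsec: "denied <what> by <exe>[<comm>:<pid>] ..., parent <exe>[<comm>:<pid>]"
GRSEC = re.compile(
    r"grsec: denied (?P<what>.+?) by (?P<exe>\S+)\[[^:\]]+:\d+\]"
    r".*?parent (?P<parent>\S+)\[[^:\]]+:\d+\]"
)
# AppArmor audit record: verdict, operation and profile are key="value" pairs.
APPARMOR = re.compile(
    r'apparmor="(?P<verdict>[A-Z]+)" operation="(?P<op>[^"]+)"'
    r'.*?profile="(?P<profile>[^"]+)"'
)
# grsec rate-limits its own logging; after this line the counts are lower bounds.
RATE_LIMIT = re.compile(r"grsec: more alerts, logging disabled for \d+ seconds")


def summarize(lines):
    """Group kernel security log lines so two hosts can be compared side by side."""
    grsec, apparmor, rate_limited = Counter(), Counter(), 0
    for line in lines:
        if m := GRSEC.search(line):
            grsec[(m["what"], m["exe"], m["parent"])] += 1
        elif m := APPARMOR.search(line):
            apparmor[(m["profile"], m["verdict"], m["op"])] += 1
        elif RATE_LIMIT.search(line):
            rate_limited += 1
    return {"grsec": grsec, "apparmor": apparmor, "rate_limited": rate_limited}


# Constructed sample, abridged from the log format shown in the issue.
ID = "uid/euid:1000/1000 gid/egid:1000/1000"
SAMPLE = [
    'kernel: audit: type=1400 apparmor="ALLOWED" operation="open" class="file" '
    'profile="libreoffice-soffice" name="/etc/dconf/profile/user" pid=20444',
    "kernel: grsec: denied RWX mprotect of <anonymous mapping> by "
    f"/usr/lib/libreoffice/program/soffice.bin[soffice.bin:20444] {ID}, "
    f"parent /usr/bin/python3.11[python3:20443] {ID}",
    "kernel: grsec: denied RWX mprotect of <anonymous mapping> by "
    f"/usr/bin/python3.11[python3:20443] {ID}, "
    f"parent /opt/venvs/securedrop-export/bin/send-to-usb[send-to-usb:20413] {ID}",
    "kernel: grsec: more alerts, logging disabled for 10 seconds",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, count in report["grsec"].items():
        print(count, *key, sep=" | ")
    print("rate-limited windows:", report["rate_limited"])
```

Running the same summary over journal output from a working and a failing host shows quickly whether the set of denials actually differs between them.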