It is possible to bypass the AppArmor cupsd sandbox by invoking the dnssd backend using an alternate name that has been hard linked to dnssd. Both Debian and Ubuntu use AppArmor and shipped the mdns backend in this manner, in contrast to macOS and other systems that use symbolic links. Invoking the mdns backend causes the AppArmor profile to treat the backend as 3rd party, removing sandbox restrictions. References: https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html Upstream patch: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc
Statement: This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux as they did not include support for AppArmor.