Bug#670528: evince: please include AppArmor profile

April 26th, 2012 - 08:40 am ET by intrigeri
Source: evince
Version: 3.2.1-1+b1
Severity: wishlist
Tags: patch
User: apparmor@packages.debian.org
Usertags: new-profile
thanks

Please include AppArmor profile for evince.

Since it handles untrusted data, and has been affected by a number of
potential security issues in past years relating to its handling of
those, it seems like an ideal candidate for confining:
https://wiki.debian.org/AppArmor

I have been testing evince for a few months, on a Debian sid system,
with the AppArmor profile shipped by Ubuntu's evince (3.3.5-0ubuntu1
and 3.4.0-0ubuntu1). I have not run into any single problem with it.

Attached is a patch that adds this AppArmor support to evince.
Please consider applying it.

Note that enforcing AppArmor profiles is currently opt-in: applying
the attached does not change anything for users unless they enable
AppArmor system-wide themselves.

diff -Naur evince-3.2.1-1.orig/debian/apparmor-profile evince-3.2.1/debian/apparmor-profile
evince-3.2.1-1.orig/debian/apparmor-profile 1970-01-01 01:00:00.000000000 +0100
+++ evince-3.2.1/debian/apparmor-profile 2012-04-08 09:05:20.240673780 +0200
@@ -0,0 +1,147 @@
+# vim:syntax=apparmor
+# Author: Kees Cook <kees@canonical.com>
+# Jamie Strandboge <jamie@canonical.com>
+
+#include <tunables/global>
+
+/usr/bin/evince {
+ #include <abstractions/audio>
+ #include <abstractions/bash>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/evince>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/launchpad-integration>
+
+ #include <abstractions/ubuntu-browsers>
+ #include <abstractions/ubuntu-console-browsers>
+ #include <abstractions/ubuntu-email>
+ #include <abstractions/ubuntu-console-email>
+ #include <abstractions/ubuntu-media-players>
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrict access to what only evince is allowed to do
+ #include <abstractions/ubuntu-gnome-terminal>
+
+ # By default, we won't support launching a terminal program in Xterm or
+ # KDE's konsole. It opens up too many unnecessary files for most users.
+ # People who need this functionality can uncomment the following:
+ ##include <abstractions/ubuntu-xterm>
+ ##include <abstractions/ubuntu-konsole>
+
+ /usr/bin/evince rmPx,
+ /usr/bin/evince-previewer Px,
+ /usr/bin/yelp Cx -> sanitized_helper,
+ /usr/bin/bug-buddy px,
+ /usr/bin/nautilus Cx -> sanitized_helper,
+
+ # For text attachments
+ /usr/bin/gedit ixr,
+
+ # For Send to
+ /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+
+ # allow directory listings (ie 'r' on directories) so browsing via the file
+ # dialog works
+ / r,
+ /**/ r,
+
+ @{HOME}/ r,
+
+ # This is need for saving files in your home directory without an extension.
+ # Changing this to '@{HOME}/** r' makes it require an extension and more
+ # secure (but with 'rw', we still have abstractions/private-files-strict in
+ # effect).
+ @{HOME}/** rw,
+ @{HOME}/.local/share/gvfs-metadata/** l,
+
+ @{HOME}/.gnome2/evince/* rwl,
+ @{HOME}/.gnome2/accels/ rw,
+ @{HOME}/.gnome2/accelsevince rw,
+ @{HOME}/.gnome2/accels/evince rw,
+
+ # from http://live.gnome.org/Evince/Suppor...ntFormats. Allow
+ # read and write for all supported file formats
+ /**.[bB][mM][pP] rw,
+ /**.[dD][jJ][vV][uU] rw,
+ /**.[dD][vV][iI] rw,
+ /**.[gG][iI][fF] rw,
+ /**.[jJ][pP][gG] rw,
+ /**.[jJ][pP][eE][gG] rw,
+ /**.[oO][dD][pP] rw,
+ /**.[fFpP][dD][fF] rw,
+ /**.[pP][nN][mM] rw,
+ /**.[pP][nN][gG] rw,
+ /**.[pP][sS] rw,
+ /**.[eE][pP][sS] rw,
+ /**.[tT][iI][fF] rw,
+ /**.[tT][iI][fF][fF] rw,
+ /**.[xX][pP][mM] rw,
+ /**.[gG][zZ] rw,
+ /**.[bB][zZ]2 rw,
+ /**.[cC][bB][rRzZ7] rw,
+
+ # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
+ # directory a file is saved. This allows that behavior.
+ owner /**/.goutputstream-* w,
+}
+
+/usr/bin/evince-previewer {
+ #include <abstractions/audio>
+ #include <abstractions/bash>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/evince>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/launchpad-integration>
+
+ #include <abstractions/ubuntu-browsers>
+ #include <abstractions/ubuntu-console-browsers>
+ #include <abstractions/ubuntu-email>
+ #include <abstractions/ubuntu-console-email>
+ #include <abstractions/ubuntu-media-players>
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrict access to what only evince is allowed to do
+ #include <abstractions/ubuntu-gnome-terminal>
+
+ # By default, we won't support launching a terminal program in Xterm or
+ # KDE's konsole. It opens up too many unnecessary files for most users.
+ # People who need this functionality can uncomment the following:
+ ##include <abstractions/ubuntu-xterm>
+
+ /usr/bin/evince-previewer mr,
+ /usr/bin/yelp Cx -> sanitized_helper,
+ /usr/bin/bug-buddy px,
+
+ # Lenient, but remember we still have abstractions/private-files-strict in
+ # effect).
+ @{HOME}/ r,
+ @{HOME}/** r,
+}
+
+/usr/bin/evince-thumbnailer {
+ #include <abstractions/evince>
+
+ # The thumbnailer doesn't need access to everything in the nameservice
+ # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
+ # logging denial of nsswitch.conf.
+ /etc/passwd r,
+ /etc/group r,
+ deny /etc/nsswitch.conf r,
+
+ # TCP/UDP network access for NFS
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ /usr/bin/evince-thumbnailer mr,
+
+ # Lenient, but remember we still have abstractions/private-files-strict in
+ # effect).
+ @{HOME}/ r,
+ @{HOME}/** rw,
+}
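Review bot: `@{HOME}/.gnome2/accelsevince rw,` looks like a typo for the `@{HOME}/.gnome2/accels/evince rw,` rule right below it; drop the stray line. In the same hunk, the per-extension rules such as `/**.[pP][dD][fF] rw,` grant write access to any matching file anywhere on the filesystem without an `owner` qualifier, while the `.goutputstream-*` rule further down is `owner`-qualified; if saving over other users' documents is not a use case, `owner` on the `rw` rules would narrow that. Two smaller points: the evince-previewer profile's comment talks about Xterm and konsole but only carries the `##include <abstractions/ubuntu-xterm>` line, so either add the `##include <abstractions/ubuntu-konsole>` line as in the evince profile or trim the comment, and the comments "This is need for saving files" and "in effect)." need a grammar fix and a matching opening parenthesis.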
diff -Naur evince-3.2.1-1.orig/debian/apparmor-profile.abstraction evince-3.2.1/debian/apparmor-profile.abstraction
evince-3.2.1-1.orig/debian/apparmor-profile.abstraction 1970-01-01 01:00:00.000000000 +0100
+++ evince-3.2.1/debian/apparmor-profile.abstraction 2012-04-08 09:05:42.808930386 +0200
@@ -0,0 +1,112 @@
+# vim:syntax=apparmor
+#
+# abstraction used by evince binaries
+#
+
+ #include <abstractions/gnome>
+ #include <abstractions/p11-kit>
+ #include <abstractions/ubuntu-helpers>
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/[0-9]*/mountinfo r,
+ owner @{PROC}/[0-9]*/auxv r,
+ owner @{PROC}/[0-9]*/status r,
+
+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+ # Possibly move to an abstraction if anything else needs it.
+ deny /run/udev/data/** r,
+
+ # move out to the gnome abstraction if anyone else needs these
+ /dev/.udev/{data,db}/* r,
+ /etc/udev/udev.conf r,
+ /sys/devices/**/block/**/uevent r,
+
+ # apport
+ /etc/default/apport r,
+
+ # evince specific
+ /etc/ r,
+ /etc/fstab r,
+ /etc/texmf/ r,
+ /etc/texmf/** r,
+ /etc/xpdf/* r,
+
+ /usr/bin/gs-esp ixr,
+ /usr/bin/mktexpk Cx -> sanitized_helper,
+ /usr/bin/mktextfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+ # supported archivers
+ /bin/gzip ixr,
+ /bin/bzip2 ixr,
+ /usr/bin/unrar* ixr,
+ /usr/bin/unzip ixr,
+ /usr/bin/7zr ixr,
+ /usr/lib/p7zip/7zr ixr,
+ /usr/bin/7za ixr,
+ /usr/lib/p7zip/7za ixr,
+ /usr/bin/zipnote ixr,
+ /bin/tar ixr,
+
+ # allow read access to anything in /usr/share, for plugins and input methods
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /usr/lib/ghostscript/** mr,
+ /var/lib/ghostscript/** r,
+ /var/lib/texmf/** r,
+
+ # from http://live.gnome.org/Evince/Suppor...ntFormats. Allow
+ # read for all supported file formats
+ /**.[bB][mM][pP] r,
+ /**.[dD][jJ][vV][uU] r,
+ /**.[dD][vV][iI] r,
+ /**.[gG][iI][fF] r,
+ /**.[jJ][pP][gG] r,
+ /**.[jJ][pP][eE][gG] r,
+ /**.[oO][dD][pP] r,
+ /**.[fFpP][dD][fF] r,
+ /**.[pP][nN][mM] r,
+ /**.[pP][nN][gG] r,
+ /**.[pP][sS] r,
+ /**.[eE][pP][sS] r,
+ /**.[tT][iI][fF] r,
+ /**.[tT][iI][fF][fF] r,
+ /**.[xX][pP][mM] r,
+ /**.[gG][zZ] r,
+ /**.[bB][zZ]2 r,
+ /**.[cC][bB][rRzZ7] r,
+
+ # Use abstractions/private-files instead of abstractions/private-files-strict
+ # and add the sensitive files manually to work around LP: #451422. The goal
+ # is to disallow access to the .mozilla folder in general, but to allow
+ # access to the Cache directory, which the browser may tell evince to open
+ # from directly.
+
+ #include <abstractions/private-files>
+ audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.ssh/** mrwkl,
+ audit deny @{HOME}/.gnome2_private/** mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.pki/nssdb/** w,
+
+ audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+ audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
+
+ audit deny @{HOME}/.config/chromium/** mrwkl,
+ audit deny @{HOME}/.evolution/** mrwkl,
+ audit deny @{HOME}/.config/evolution/** mrwkl,
+ audit deny @{HOME}/.kde/share/config/** mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
+
+ # When LP: #451422 is fixed, change the above to simply be:
+ ##include <abstractions/private-files-strict>
+ #owner @{HOME}/.mozilla/**/*Cache/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.evince>
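Review bot: `#include <local/usr.bin.evince>` at the end of this abstraction is pulled into all three profiles through `#include <abstractions/evince>`, which each profile lists near its top, so site-local additions end up before the profile's own rules rather than at its end where a `local/` include conventionally sits; consider moving that include to just before the closing brace of each profile in debian/apparmor-profile instead. Also, the comment "allow read access to anything in /usr/share" sits above a `/usr/local/share/** r,` rule as well, and `/etc/ r,` plus `/etc/fstab r,` are granted to all three binaries under "evince specific" without saying which component needs them; a one-line comment on each would help future maintainers decide whether the thumbnailer still needs them.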
diff -Naur evince-3.2.1-1.orig/debian/control evince-3.2.1/debian/control
evince-3.2.1-1.orig/debian/control 2011-10-18 00:43:44.000000000 +0200
+++ evince-3.2.1/debian/control 2012-04-08 10:24:32.986983300 +0200
@@ -10,6 +10,7 @@
Uploaders: Emilio Pozuelo Monfort <pochu@debian.org>, Frederic Peters <fpeters@debian.org>, Michael Biebl <biebl@debian.org>
Build-Depends: cdbs (>= 0.4.90),
debhelper (>= 8),
+ dh-apparmor,
dh-autoreconf,
intltool (>= 0.35.0),
gnome-pkg-tools (>= 0.10),
@@ -58,7 +59,7 @@
Provides: pdf-viewer,
postscript-viewer,
djvu-viewer
-Suggests: unrar, poppler-data, nautilus
+Suggests: unrar, poppler-data, nautilus, apparmor
Description: Document (PostScript, PDF) viewer
Evince is a simple multi-page document viewer. It can display and print
PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
@@ -99,7 +100,7 @@
Provides: pdf-viewer,
postscript-viewer,
djvu-viewer
-Suggests: gvfs, unrar, poppler-data, nautilus
+Suggests: gvfs, unrar, poppler-data, nautilus, apparmor
Description: Document (PostScript, PDF) viewer (GTK+ version)
Evince is a simple multi-page document viewer. It can display and print
PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
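Review bot: the `Suggests: ... apparmor` lines are added to the evince and evince-gtk packages, but the profile and abstraction are installed by evince-common (see the debian/rules hunk), so evince-common is the package that actually carries the AppArmor files; consider adding the Suggests there as well, so the hint survives for users who install evince-common through evince-gtk or any other path. The same applies to the matching debian/control.in hunks, which must stay identical to these since control is generated from control.in.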
diff -Naur evince-3.2.1-1.orig/debian/control.in evince-3.2.1/debian/control.in
evince-3.2.1-1.orig/debian/control.in 2011-10-14 23:01:18.000000000 +0200
+++ evince-3.2.1/debian/control.in 2012-04-08 09:26:04.276114918 +0200
@@ -5,6 +5,7 @@
Uploaders: @GNOME_TEAM@
Build-Depends: cdbs (>= 0.4.90),
debhelper (>= 8),
+ dh-apparmor,
dh-autoreconf,
intltool (>= 0.35.0),
gnome-pkg-tools (>= 0.10),
@@ -53,7 +54,7 @@
Provides: pdf-viewer,
postscript-viewer,
djvu-viewer
-Suggests: unrar, poppler-data, nautilus
+Suggests: unrar, poppler-data, nautilus, apparmor
Description: Document (PostScript, PDF) viewer
Evince is a simple multi-page document viewer. It can display and print
PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
@@ -94,7 +95,7 @@
Provides: pdf-viewer,
postscript-viewer,
djvu-viewer
-Suggests: gvfs, unrar, poppler-data, nautilus
+Suggests: gvfs, unrar, poppler-data, nautilus, apparmor
Description: Document (PostScript, PDF) viewer (GTK+ version)
Evince is a simple multi-page document viewer. It can display and print
PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
diff -Naur evince-3.2.1-1.orig/debian/evince-common.dirs evince-3.2.1/debian/evince-common.dirs
evince-3.2.1-1.orig/debian/evince-common.dirs 1970-01-01 01:00:00.000000000 +0100
+++ evince-3.2.1/debian/evince-common.dirs 2012-04-08 09:07:05.461868527 +0200
@@ -0,0 +1 @@
+etc/apparmor.d/abstractions
diff -Naur evince-3.2.1-1.orig/debian/rules evince-3.2.1/debian/rules
evince-3.2.1-1.orig/debian/rules 2011-10-12 22:20:39.000000000 +0200
+++ evince-3.2.1/debian/rules 2012-04-08 09:07:54.138419828 +0200
@@ -57,3 +57,6 @@

binary-install/evince-common::
rm -rf debian/evince-common/usr/share/gtk-doc
+ cp debian/apparmor-profile debian/evince-common/etc/apparmor.d/usr.bin.evince
+ cp debian/apparmor-profile.abstraction debian/evince-common/etc/apparmor.d/abstractions/evince
+ dh_apparmor --profile-name=usr.bin.evince -pevince-common
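Review bot: consider `install -m 0644` instead of `cp` for the two new lines, so the installed mode of usr.bin.evince and abstractions/evince does not depend on the permissions the files happen to have in the source tree. The target directories are covered by the new debian/evince-common.dirs entry (etc/apparmor.d/abstractions implies etc/apparmor.d), so the copies will find their directories; the single `dh_apparmor --profile-name=usr.bin.evince` call is correct here because all three profiles live in that one file.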

Replies

#1 intrigeri
May 19th, 2012 - 05:20 am ET
Hi,

> I have been testing evince for a few months, on a Debian sid system,
> with the AppArmor profile shipped by Ubuntu's evince (3.3.5-0ubuntu1
> and 3.4.0-0ubuntu1). I have not run into any single problem with it.

Now that evince 3.4 is in sid, I have tested the proposed profile
against this version and did not notice any problem (this is no
wonder, given Ubuntu is shipping it with evince 3.4, but I think it
was worth confirming).