Source: evince
Version: 3.2.1-1+b1
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: new-profile
thanks

Please include an AppArmor profile for evince.

Since it handles untrusted data, and has been affected by a number of
potential security issues in past years relating to its handling of
those, it seems like an ideal candidate for confining:
https://wiki.debian.org/AppArmor

I have been testing evince for a few months, on a Debian sid system,
with the AppArmor profile shipped by Ubuntu's evince (3.3.5-0ubuntu1
and 3.4.0-0ubuntu1). I have not run into a single problem with it.

Attached is a patch that adds this AppArmor support to evince.
Please consider applying it.

Note that enforcing AppArmor profiles is currently opt-in: applying
the attached does not change anything for users unless they enable
AppArmor system-wide themselves.

diff -Naur evince-3.2.1-1.orig/debian/apparmor-profile evince-3.2.1/debian/apparmor-profile
--- evince-3.2.1-1.orig/debian/apparmor-profile	1970-01-01 01:00:00.000000000 +0100
+++ evince-3.2.1/debian/apparmor-profile	2012-04-08 09:05:20.240673780 +0200
@@ -0,0 +1,147 @@
+# vim:syntax=apparmor
+# Author: Kees Cook <[email protected]>
+#         Jamie Strandboge <[email protected]>
+
+#include <tunables/global>
+
+/usr/bin/evince {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-session>
+  #include <abstractions/evince>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+  #include <abstractions/launchpad-integration>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only evince is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+  ##include <abstractions/ubuntu-konsole>
+
+  /usr/bin/evince rmPx,
+  /usr/bin/evince-previewer Px,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+  /usr/bin/nautilus Cx -> sanitized_helper,
+
+  # For text attachments
+  /usr/bin/gedit ixr,
+
+  # For Send to
+  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+
+  # allow directory listings (ie 'r' on directories) so browsing via the file
+  # dialog works
+  / r,
+  /**/ r,
+
+  @{HOME}/ r,
+
+  # This is need for saving files in your home directory without an extension.
+  # Changing this to '@{HOME}/** r' makes it require an extension and more
+  # secure (but with 'rw', we still have abstractions/private-files-strict in
+  # effect).
+  @{HOME}/** rw,
+  @{HOME}/.local/share/gvfs-metadata/** l,
+
+  @{HOME}/.gnome2/evince/*       rwl,
+  @{HOME}/.gnome2/accels/        rw,
+  @{HOME}/.gnome2/accelsevince   rw,
+  @{HOME}/.gnome2/accels/evince  rw,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read and write for all supported file formats
+  /**.[bB][mM][pP]     rw,
+  /**.[dD][jJ][vV][uU] rw,
+  /**.[dD][vV][iI]     rw,
+  /**.[gG][iI][fF]     rw,
+  /**.[jJ][pP][gG]     rw,
+  /**.[jJ][pP][eE][gG] rw,
+  /**.[oO][dD][pP]     rw,
+  /**.[fFpP][dD][fF]   rw,
+  /**.[pP][nN][mM]     rw,
+  /**.[pP][nN][gG]     rw,
+  /**.[pP][sS]         rw,
+  /**.[eE][pP][sS]     rw,
+  /**.[tT][iI][fF]     rw,
+  /**.[tT][iI][fF][fF] rw,
+  /**.[xX][pP][mM]     rw,
+  /**.[gG][zZ]         rw,
+  /**.[bB][zZ]2        rw,
+  /**.[cC][bB][rRzZ7]  rw,
+
+  # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
+  # directory a file is saved. This allows that behavior.
+  owner /**/.goutputstream-* w,
+}
+
+/usr/bin/evince-previewer {
+  #include <abstractions/audio>
+  #include <abstractions/bash>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus-session>
+  #include <abstractions/evince>
+  #include <abstractions/ibus>
+  #include <abstractions/nameservice>
+  #include <abstractions/launchpad-integration>
+
+  #include <abstractions/ubuntu-browsers>
+  #include <abstractions/ubuntu-console-browsers>
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+  #include <abstractions/ubuntu-media-players>
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrict access to what only evince is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
+  # By default, we won't support launching a terminal program in Xterm or
+  # KDE's konsole. It opens up too many unnecessary files for most users.
+  # People who need this functionality can uncomment the following:
+  ##include <abstractions/ubuntu-xterm>
+
+  /usr/bin/evince-previewer mr,
+  /usr/bin/yelp Cx -> sanitized_helper,
+  /usr/bin/bug-buddy px,
+
+  # Lenient, but remember we still have abstractions/private-files-strict in
+  # effect).
+  @{HOME}/ r,
+  @{HOME}/** r,
+}
+
+/usr/bin/evince-thumbnailer {
+  #include <abstractions/evince>
+
+  # The thumbnailer doesn't need access to everything in the nameservice
+  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
+  # logging denial of nsswitch.conf.
+  /etc/passwd r,
+  /etc/group r,
+  deny /etc/nsswitch.conf r,
+
+  # TCP/UDP network access for NFS
+  network inet  stream,
+  network inet6 stream,
+  network inet  dgram,
+  network inet6 dgram,
+
+  /usr/bin/evince-thumbnailer mr,
+
+  # Lenient, but remember we still have abstractions/private-files-strict in
+  # effect).
+  @{HOME}/ r,
+  @{HOME}/** rw,
+}
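Review bot: `@{HOME}/.gnome2/accelsevince rw,` in the /usr/bin/evince profile looks like a typo for `@{HOME}/.gnome2/accels/evince rw,`, which is already granted on the following line; the stray rule matches a path that never exists and should be dropped. Two further points in this hunk: the per-format rules such as `/**.[pP][dD][fF] rw,` and `/**.[gG][zZ] rw,` grant write access to matching files anywhere on the filesystem, not only under @{HOME}, so consider prefixing them with `owner` (as is already done for `owner /**/.goutputstream-* w,`) to limit writes to files the user owns; and the /usr/bin/evince-thumbnailer profile ends with `@{HOME}/** rw,` under the same "Lenient, but remember ..." comment that the previewer block uses for `@{HOME}/** r,`. If the thumbnailer genuinely needs to write under the home directory, the comment should say why; otherwise `r` would match the previewer and narrow what a malformed document can do through the thumbnailer. The previewer block also drops the `##include <abstractions/ubuntu-konsole>` line that the evince block carries next to `##include <abstractions/ubuntu-xterm>`, so the two "By default, we won't support ..." comments no longer describe the same thing.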
diff -Naur evince-3.2.1-1.orig/debian/apparmor-profile.abstraction evince-3.2.1/debian/apparmor-profile.abstraction
--- evince-3.2.1-1.orig/debian/apparmor-profile.abstraction	1970-01-01 01:00:00.000000000 +0100
+++ evince-3.2.1/debian/apparmor-profile.abstraction	2012-04-08 09:05:42.808930386 +0200
@@ -0,0 +1,112 @@
+# vim:syntax=apparmor
+#
+# abstraction used by evince binaries
+#
+
+  #include <abstractions/gnome>
+  #include <abstractions/p11-kit>
+  #include <abstractions/ubuntu-helpers>
+
+  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/[0-9]*/mountinfo r,
+  owner @{PROC}/[0-9]*/auxv r,
+  owner @{PROC}/[0-9]*/status r,
+
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+
+  # move out to the gnome abstraction if anyone else needs these
+  /dev/.udev/{data,db}/* r,
+  /etc/udev/udev.conf r,
+  /sys/devices/**/block/**/uevent r,
+
+  # apport
+  /etc/default/apport r,
+
+  # evince specific
+  /etc/ r,
+  /etc/fstab r,
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+
+  /usr/bin/gs-esp ixr,
+  /usr/bin/mktexpk Cx -> sanitized_helper,
+  /usr/bin/mktextfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+  # supported archivers
+  /bin/gzip ixr,
+  /bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /bin/tar ixr,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/** r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+
+  # Use abstractions/private-files instead of abstractions/private-files-strict
+  # and add the sensitive files manually to work around LP: #451422. The goal
+  # is to disallow access to the .mozilla folder in general, but to allow
+  # access to the Cache directory, which the browser may tell evince to open
+  # from directly.
+
+  #include <abstractions/private-files>
+  audit deny @{HOME}/.gnupg/** mrwkl,
+  audit deny @{HOME}/.ssh/** mrwkl,
+  audit deny @{HOME}/.gnome2_private/** mrwkl,
+  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.pki/nssdb/** w,
+
+  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+  audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
+  audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
+  audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
+  audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
+
+  audit deny @{HOME}/.config/chromium/** mrwkl,
+  audit deny @{HOME}/.evolution/** mrwkl,
+  audit deny @{HOME}/.config/evolution/** mrwkl,
+  audit deny @{HOME}/.kde/share/config/** mrwkl,
+  audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
+
+  # When LP: #451422 is fixed, change the above to simply be:
+  ##include <abstractions/private-files-strict>
+  #owner @{HOME}/.mozilla/**/*Cache/* r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.evince>
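Review bot: The comment "allow read access to anything in /usr/share" does not cover `/usr/local/share/** r,` on the line below it; either extend the comment or drop the rule if nothing relevant is installed there. Also, `audit deny @{HOME}/.pki/nssdb/** w,` denies only writes, so the NSS database stays readable to every evince binary while the neighbouring sensitive directories (`.gnupg`, `.ssh`, `kwallet`) are denied `mrwkl`; if read access is not required, use the same mask for consistency. Finally, `#include <local/usr.bin.evince>` sits inside the shared abstraction rather than in the profile file, so each profile that includes `abstractions/evince` (evince, evince-previewer and evince-thumbnailer) inherits the site-local overrides written for the main profile. That matches the local file dh_apparmor creates for `--profile-name=usr.bin.evince`, but a one-line comment saying the override applies to all three profiles would save the next maintainer a surprise.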
diff -Naur evince-3.2.1-1.orig/debian/control evince-3.2.1/debian/control
--- evince-3.2.1-1.orig/debian/control	2011-10-18 00:43:44.000000000 +0200
+++ evince-3.2.1/debian/control	2012-04-08 10:24:32.986983300 +0200
@@ -10,6 +10,7 @@
 Uploaders: Emilio Pozuelo Monfort <[email protected]>, Frederic Peters <[email protected]>, Michael Biebl <[email protected]>
 Build-Depends: cdbs (>= 0.4.90),
                debhelper (>= 8),
+               dh-apparmor,
                dh-autoreconf,
                intltool (>= 0.35.0),
                gnome-pkg-tools (>= 0.10),
@@ -58,7 +59,7 @@
 Provides: pdf-viewer,
           postscript-viewer,
           djvu-viewer
-Suggests: unrar, poppler-data, nautilus
+Suggests: unrar, poppler-data, nautilus, apparmor
 Description: Document (PostScript, PDF) viewer
  Evince is a simple multi-page document viewer.  It can display and print
  PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
@@ -99,7 +100,7 @@
 Provides: pdf-viewer,
           postscript-viewer,
           djvu-viewer
-Suggests: gvfs, unrar, poppler-data, nautilus
+Suggests: gvfs, unrar, poppler-data, nautilus, apparmor
 Description: Document (PostScript, PDF) viewer (GTK+ version)
  Evince is a simple multi-page document viewer.  It can display and print
  PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
diff -Naur evince-3.2.1-1.orig/debian/control.in evince-3.2.1/debian/control.in
--- evince-3.2.1-1.orig/debian/control.in	2011-10-14 23:01:18.000000000 +0200
+++ evince-3.2.1/debian/control.in	2012-04-08 09:26:04.276114918 +0200
@@ -5,6 +5,7 @@
 Uploaders: @GNOME_TEAM@
 Build-Depends: cdbs (>= 0.4.90),
                debhelper (>= 8),
+               dh-apparmor,
                dh-autoreconf,
                intltool (>= 0.35.0),
                gnome-pkg-tools (>= 0.10),
@@ -53,7 +54,7 @@
 Provides: pdf-viewer,
           postscript-viewer,
           djvu-viewer
-Suggests: unrar, poppler-data, nautilus
+Suggests: unrar, poppler-data, nautilus, apparmor
 Description: Document (PostScript, PDF) viewer
  Evince is a simple multi-page document viewer.  It can display and print
  PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
@@ -94,7 +95,7 @@
 Provides: pdf-viewer,
           postscript-viewer,
           djvu-viewer
-Suggests: gvfs, unrar, poppler-data, nautilus
+Suggests: gvfs, unrar, poppler-data, nautilus, apparmor
 Description: Document (PostScript, PDF) viewer (GTK+ version)
  Evince is a simple multi-page document viewer.  It can display and print
  PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
diff -Naur evince-3.2.1-1.orig/debian/evince-common.dirs evince-3.2.1/debian/evince-common.dirs
--- evince-3.2.1-1.orig/debian/evince-common.dirs	1970-01-01 01:00:00.000000000 +0100
+++ evince-3.2.1/debian/evince-common.dirs	2012-04-08 09:07:05.461868527 +0200
@@ -0,0 +1 @@
+etc/apparmor.d/abstractions
diff -Naur evince-3.2.1-1.orig/debian/rules evince-3.2.1/debian/rules
--- evince-3.2.1-1.orig/debian/rules	2011-10-12 22:20:39.000000000 +0200
+++ evince-3.2.1/debian/rules	2012-04-08 09:07:54.138419828 +0200
@@ -57,3 +57,6 @@
 
 binary-install/evince-common::
 	rm -rf debian/evince-common/usr/share/gtk-doc
+	cp debian/apparmor-profile debian/evince-common/etc/apparmor.d/usr.bin.evince
+	cp debian/apparmor-profile.abstraction debian/evince-common/etc/apparmor.d/abstractions/evince
+	dh_apparmor --profile-name=usr.bin.evince -pevince-common
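Review bot: The two `cp` lines install the profile as `etc/apparmor.d/usr.bin.evince` and the abstraction as `etc/apparmor.d/abstractions/evince`, but debian/evince-common.dirs only lists `etc/apparmor.d/abstractions`; that works because creating the subdirectory also creates its parent, yet it would be cleaner to install both files through a `debian/evince-common.install` entry than by hand in a `binary-install` hook. It is also worth a short comment here that the profile is shipped in the architecture-independent evince-common package while the confined binaries (`/usr/bin/evince`, `/usr/bin/evince-previewer`, `/usr/bin/evince-thumbnailer`) come from whichever of evince or evince-gtk is installed; since AppArmor attaches profiles by executable path, both variants are covered, but nothing in the packaging states that intent.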
