Package: evince
Version: 3.32.0-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu eoan ubuntu-patch
Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/apparmor-profile:
    - allow 'rk' on @{HOME}/.config/enchant/* in evince
    - add additional org.gtk.vfs rules for metadata and List* DBus APIs
    - silence noisy denial for mktexpk, mktextfm, dvipdfm, dvipdfmx and mkofm
      since with the new gnome-desktop3 invocations of thumbnailers, NNP
      (no new privs) blocks transition to sanitized_helper. In addition,
      thumbnails are generated just fine without these
    - allow access to @{PROC}/@{pid}/fd/, @{PROC}/@{pid}/mountinfo and
      /sys/devices/system/cpu/ in the thumbnailer (needed by some helpers)
    - allow 'r' on @{HOME}/.texmf*/** in the thumbnailer
    - update gnome-desktop and add evince-thumbnailer /tmp file paths
    - allow read on '/' and deny write on /missfont.log which is happening
      now due to new thumbnailer invocation
  * debian/apparmor-profile.abstraction: allow directory read on /var/lib/texmf

Thanks for considering the patch.

-- System Information:
Debian Release: buster/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'disco-updates'), (500, 'disco-security'), (500, 'disco')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-16-generic (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru evince-3.32.0/debian/apparmor-profile evince-3.32.0/debian/apparmor-profile --- evince-3.32.0/debian/apparmor-profile 2019-03-15 05:11:25.000000000 -0500 +++ evince-3.32.0/debian/apparmor-profile 2019-06-18 16:57:04.000000000 -0500 @@ -107,6 +107,7 @@ /etc/dconf/** r, owner @{HOME}/.cache/dconf/user rw, owner @{HOME}/.config/dconf/user r, + owner @{HOME}/.config/enchant/* rk, owner /{,var/}run/user/*/dconf/ w, owner /{,var/}run/user/*/dconf/user rw, owner /{,var/}run/user/*/dconf-service/keyfile/ w, @@ -219,6 +220,21 @@ member="ListMountableInfo" peer=(label=unconfined), + # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it + deny dbus (send) + bus=session + path="/org/gtk/vfs/metadata" + interface="org.gtk.vfs.Metadata" + member="GetTreeFromDevice" + peer=(label=unconfined), + deny @{HOME}/.local/share/gvfs-metadata/* r, + + dbus (send) + bus=session + path="/org/gtk/vfs/Daemon" + interface="org.gtk.vfs.Daemon" + member="List*" + peer=(label=unconfined), # The thumbnailer doesn't need access to everything in the nameservice # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress @@ -242,10 +258,14 @@ /etc/xpdf/* r, /usr/bin/gs-esp ixr, - /usr/bin/mktexpk Cx -> sanitized_helper, - /usr/bin/mktextfm Cx -> sanitized_helper, - /usr/bin/dvipdfm Cx -> sanitized_helper, - /usr/bin/dvipdfmx Cx -> sanitized_helper, + # Silence these denials since 'no new privs' drops transitions to + # sanitized_helper, we don't want all those perms in the thumbnailer + # and the thumbnailer generates thumbnails without these just fine. + deny /usr/bin/mktexpk x, + deny /usr/bin/mktextfm x, + deny /usr/bin/dvipdfm x, + deny /usr/bin/dvipdfmx x, + deny /usr/bin/mkofm x, # supported archivers /{usr/,}bin/gzip ixr, 
@@ -260,6 +280,11 @@ /{usr/,}bin/tar ixr, /usr/bin/xz ixr, + # miscellaneous access for the above + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + /sys/devices/system/cpu/ r, + # allow read access to anything in /usr/share, for plugins and input methods /usr/local/share/** r, /usr/share/** r, @@ -291,6 +316,7 @@ /**.[xX][zZ] r, owner @{HOME}/.texlive*/** r, + owner @{HOME}/.texmf*/** r, owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r, owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r, @@ -301,7 +327,12 @@ owner /media/** r, owner /tmp/.gnome_desktop_thumbnail* w, - owner /tmp/gnome-desktop-thumbnailer* w, + owner /tmp/gnome-desktop-* rw, + owner /tmp/evince-thumbnailer*/{,**} rw, + + # these happen post pivot_root + / r, + deny /missfont.log w, # Site-specific additions and overrides. See local/README for details. #include <local/usr.bin.evince> diff -Nru evince-3.32.0/debian/apparmor-profile.abstraction evince-3.32.0/debian/apparmor-profile.abstraction --- evince-3.32.0/debian/apparmor-profile.abstraction 2019-03-15 05:11:25.000000000 -0500 +++ evince-3.32.0/debian/apparmor-profile.abstraction 2019-06-18 16:55:48.000000000 -0500 @@ -62,7 +62,7 @@ /usr/share/** r, /usr/lib/ghostscript/** mr, /var/lib/ghostscript/** r, - /var/lib/texmf/** r, + /var/lib/texmf/{,**} r, # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow # read for all supported file formats
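Review bot: In the apparmor-profile hunk at @@ -219,6 +220,21 @@, `member="List*"` on `org.gtk.vfs.Daemon` is a wildcard while the neighbouring rule names its member exactly (`member="ListMountableInfo"`); a glob silently widens as the daemon grows new List* methods, so prefer naming the members that actually showed up in the denials, or at least add a comment recording which ones the thumbnailer was seen to call. The explicit `deny dbus (send)` for `GetTreeFromDevice` and `deny @{HOME}/.local/share/gvfs-metadata/* r` are the right way to quiet these: an AppArmor `deny` both blocks the access and suppresses the audit message, which is what the comment "explicitly deny it" intends; just be aware that this also hides the denial if gvfs-metadata access is ever needed for a new feature.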
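Review bot: In the hunk at @@ -242,10 +258,14 @@, swapping `Cx -> sanitized_helper` for `deny /usr/bin/mktexpk x` (and the three siblings plus the new `mkofm` entry, which had no prior rule) turns what was a confined transition into a hard, silent exec failure for every invocation path, not only the gnome-desktop3 one that hits no-new-privs. The report says thumbnails are generated fine without these, so the behaviour is acceptable, but the comment should say so explicitly ("DVI thumbnails are rendered without font generation") rather than only stating the NNP mechanics, because anyone later seeing a missing DVI thumbnail will find no denial in the log to explain it.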
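Review bot: In the hunk at @@ -260,6 +280,11 @@, the comment `# miscellaneous access for the above` does not say which of the archivers listed above (gzip, tar, xz, ...) needs `@{PROC}/@{pid}/fd/`, `@{PROC}/@{pid}/mountinfo` or `/sys/devices/system/cpu/`; naming the helper beside each rule lets a later maintainer drop the rule when that helper is removed. The rules themselves are appropriately narrow: `fd/` and `cpu/` are directory listings only (no `**`), `mountinfo` is the process's own view thanks to `owner`, and none of them grant write.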
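Review bot: In the hunk at @@ -291,6 +316,7 @@, the unchanged context shows `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` twice in a row; if that duplicate is really in the profile rather than an artefact of how this report was pasted, dropping one copy is a trivial follow-up. The added `owner @{HOME}/.texmf*/** r,` mirrors the existing `.texlive*/**` rule directly above it and needs no further comment.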
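Review bot: In the hunk at @@ -301,7 +327,12 @@, the replacement `owner /tmp/gnome-desktop-* rw,` widens the old `owner /tmp/gnome-desktop-thumbnailer* w,` in two directions at once, a broader name glob and added read; if only the file name prefix changed with gnome-desktop3, keep the narrower glob, and in either case a comment naming the new file names would justify the `rw`. `owner` still restricts this to files owned by the thumbnailer's uid, which limits the exposure. `/ r` grants a listing of the root directory only (no `**`), and `deny /missfont.log w` quietly suppresses TeX's missing-font log, which kpathsea writes to the current directory, `/` after pivot_root; that is consistent with the font-generation helpers being denied in the earlier hunk.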