Unfortunately, evince needs access to the X server. Since apparmor doesn't yet support XACE or equivalent this means that evince can still launch keylogging and keyspoofing attacks. I think our first priority should be stopping evince from sending keypresses to a terminal in the background (which is is on the roadmap for apparmor I understand). Once we do that we can think about fixing this bug right, e.g. using the LD_PRELOAD trick Plash uses to replace the GTK file/open save dialog box with one that passes the rights to the file the user selects (and only the file the user selects).
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/900324 Title: apparmor profile provides too much access Status in “evince” package in Ubuntu: Won't Fix Bug description: Hi, evince comes with apparmor profiles. 1) The profiles are incomplete/outdated. Kernel keeps complaining because evince tries to read from udev which has been moved to /run/udev by some ubuntu berserks: Dec 5 16:10:19 sodom kernel: [24711.331270] type=1400 audit(1323097819.959:148): apparmor="DENIED" operation="open" parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:6" pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 2) The profiles are mostly useless because the open almost everything for read/write anyway, e.g. @{HOME}/** rw, What's the point in having a apparmor profile if it opens all doors? The idea of apparmor is to restrict particular access, not to open everything to make it run like without an apparmor profile. BTW, the file design is poor. The master profile should contain only what evince needs to run (like /usr/lib... and such things) and not intermix with the files to read or write for working. These options should be put into a separate file to allow the admin to modify it to local needs without breaking the upgrade process for the main part of the profile. ProblemType: Bug DistroRelease: Ubuntu 11.10 Package: evince-common 3.2.1-0ubuntu2 ProcVersionSignature: Error: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/proc/version_signature' Uname: Linux 3.2.0-030200rc2-generic x86_64 ApportVersion: 1.23-0ubuntu4 Architecture: amd64 Date: Mon Dec 5 16:14:31 2011 EcryptfsInUse: Yes InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100427.1) PackageArchitecture: all ProcEnviron: PATH=(custom, user) LANG=de_DE.UTF-8 SHELL=/bin/tcsh SourcePackage: evince UpgradeStatus: Upgraded to oneiric on 2011-10-29 (36 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/900324/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
