Leo Famulari <l...@famulari.name> wrote:

> On Fri, Aug 24, 2018 at 03:04:53PM +0200, Ludovic Courtès wrote:
>> In this week’s discussions, it’s unclear to me why people are focusing
>> so much on ImageMagick and Evince when the real issue is in
>> Ghostscript’s ability to run arbitrary commands from PostScript code. I
>> rarely run ‘convert’ on PS files, but I do run ‘gs’ from different
>> sources: gv, Emacs Docview, Evince, ps2pdf, etc.
>
> I think they take for granted that Ghostscript should not handle
> untrusted input, so they are looking for ways that it may be invoked by
> other applications without the user's explicit consent. And, they are
> still picking the "low-hanging fruit" in this search, for example the
> thumbnailing thing.
>
> Apparently GNOME containerizes the thumbnailer in some cases with
> 'bubblewrap', but it requires the system to be set up properly (by us,
> for example).
That should work for us too, because AIUI bubblewrap falls back to using
user namespaces when they’re available.

Well, we probably need to at least add bubblewrap as a dependency to
Evince, to begin with.

>> So I was wondering if we could arrange to provide a wrapper around ‘gs’
>> that would run it in a container that can only access its input and
>> output files, plus font files from the store. Now I wonder if I’m too
>> naive and if this would in practice require more work.
>>
>> Thoughts?
>
> Yeah, that would be interesting. Are there any packages that have
> something similar right now?

No, but we need to start somewhere. :-)

>> I agree that it would be good to provide a policy.xml somehow. On
>> GuixSD, we could provide it by default for new accounts (as a Shadow
>> “skeleton”.)
>
> Agreed, or at least alter the default copy that comes in the built
> package.

Indeed, we can also do that.

Thanks,
Ludo’.