Bug#909849: evince: apparmor profile hardening
Jamie Strandboge
jamie at ubuntu.com
Sat Sep 29 15:11:49 BST 2018
Package: evince
Version: 3.30.0-3
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu cosmic ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* debian/apparmor-profile.abstraction, apparmor-profile: harden the profile
- add preamble for expectations of the profile
- evince{-previewer}: restrict access to DBus system bus (for compatibility,
we allow full access to session, translation and accessibility buses):
+ allow Get* to anything polkit allows
+ allow talking to avahi (for printing)
+ allow talking to colord (for printing)
- make the thumbnailer more restrictive (LP: #1794848)
+ remove evince abstraction and use only what is needed from it
+ limit access to DBus session bus
+ generally disallow writes
+ allow reads for non-hidden files
- disallow access to the dirs of private files (LP: #1794848)
* debian/apparmor-profile: allow /bin/env ixr
Thanks for considering the patch.
-- System Information:
Debian Release: buster/sid
APT prefers bionic-updates
APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-34-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru evince-3.30.0/debian/apparmor-profile evince-3.30.0/debian/apparmor-profile
--- evince-3.30.0/debian/apparmor-profile 2018-09-27 06:19:53.000000000 -0500
+++ evince-3.30.0/debian/apparmor-profile 2018-09-28 16:19:49.000000000 -0500
@@ -1,6 +1,15 @@
# vim:syntax=apparmor
-# Author: Kees Cook <kees at canonical.com>
-# Jamie Strandboge <jamie at canonical.com>
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
#include <tunables/global>
@@ -8,8 +17,6 @@
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
- #include <abstractions/dbus>
- #include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/evince>
#include <abstractions/ibus>
@@ -21,6 +28,26 @@
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>
+ # For now, let evince talk to any session services over dbus. We can
+ # blacklist any problematic ones (but note, evince uses libsecret :\)
+ #include <abstractions/dbus-session>
+
+ #include <abstractions/dbus-strict>
+ dbus (receive) bus=system,
+ # Allow getting information from various system services
+ dbus (send)
+ bus=system
+ member="Get*"
+ peer=(label=unconfined),
+ # Allow talking to avahi with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.Avahi{,.*}",
+ # Allow talking to colord with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.ColorManager{,.*}",
+
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only evince is allowed to do
#include <abstractions/ubuntu-gnome-terminal>
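Review bot: The `member="Get*"` rule is wider than its comment says: with no `interface=` or `path=` qualifier it permits any method whose name starts with Get on any interface of any unconfined system-bus peer, not only property reads, so the comment should state that breadth, e.g. `# Allow any Get* method on any interface/path of unconfined system services (intentionally broad; add interface= if a single service turns out to be enough)`. The avahi and colord comments both say "whatever polkit allows"; colord does consult polkit, but as far as I know avahi's method calls are gated by its own D-Bus policy rather than polkit, so that wording is worth checking. The same block is repeated verbatim for evince-previewer in the later hunk `@@ -131,6 +157,27 @@`; moving it into debian/apparmor-profile.abstraction would keep the two copies from drifting.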
@@ -55,6 +82,7 @@
# GLib desktop launch helper (used under the hood by g_app_info_launch)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+ /usr/bin/env ixr,
# allow directory listings (ie 'r' on directories) so browsing via the file
# dialog works
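Review bot: `/usr/bin/env ixr,` lands without a comment saying which evince code path execs env, unlike the neighbouring gio-launch-desktop rule. Since `ix` keeps the child under this same profile the rule does not widen what may run, but the reader still needs the why, e.g. `# env is used as an exec trampoline by <caller — TODO name it>; ix keeps the child confined by this profile`. The report text names /bin/env while the rule covers /usr/bin/env; the thumbnailer section spells such paths as `/{usr/,}bin/`, so `/{usr/,}bin/env ixr,` would follow that convention if the /bin path is ever expected.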
@@ -118,9 +146,7 @@
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
- #include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
- #include <abstractions/dbus-strict>
#include <abstractions/evince>
#include <abstractions/ibus>
#include <abstractions/nameservice>
@@ -131,6 +157,27 @@
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>
+ # For now, let evince talk to any session services over dbus. We can
+ # blacklist any problematic ones (but note, evince uses libsecret :\)
+ #include <abstractions/dbus-session>
+
+ #include <abstractions/dbus-strict>
+ dbus (receive) bus=system,
+ # Allow getting information from various system services
+ dbus (send)
+ bus=system
+ member="Get*"
+ peer=(label=unconfined),
+ # Allow talking to avahi with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.Avahi{,.*}",
+ # Allow talking to colord with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.ColorManager{,.*}",
+
+
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only evince is allowed to do
#include <abstractions/ubuntu-gnome-terminal>
@@ -155,8 +202,22 @@
}
/usr/bin/evince-thumbnailer {
- #include <abstractions/dbus-session>
- #include <abstractions/evince>
+ #include <abstractions/base>
+ #include <abstractions/private-files-strict>
+
+ #include <abstractions/fonts>
+ deny @{HOME}/.{,cache/}fontconfig/** wl,
+ deny @{HOME}/missfont.log wl,
+
+ #include <abstractions/dbus-session-strict>
+ dbus (receive) bus=session,
+ dbus (send)
+ bus=session
+ path="/org/gtk/vfs/mounttracker"
+ interface="org.gtk.vfs.MountTracker"
+ member="ListMountableInfo"
+ peer=(label=unconfined),
+
# The thumbnailer doesn't need access to everything in the nameservice
# abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
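Review bot: `dbus (receive) bus=session,` in the thumbnailer block accepts messages from any session-bus peer, while the only send rule beside it is pinned to the mount tracker with `peer=(label=unconfined)`. Unless the thumbnailer must receive from confined peers (nothing in the hunk suggests it does), the receive rule could carry the same qualifier, `dbus (receive) bus=session peer=(label=unconfined),`, or a comment should record why it is left open. The `/usr/bin/evince-thumbnailer {` block opens in this hunk but its body continues past it.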
@@ -171,11 +232,75 @@
network inet dgram,
network inet6 dgram,
+ /etc/papersize r,
+
/usr/bin/evince-thumbnailer mr,
- # Lenient, but remember we still have abstractions/private-files-strict in
- # effect).
+ /etc/texmf/ r,
+ /etc/texmf/** r,
+ /etc/xpdf/* r,
+
+ /usr/bin/gs-esp ixr,
+ /usr/bin/mktexpk Cx -> sanitized_helper,
+ /usr/bin/mktextfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+ # supported archivers
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+ /usr/bin/unrar* ixr,
+ /usr/bin/unzip ixr,
+ /usr/bin/7zr ixr,
+ /usr/lib/p7zip/7zr ixr,
+ /usr/bin/7za ixr,
+ /usr/lib/p7zip/7za ixr,
+ /usr/bin/zipnote ixr,
+ /{usr/,}bin/tar ixr,
+ /usr/bin/xz ixr,
+
+ # allow read access to anything in /usr/share, for plugins and input methods
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /usr/lib/ghostscript/** mr,
+ /var/lib/ghostscript/** r,
+ /var/lib/texmf/** r,
+
+ # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+ # read for all supported file formats
+ /**.[bB][mM][pP] r,
+ /**.[dD][jJ][vV][uU] r,
+ /**.[dD][vV][iI] r,
+ /**.[gG][iI][fF] r,
+ /**.[jJ][pP][gG] r,
+ /**.[jJ][pP][eE][gG] r,
+ /**.[oO][dD][pP] r,
+ /**.[fFpP][dD][fF] r,
+ /**.[pP][nN][mM] r,
+ /**.[pP][nN][gG] r,
+ /**.[pP][sS] r,
+ /**.[eE][pP][sS] r,
+ /**.[eE][pP][sS][fFiI23] r,
+ /**.[tT][iI][fF] r,
+ /**.[tT][iI][fF][fF] r,
+ /**.[xX][pP][mM] r,
+ /**.[gG][zZ] r,
+ /**.[bB][zZ]2 r,
+ /**.[cC][bB][rRzZ7] r,
+ /**.[xX][zZ] r,
+
+ owner @{HOME}/.texlive*/** r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+ # With the network rules above, this allows data exfiltration for files
+ # not covered by private-files-strict.
@{HOME}/ r,
- owner @{HOME}/** rw,
- owner /media/** rw,
+ owner @{HOME}/[^.]** r,
+ owner /media/** r,
+
+ owner /tmp/.gnome_desktop_thumbnail.* w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.evince>
}
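Review bot: `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` is added twice in a row; drop one copy. The hunk allows `/{usr/,}bin/tar ixr,` but the comic-book pattern `/**.[cC][bB][rRzZ7] r,` has no `tT`, so if tar-based .cbt files are among the formats this thumbnailer is meant to handle the class should read `[rRtTzZ7]`, and if they are not the tar rule looks unused. The closing `#include <local/usr.bin.evince>` pulls in what is presumably the same site override file as the much wider evince profile; if so, a local addition written for evince silently re-widens this deliberately tighter profile, which deserves a comment at the include (or a thumbnailer-specific local file). The `/usr/bin/evince-thumbnailer {` block begins before this hunk.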
diff -Nru evince-3.30.0/debian/apparmor-profile.abstraction evince-3.30.0/debian/apparmor-profile.abstraction
--- evince-3.30.0/debian/apparmor-profile.abstraction 2018-09-27 06:19:53.000000000 -0500
+++ evince-3.30.0/debian/apparmor-profile.abstraction 2018-09-28 16:19:49.000000000 -0500
@@ -94,26 +94,33 @@
# from directly.
#include <abstractions/private-files>
- audit deny @{HOME}/.gnupg/** mrwkl,
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
- audit deny @{HOME}/.pki/nssdb/** w,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+ audit deny @{HOME}/.pki/{,nssdb/} w,
+ audit deny @{HOME}/.pki/nssdb/{,**} wl,
+ audit deny @{HOME}/.mozilla/{,**/} w,
audit deny @{HOME}/.mozilla/*/*/* mrwkl,
- audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
- audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
- audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
- audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
- audit deny @{HOME}/.config/chromium/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{HOME}/.config/evolution/** mrwkl,
- audit deny @{HOME}/.kde/share/config/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,
# When LP: #451422 is fixed, change the above to simply be:
##include <abstractions/private-files-strict>
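Review bot: `audit deny @{HOME}/.kde/{,share/,share/apps/} w,` is added twice in this hunk, once above the kwallet rule and again above the `.kde/share/config` rule; keep one. The new directory-level denies (`.gnome2/`, `.config/`, `.mozilla/{,**/}`, `.pki/{,nssdb/}`, the thunderbird dirs) deliberately use `w` rather than the `mrwkl` of the file rules, and because deny takes precedence over allow in AppArmor they also override any write an included abstraction grants on those directories; a one-line comment would spare the next reader the question, e.g. `# Directory entries: deny only create/remove/rename (w); reads are left to the other rules`. The enclosing abstraction starts before this hunk.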