Bug#909849: evince: apparmor profile hardening

Jamie Strandboge jamie at ubuntu.com
Sat Sep 29 15:11:49 BST 2018


Package: evince
Version: 3.30.0-3
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu cosmic ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/apparmor-profile.abstraction, apparmor-profile: harden the profile
    - add preamble for expectations of the profile
    - evince{-previewer}: restrict access to DBus system bus (for compatibility,
      we allow full access to session, translation and accessibility buses):
      + allow Get* to anything polkit allows
      + allow talking to avahi (for printing)
      + allow talking to colord (for printing)
    - make the thumbnailer more restrictive (LP: #1794848)
      + remove evince abstraction and use only what is needed from it
      + limit access to DBus session bus
      + generally disallow writes
      + allow reads for non-hidden files
    - disallow access to the dirs of private files (LP: #1794848)
  * debian/apparmor-profile: allow /bin/env ixr

Thanks for considering the patch.


-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-34-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru evince-3.30.0/debian/apparmor-profile evince-3.30.0/debian/apparmor-profile
--- evince-3.30.0/debian/apparmor-profile	2018-09-27 06:19:53.000000000 -0500
+++ evince-3.30.0/debian/apparmor-profile	2018-09-28 16:19:49.000000000 -0500
@@ -1,6 +1,15 @@
 # vim:syntax=apparmor
-# Author: Kees Cook <kees at canonical.com>
-#         Jamie Strandboge <jamie at canonical.com>
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
 
 #include <tunables/global>
 
@@ -8,8 +17,6 @@
   #include <abstractions/audio>
   #include <abstractions/bash>
   #include <abstractions/cups-client>
-  #include <abstractions/dbus>
-  #include <abstractions/dbus-session>
   #include <abstractions/dbus-accessibility>
   #include <abstractions/evince>
   #include <abstractions/ibus>
@@ -21,6 +28,26 @@
   #include <abstractions/ubuntu-console-email>
   #include <abstractions/ubuntu-media-players>
 
+  # For now, let evince talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
   # Terminals for using console applications. These abstractions should ideally
   # have 'ix' to restrict access to what only evince is allowed to do
   #include <abstractions/ubuntu-gnome-terminal>
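Review bot: The `member="Get*"` send rule at the top of the added block carries no `interface=` or `path=` qualifier, so it matches any Get-prefixed method exposed by any unconfined system-bus service, not only property reads; the comment above it ("getting information from various system services") understates that scope. If the breadth is intentional, the comment should say so, e.g. `# NOTE: no interface/path restriction: matches any Get*-named method on any unconfined system service`; otherwise narrowing it with an `interface=` (or `path=`) qualifier for the services evince actually queries would be preferable. The Avahi and ColorManager rules likewise constrain only the interface, not the peer, which is acceptable on the system bus but worth stating in their comments. The identical block is repeated for evince-previewer in the hunk at `@@ -131,6 +157,27 @@`, where it also leaves a double blank line before the terminal comment.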
@@ -55,6 +82,7 @@
 
   # GLib desktop launch helper (used under the hood by g_app_info_launch)
   /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+  /usr/bin/env ixr,
 
   # allow directory listings (ie 'r' on directories) so browsing via the file
   # dialog works
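Review bot: `/usr/bin/env ixr,` has no comment saying which caller needs it, unlike the gio-launch-desktop rule directly above it. Because the rule uses `ix`, whatever env execs inherits this profile, so its reach is bounded by the profile's other exec rules; recording that in a one-line comment, e.g. `# needed by <caller>; ix keeps whatever env execs under this profile`, would stop the next maintainer from reading it as a general exec escape. The adjacent rule spells its mode `rmix` while this one uses `ixr`; harmless, but one ordering per file reads better.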
@@ -118,9 +146,7 @@
   #include <abstractions/audio>
   #include <abstractions/bash>
   #include <abstractions/cups-client>
-  #include <abstractions/dbus-session>
   #include <abstractions/dbus-accessibility>
-  #include <abstractions/dbus-strict>
   #include <abstractions/evince>
   #include <abstractions/ibus>
   #include <abstractions/nameservice>
@@ -131,6 +157,27 @@
   #include <abstractions/ubuntu-console-email>
   #include <abstractions/ubuntu-media-players>
 
+  # For now, let evince talk to any session services over dbus. We can
+  # blacklist any problematic ones (but note, evince uses libsecret :\)
+  #include <abstractions/dbus-session>
+
+  #include <abstractions/dbus-strict>
+  dbus (receive) bus=system,
+  # Allow getting information from various system services
+  dbus (send)
+      bus=system
+      member="Get*"
+      peer=(label=unconfined),
+  # Allow talking to avahi with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.Avahi{,.*}",
+  # Allow talking to colord with whatever polkit allows
+  dbus (send)
+      bus=system
+      interface="org.freedesktop.ColorManager{,.*}",
+
+
   # Terminals for using console applications. These abstractions should ideally
   # have 'ix' to restrict access to what only evince is allowed to do
   #include <abstractions/ubuntu-gnome-terminal>
@@ -155,8 +202,22 @@
 }
 
 /usr/bin/evince-thumbnailer {
-  #include <abstractions/dbus-session>
-  #include <abstractions/evince>
+  #include <abstractions/base>
+  #include <abstractions/private-files-strict>
+
+  #include <abstractions/fonts>
+  deny @{HOME}/.{,cache/}fontconfig/** wl,
+  deny @{HOME}/missfont.log wl,
+
+  #include <abstractions/dbus-session-strict>
+  dbus (receive) bus=session,
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/mounttracker"
+    interface="org.gtk.vfs.MountTracker"
+    member="ListMountableInfo"
+    peer=(label=unconfined),
+
 
   # The thumbnailer doesn't need access to everything in the nameservice
   # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
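Review bot: `dbus (receive) bus=session,` accepts messages from any session-bus peer, while the matching send rule is pinned to `peer=(label=unconfined)`, a single path, interface and member. If the only inbound traffic the thumbnailer needs is what comes back from that mount-tracker call, `dbus (receive) bus=session peer=(label=unconfined),` would keep the two rules symmetric; this should be confirmed against what the thumbnailer actually receives before tightening. The added blank line directly before the existing blank context line also leaves a double blank at the end of the block.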
@@ -171,11 +232,75 @@
   network inet  dgram,
   network inet6 dgram,
 
+  /etc/papersize r,
+
   /usr/bin/evince-thumbnailer mr,
 
-  # Lenient, but remember we still have abstractions/private-files-strict in
-  # effect).
+  /etc/texmf/ r,
+  /etc/texmf/** r,
+  /etc/xpdf/* r,
+
+  /usr/bin/gs-esp ixr,
+  /usr/bin/mktexpk Cx -> sanitized_helper,
+  /usr/bin/mktextfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfm Cx -> sanitized_helper,
+  /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+  # supported archivers
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+  /usr/bin/unrar* ixr,
+  /usr/bin/unzip ixr,
+  /usr/bin/7zr ixr,
+  /usr/lib/p7zip/7zr ixr,
+  /usr/bin/7za ixr,
+  /usr/lib/p7zip/7za ixr,
+  /usr/bin/zipnote ixr,
+  /{usr/,}bin/tar ixr,
+  /usr/bin/xz ixr,
+
+  # allow read access to anything in /usr/share, for plugins and input methods
+  /usr/local/share/** r,
+  /usr/share/** r,
+  /usr/lib/ghostscript/** mr,
+  /var/lib/ghostscript/** r,
+  /var/lib/texmf/** r,
+
+  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+  # read for all supported file formats
+  /**.[bB][mM][pP]     r,
+  /**.[dD][jJ][vV][uU] r,
+  /**.[dD][vV][iI]     r,
+  /**.[gG][iI][fF]     r,
+  /**.[jJ][pP][gG]     r,
+  /**.[jJ][pP][eE][gG] r,
+  /**.[oO][dD][pP]     r,
+  /**.[fFpP][dD][fF]   r,
+  /**.[pP][nN][mM]     r,
+  /**.[pP][nN][gG]     r,
+  /**.[pP][sS]         r,
+  /**.[eE][pP][sS]     r,
+  /**.[eE][pP][sS][fFiI23] r,
+  /**.[tT][iI][fF]     r,
+  /**.[tT][iI][fF][fF] r,
+  /**.[xX][pP][mM]     r,
+  /**.[gG][zZ]         r,
+  /**.[bB][zZ]2        r,
+  /**.[cC][bB][rRzZ7]  r,
+  /**.[xX][zZ]         r,
+
+  owner @{HOME}/.texlive*/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+  # With the network rules above, this allows data exfiltration for files
+  # not covered by private-files-strict.
   @{HOME}/ r,
-  owner @{HOME}/** rw,
-  owner /media/**  rw,
+  owner @{HOME}/[^.]** r,
+  owner /media/**  r,
+
+  owner /tmp/.gnome_desktop_thumbnail.* w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.evince>
 }
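Review bot: The four `Cx -> sanitized_helper` transitions (mktexpk, mktextfm, dvipdfm, dvipdfmx) require a `sanitized_helper` child profile to be defined inside the thumbnailer profile, but the include that presumably brought one in, `abstractions/evince`, is dropped by the hunk at `@@ -155,8 +202,22 @@` and none of the new includes visible there (base, private-files-strict, fonts, dbus-session-strict) define it. Unless `abstractions/ubuntu-helpers` is included in the part of the profile outside these hunks, the profile will fail to parse and evince-thumbnailer would end up unconfined rather than more confined; please confirm the parser loads the result, or add `#include <abstractions/ubuntu-helpers>` explicitly. Separately, `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` appears twice and one copy should go, and the comment above `/usr/local/share/** r,` mentions only /usr/share.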
diff -Nru evince-3.30.0/debian/apparmor-profile.abstraction evince-3.30.0/debian/apparmor-profile.abstraction
--- evince-3.30.0/debian/apparmor-profile.abstraction	2018-09-27 06:19:53.000000000 -0500
+++ evince-3.30.0/debian/apparmor-profile.abstraction	2018-09-28 16:19:49.000000000 -0500
@@ -94,26 +94,33 @@
   # from directly.
 
   #include <abstractions/private-files>
-  audit deny @{HOME}/.gnupg/** mrwkl,
-  audit deny @{HOME}/.ssh/** mrwkl,
-  audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
-  audit deny @{HOME}/.pki/nssdb/** w,
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2/ w,
+  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+  audit deny @{HOME}/.pki/{,nssdb/} w,
+  audit deny @{HOME}/.pki/nssdb/{,**} wl,
 
+  audit deny @{HOME}/.mozilla/{,**/} w,
   audit deny @{HOME}/.mozilla/*/*/* mrwkl,
-  audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
-  audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
-  audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
-  audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
+  audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+  audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
 
-  audit deny @{HOME}/.config/chromium/** mrwkl,
-  audit deny @{HOME}/.evolution/** mrwkl,
-  audit deny @{HOME}/.config/evolution/** mrwkl,
-  audit deny @{HOME}/.kde/share/config/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
+  audit deny @{HOME}/.config/ w,
+  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+  audit deny @{HOME}/.evolution/{,**} mrwkl,
+  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+  audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+  audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
   audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
-  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,
 
   # When LP: #451422 is fixed, change the above to simply be:
   ##include <abstractions/private-files-strict>
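Review bot: `audit deny @{HOME}/.kde/{,share/,share/apps/} w,` is added twice in this hunk, once before the kwallet rule and again before the `.kde/share/config` rule; the second copy is redundant and should be dropped. The reshaping from `**` to `{,**}` is otherwise consistent, but the `.pki/nssdb/{,**}` rule now denies `wl` where the old rule denied only `w`; if extending the deny to link creation is deliberate it deserves a word in the changelog entry, since that access was not previously covered by this rule.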

