Bug#930707: evince: misc apparmor profile updates

Jamie Strandboge jamie at ubuntu.com
Tue Jun 18 23:32:50 BST 2019


Package: evince
Version: 3.32.0-1
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu eoan ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/apparmor-profile:
    - allow 'rk' on @{HOME}/.config/enchant/* in evince
    - add additional org.gtk.vfs rules for metadata and List* DBus APIs
    - silence noisy denial for mktexpk, mktextfm, dvipdfm, dvipdfmx and mkofm
      since with the new gnome-desktop3 invocations of thumbnailers, NNP
      (no new privs) blocks transition to sanitized_helper. In addition,
      thumbnails are generated just fine without these
    - allow access to @{PROC}/@{pid}/fd/, @{PROC}/@{pid}/mountinfo and
      /sys/devices/system/cpu/ in the thumbnailer (needed by some helpers)
    - allow 'r' on @{HOME}/.texmf*/** in the thumbnailer
    - update gnome-desktop and add evince-thumbnailer /tmp file paths
    - allow read on '/' and deny write on /missfont.log which is happening now
      due to new thumbnailer invocation
  * debian/apparmor-profile.abstraction: allow directory read on
    /var/lib/texmf


Thanks for considering the patch.


-- System Information:
Debian Release: buster/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'disco-updates'), (500, 'disco-security'), (500, 'disco')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-16-generic (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru evince-3.32.0/debian/apparmor-profile evince-3.32.0/debian/apparmor-profile
--- evince-3.32.0/debian/apparmor-profile	2019-03-15 05:11:25.000000000 -0500
+++ evince-3.32.0/debian/apparmor-profile	2019-06-18 16:57:04.000000000 -0500
@@ -107,6 +107,7 @@
   /etc/dconf/**                                       r,
   owner @{HOME}/.cache/dconf/user                     rw,
   owner @{HOME}/.config/dconf/user                    r,
+  owner @{HOME}/.config/enchant/*                     rk,
   owner /{,var/}run/user/*/dconf/                     w,
   owner /{,var/}run/user/*/dconf/user                 rw,
   owner /{,var/}run/user/*/dconf-service/keyfile/     w,
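Review bot: the new `owner @{HOME}/.config/enchant/* rk,` rule uses a single `*`, which in AppArmor matches only direct children of the enchant directory, not the directory node itself or anything nested below it; if the observed denials included the directory (a `w`/`c` when enchant creates its per-language dictionary files), this rule will not cover them and the noise will remain. A short comment on why `k` (file locking) is needed would also help, since none of the neighbouring dconf rules carry it.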
@@ -219,6 +220,21 @@
     member="ListMountableInfo"
     peer=(label=unconfined),
 
+  # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
+  deny dbus (send)
+    bus=session
+    path="/org/gtk/vfs/metadata"
+    interface="org.gtk.vfs.Metadata"
+    member="GetTreeFromDevice"
+    peer=(label=unconfined),
+  deny @{HOME}/.local/share/gvfs-metadata/* r,
+
+  dbus (send)
+    bus=session
+    path="/org/gtk/vfs/Daemon"
+    interface="org.gtk.vfs.Daemon"
+    member="List*"
+    peer=(label=unconfined),
 
   # The thumbnailer doesn't need access to everything in the nameservice
   # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
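Review bot: `member="List*"` in the new org.gtk.vfs.Daemon send rule is a glob that also covers the `ListMountableInfo` member allowed by the rule just above it, so one of the two is now redundant; either fold the existing rule into the glob or enumerate the List members actually observed so this section stays as narrow as the surrounding D-Bus rules. Also, explicit `deny` rules take precedence over any allow and are quiet by default, so the two new deny rules (GetTreeFromDevice and `@{HOME}/.local/share/gvfs-metadata/* r`) hide those denials permanently; the comment says updating metadata is unneeded, but the second rule also blocks reading existing metadata, which the comment should state.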
@@ -242,10 +258,14 @@
   /etc/xpdf/* r,
 
   /usr/bin/gs-esp ixr,
-  /usr/bin/mktexpk Cx -> sanitized_helper,
-  /usr/bin/mktextfm Cx -> sanitized_helper,
-  /usr/bin/dvipdfm Cx -> sanitized_helper,
-  /usr/bin/dvipdfmx Cx -> sanitized_helper,
+  # Silence these denials since 'no new privs' drops transitions to
+  # sanitized_helper, we don't want all those perms in the thumbnailer
+  # and the thumbnailer generates thumbnails without these just fine.
+  deny /usr/bin/mktexpk x,
+  deny /usr/bin/mktextfm x,
+  deny /usr/bin/dvipdfm x,
+  deny /usr/bin/dvipdfmx x,
+  deny /usr/bin/mkofm x,
 
   # supported archivers
   /{usr/,}bin/gzip ixr,
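Review bot: replacing the `Cx -> sanitized_helper` transitions with unconditional `deny ... x,` rules means that DVI thumbnails which need font generation (mktexpk, mktextfm, mkofm) or DVI-to-PDF conversion (dvipdfm, dvipdfmx) will now fail quietly in every thumbnailer invocation, not only in the NNP-constrained gnome-desktop3 one, and because `deny` is quiet by default nothing will be logged when that happens. The comment should say this is accepted behaviour so a later reader does not treat missing DVI thumbnails as a regression or re-add the transitions without knowing why they were removed.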
@@ -260,6 +280,11 @@
   /{usr/,}bin/tar ixr,
   /usr/bin/xz ixr,
 
+  # miscellaneous access for the above
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  /sys/devices/system/cpu/ r,
+
   # allow read access to anything in /usr/share, for plugins and input methods
   /usr/local/share/** r,
   /usr/share/** r,
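Review bot: the comment `# miscellaneous access for the above` does not say which of the archivers or helpers needs `@{PROC}/@{pid}/fd/`, `@{PROC}/@{pid}/mountinfo` or `/sys/devices/system/cpu/`; the changelog only says "some helpers", so name them here so the rules can be dropped when those helpers change. `/sys/devices/system/cpu/ r` grants a directory listing only, not the files beneath it, which is presumably intended; `mountinfo` exposes the full mount table to the thumbnailer, which is exactly the kind of layout information a thumbnailer profile exists to keep from a malicious document, so a one-line justification is warranted.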
@@ -291,6 +316,7 @@
   /**.[xX][zZ]         r,
 
   owner @{HOME}/.texlive*/** r,
+  owner @{HOME}/.texmf*/** r,
   owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
   owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
 
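Review bot: the two `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` context lines below the new `.texmf*` rule are byte-for-byte duplicates; since this hunk already touches that block, drop one of them. The `.texmf*/**` glob matches `.texmf-var` and `.texmf-config` as intended but also any other dotfile tree beginning with `.texmf`; acceptable for read-only access, but worth keeping in mind when reading future denials.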
@@ -301,7 +327,12 @@
   owner /media/**  r,
 
   owner /tmp/.gnome_desktop_thumbnail* w,
-  owner /tmp/gnome-desktop-thumbnailer* w,
+  owner /tmp/gnome-desktop-* rw,
+  owner /tmp/evince-thumbnailer*/{,**} rw,
+  
+  # these happen post pivot_root
+  / r,
+  deny /missfont.log w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.evince>
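Review bot: `owner /tmp/gnome-desktop-* rw,` both widens the match (any `gnome-desktop-` prefix instead of `gnome-desktop-thumbnailer*`) and adds read where the replaced rule allowed only write; the changelog entry "update gnome-desktop ... /tmp file paths" does not account for the added read, so either record the observed denial in a comment or keep `w`. The `+  ` line after the evince-thumbnailer rule carries trailing whitespace. The `# these happen post pivot_root` comment would help more if it said whose pivot_root is meant (the new gnome-desktop3 thumbnailer invocation named in the changelog) and that `/` is therefore the sandbox root under which `missfont.log` gets written, since a bare `/ r` plus `deny /missfont.log w` in an evince profile otherwise reads like a mistake.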
diff -Nru evince-3.32.0/debian/apparmor-profile.abstraction evince-3.32.0/debian/apparmor-profile.abstraction
--- evince-3.32.0/debian/apparmor-profile.abstraction	2019-03-15 05:11:25.000000000 -0500
+++ evince-3.32.0/debian/apparmor-profile.abstraction	2019-06-18 16:55:48.000000000 -0500
@@ -62,7 +62,7 @@
   /usr/share/** r,
   /usr/lib/ghostscript/** mr,
   /var/lib/ghostscript/** r,
-  /var/lib/texmf/** r,
+  /var/lib/texmf/{,**} r,
 
   # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
   # read for all supported file formats
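Review bot: `/var/lib/texmf/{,**} r,` is the right idiom here, since `/var/lib/texmf/**` alone does not match the `/var/lib/texmf/` directory node that the new thumbnailer invocation evidently lists; the same `{,**}` form may eventually be needed for the `@{HOME}/.texlive*/**` and `.texmf*/**` rules in the profile if the thumbnailer enumerates those directories too, but only add it once such a denial has actually been observed.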

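The rules in the patch above were derived from kernel audit records of the form `apparmor="DENIED" operation=... profile=... name=... requested_mask=...`; triaging such records by hand is what produces the "noisy denial" changelog entries. The following is an added example, not part of the Debian/Ubuntu patch or of evince: it parses a few constructed AppArmor DENIED lines (the profile label `/usr/bin/evince-thumbnailer`, pids and timestamps are assumptions, not values from this bug) and turns them into candidate rule lines of the same shape as those in the patch, merging masks per object and deciding whether an `owner` qualifier would still match every record seen.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example for this page; not code from the evince package or its
AppArmor patch. Field names (apparmor, operation, profile, name,
requested_mask, fsuid, ouid, bus, path, interface, member, mask, label,
peer_label) are the ones AppArmor audit records carry; the sample records
below are constructed, and the profile label is an assumption.
"""
import re
from collections import OrderedDict

# Constructed records (not real log data): a write at the sandbox root,
# a TeX helper exec, a /proc read and a D-Bus method call, i.e. one of
# each kind of access the patch above deals with.
SAMPLE_LOG = """\
audit: type=1400 audit(1560882000.101:51): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/missfont.log" pid=4242 comm="mktexpk" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=0
audit: type=1400 audit(1560882000.102:52): apparmor="DENIED" operation="exec" profile="/usr/bin/evince-thumbnailer" name="/usr/bin/mktexpk" pid=4243 comm="evince-thumbnai" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1560882000.103:53): apparmor="DENIED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/proc/4243/mountinfo" pid=4243 comm="evince-thumbnai" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1560882000.104:54): apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=4243 label="/usr/bin/evince-thumbnailer" peer_label="unconfined"
"""

# key=value or key="quoted value" pairs as they appear in audit records
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# requested_mask letters -> profile rule letters. Create ('c') and delete
# ('d') are covered by 'w' in rule syntax; the rest map to themselves.
MASK_MAP = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
            "x": "x", "m": "m", "k": "k", "l": "l"}
RULE_ORDER = "rwamlkx"


def parse_record(line):
    """Return the key/value fields of one audit line, or None if the line
    carries no apparmor= field (i.e. is not an AppArmor record)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields if "apparmor" in fields else None


def _mask_to_rule(letters):
    mapped = {MASK_MAP[c] for c in letters if c in MASK_MAP}
    return "".join(c for c in RULE_ORDER if c in mapped)


def suggest_rules(lines):
    """Group DENIED records by confined label and object, merge the
    requested masks, and return {label: [rule, ...]} in first-seen order.
    A file rule gets the 'owner' qualifier only if fsuid == ouid held for
    every record of that object, otherwise an owner rule would not match."""
    files = OrderedDict()   # (profile, name) -> {"masks": set, "owner": bool}
    dbus = OrderedDict()    # (label, bus, path, iface, member, mask, peer)
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation", "").startswith("dbus_"):
            dbus[(rec.get("label", "?"), rec.get("bus", "?"), rec.get("path", "?"),
                  rec.get("interface", "?"), rec.get("member", "?"),
                  rec.get("mask", "send"), rec.get("peer_label", "unconfined"))] = None
            continue
        if "name" not in rec or "profile" not in rec:
            continue
        ent = files.setdefault((rec["profile"], rec["name"]),
                               {"masks": set(), "owner": True})
        ent["masks"].update(rec.get("requested_mask", ""))
        if rec.get("fsuid") != rec.get("ouid"):
            ent["owner"] = False
    out = OrderedDict()
    for (profile, name), ent in files.items():
        mask = _mask_to_rule(ent["masks"])
        rule = f"{'owner ' if ent['owner'] else ''}{name} {mask},"
        if "x" in mask:
            # exec needs a qualifier the log cannot tell us; leave the choice
            # (ix/Px/Cx, or an explicit deny to silence it) to the reviewer
            rule += "  # exec: choose ix/Px/Cx, or 'deny ... x,' to silence"
        out.setdefault(profile, []).append(rule)
    for (label, bus, path, iface, member, mask, peer) in dbus:
        out.setdefault(label, []).append(
            f"dbus ({mask})\n  bus={bus}\n  path=\"{path}\"\n"
            f"  interface=\"{iface}\"\n  member=\"{member}\"\n"
            f"  peer=(label={peer}),")
    return out


def render(rules):
    """Format suggest_rules() output as one block per profile label."""
    return "\n".join(f"# {label}\n" + "\n".join(rs) for label, rs in rules.items())


if __name__ == "__main__":
    print(render(suggest_rules(SAMPLE_LOG.splitlines())))
```

Run against the sample, the output reproduces the shape of the patch's own rules: `/missfont.log w,` without `owner` (the root directory is owned by root, so an owner rule would never match), `owner /proc/4243/mountinfo r,` (the `@{PROC}/@{pid}` substitution is left to the reviewer), an exec line flagged for a qualifier decision, and a six-line `dbus (send)` rule for the org.gtk.vfs.Daemon call. Explicit `deny` rules are quiet by default, so once the patch's deny lines are loaded the corresponding records stop appearing in this input.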

More information about the pkg-gnome-maintainers mailing list