diff -Nru evince-3.18.2/debian/apparmor-profile evince-3.18.2/debian/apparmor-profile
--- evince-3.18.2/debian/apparmor-profile 2016-03-08 21:38:47.000000000 +0000
+++ evince-3.18.2/debian/apparmor-profile 2019-06-18 20:54:44.000000000 +0000
@@ -1,6 +1,15 @@
 # vim:syntax=apparmor
-# Author: Kees Cook
-# Jamie Strandboge
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
 #include
@@ -8,8 +17,6 @@
 #include
 #include
 #include
- #include
- #include
 #include
 #include
 #include
@@ -21,6 +28,26 @@
 #include
 #include
+ # For now, let evince talk to any session services over dbus. We can
+ # blacklist any problematic ones (but note, evince uses libsecret :\)
+ #include
+
+ #include
+ dbus (receive) bus=system,
+ # Allow getting information from various system services
+ dbus (send)
+ bus=system
+ member="Get*"
+ peer=(label=unconfined),
+ # Allow talking to avahi with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.Avahi{,.*}",
+ # Allow talking to colord with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.ColorManager{,.*}",
+
 # Terminals for using console applications. These abstractions should ideally
 # have 'ix' to restrict access to what only evince is allowed to do
 #include
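Review bot: The new `dbus (send) bus=system member="Get*" peer=(label=unconfined),` rule carries no `interface=` or `path=`, so unlike the avahi and colord rules below it, which pin an interface, it matches every Get-prefixed method on every unconfined system-bus service (including `org.freedesktop.DBus.Properties.GetAll` on any object), and the `dbus (receive) bus=system,` line above it is equally unscoped. The comment only says "various system services"; if the consumers are known (the changelog cites printing), naming the interface, e.g. `interface="org.freedesktop.DBus.Properties"`, or at least listing the intended services in the comment would make the rule auditable. The same block is repeated verbatim for evince-previewer in the `@@ -128,6 +157,27 @@` hunk and needs the same treatment. The enclosing profile body continues outside the hunk.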
@@ -53,6 +80,10 @@
 # For Send to
 /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+ # GLib desktop launch helper (used under the hood by g_app_info_launch)
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+ /usr/bin/env ixr,
+
 # allow directory listings (ie 'r' on directories) so browsing via the file
 # dialog works
 / r,
@@ -115,9 +146,7 @@
 #include
 #include
 #include
- #include
 #include
- #include
 #include
 #include
 #include
@@ -128,6 +157,27 @@
 #include
 #include
+ # For now, let evince talk to any session services over dbus. We can
+ # blacklist any problematic ones (but note, evince uses libsecret :\)
+ #include
+
+ #include
+ dbus (receive) bus=system,
+ # Allow getting information from various system services
+ dbus (send)
+ bus=system
+ member="Get*"
+ peer=(label=unconfined),
+ # Allow talking to avahi with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.Avahi{,.*}",
+ # Allow talking to colord with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.ColorManager{,.*}",
+
+
 # Terminals for using console applications. These abstractions should ideally
 # have 'ix' to restrict access to what only evince is allowed to do
 #include
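Review bot: `/usr/bin/env ixr,` is added without the `/{usr/,}bin/` alternation that this same update introduces for gzip, bzip2 and tar in the thumbnailer and abstraction hunks, and the changelog entry describes the rule as `/bin/env`; for consistency with those rules and with merged-/usr layouts it should read `/{usr/,}bin/env ixr,`. Because `ix` keeps env under evince's own profile, whatever env goes on to execute is still limited to the exec rules in this profile, which deserves a one-line comment beside the rule, e.g. `# ix: env inherits this profile, so its target stays bound by the exec rules here`. The profile body continues outside the hunk.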
@@ -152,8 +202,30 @@
 }
 /usr/bin/evince-thumbnailer {
- #include
- #include
+ #include
+ #include
+
+ #include
+ deny @{HOME}/.{,cache/}fontconfig/** wl,
+ deny @{HOME}/missfont.log wl,
+
+ #include
+ dbus (receive) bus=session,
+ dbus (send)
+ bus=session
+ path="/org/gtk/vfs/mounttracker"
+ interface="org.gtk.vfs.MountTracker"
+ member="ListMountableInfo"
+ peer=(label=unconfined),
+
+ # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
+ deny dbus (send)
+ bus=session
+ path="/org/gtk/vfs/metadata"
+ interface="org.gtk.vfs.Metadata"
+ member="GetTreeFromDevice"
+ peer=(label=unconfined),
+ deny @{HOME}/.local/share/gvfs-metadata/* r,
 # The thumbnailer doesn't need access to everything in the nameservice
 # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
@@ -168,11 +240,83 @@
 network inet dgram,
 network inet6 dgram,
+ /etc/papersize r,
+ /usr/bin/evince-thumbnailer mr,
- # Lenient, but remember we still have abstractions/private-files-strict in
- # effect).
+ /etc/texmf/ r,
+ /etc/texmf/** r,
+ /etc/xpdf/* r,
+
+ /usr/bin/gs-esp ixr,
+ /usr/bin/mktexpk Cx -> sanitized_helper,
+ /usr/bin/mktextfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+ # supported archivers
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+ /usr/bin/unrar* ixr,
+ /usr/bin/unzip ixr,
+ /usr/bin/7zr ixr,
+ /usr/lib/p7zip/7zr ixr,
+ /usr/bin/7za ixr,
+ /usr/lib/p7zip/7za ixr,
+ /usr/bin/zipnote ixr,
+ /{usr/,}bin/tar ixr,
+ /usr/bin/xz ixr,
+
+ # miscellaneous access for the above
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ /sys/devices/system/cpu/ r,
+
+ # allow read access to anything in /usr/share, for plugins and input methods
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /usr/lib/ghostscript/** mr,
+ /var/lib/ghostscript/** r,
+ /var/lib/texmf/** r,
+
+ # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+ # read for all supported file formats
+ /**.[bB][mM][pP] r,
+ /**.[dD][jJ][vV][uU] r,
+ /**.[dD][vV][iI] r,
+ /**.[gG][iI][fF] r,
+ /**.[jJ][pP][gG] r,
+ /**.[jJ][pP][eE][gG] r,
+ /**.[oO][dD][pP] r,
+ /**.[fFpP][dD][fF] r,
+ /**.[pP][nN][mM] r,
+ /**.[pP][nN][gG] r,
+ /**.[pP][sS] r,
+ /**.[eE][pP][sS] r,
+ /**.[eE][pP][sS][fFiI23] r,
+ /**.[tT][iI][fF] r,
+ /**.[tT][iI][fF][fF] r,
+ /**.[xX][pP][mM] r,
+ /**.[gG][zZ] r,
+ /**.[bB][zZ]2 r,
+ /**.[cC][bB][rRzZ7] r,
+ /**.[xX][zZ] r,
+
+ owner @{HOME}/.texlive*/** r,
+ owner @{HOME}/.texmf*/** r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+ # With the network rules above, this allows data exfiltration for files
+ # not covered by private-files-strict.
 @{HOME}/ r,
- owner @{HOME}/** rw,
- owner /media/** rw,
+ owner @{HOME}/[^.]** r,
+ owner /media/** r,
+
+ owner /tmp/.gnome_desktop_thumbnail* w,
+ owner /tmp/gnome-desktop-thumbnailer* w,
+ owner /tmp/evince-thumbnailer*/{,**} rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
 }
diff -Nru evince-3.18.2/debian/apparmor-profile.abstraction evince-3.18.2/debian/apparmor-profile.abstraction
--- evince-3.18.2/debian/apparmor-profile.abstraction 2016-03-08 21:38:47.000000000 +0000
+++ evince-3.18.2/debian/apparmor-profile.abstraction 2019-06-18 19:27:51.000000000 +0000
@@ -46,8 +46,8 @@
 /usr/bin/dvipdfmx Cx -> sanitized_helper,
 # supported archivers
- /bin/gzip ixr,
- /bin/bzip2 ixr,
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
 /usr/bin/unrar* ixr,
 /usr/bin/unzip ixr,
 /usr/bin/7zr ixr,
@@ -55,7 +55,7 @@
 /usr/bin/7za ixr,
 /usr/lib/p7zip/7za ixr,
 /usr/bin/zipnote ixr,
- /bin/tar ixr,
+ /{usr/,}bin/tar ixr,
 /usr/bin/xz ixr,
 # allow read access to anything in /usr/share, for plugins and input methods
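Review bot: `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` is added twice in a row in the new evince-thumbnailer rules; one copy should be dropped. Separately, the `/**.[fFpP][dD][fF] r,` family of extension rules is neither `owner`-scoped nor subject to the `[^.]` restriction that the new `owner @{HOME}/[^.]** r,` applies, so files with those extensions under dot-directories stay readable to the thumbnailer; the comment already placed above the `@{HOME}/` rules notes the exfiltration angle, and a sentence recording that the extension globs are the exception would keep the two in step, e.g. `# note: the /**.<ext> read rules above are not owner-scoped and still match dot-directories`.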
@@ -95,26 +95,33 @@
 # from directly.
 #include
- audit deny @{HOME}/.gnupg/** mrwkl,
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
- audit deny @{HOME}/.pki/nssdb/** w,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+ audit deny @{HOME}/.pki/{,nssdb/} w,
+ audit deny @{HOME}/.pki/nssdb/{,**} wl,
+ audit deny @{HOME}/.mozilla/{,**/} w,
 audit deny @{HOME}/.mozilla/*/*/* mrwkl,
- audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
- audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
- audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
- audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
-
- audit deny @{HOME}/.config/chromium/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{HOME}/.config/evolution/** mrwkl,
- audit deny @{HOME}/.kde/share/config/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
+ audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
+
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,
 # When LP: #451422 is fixed, change the above to simply be:
 ##include
diff -Nru evince-3.18.2/debian/changelog evince-3.18.2/debian/changelog
--- evince-3.18.2/debian/changelog 2019-04-25 15:32:10.000000000 +0000
+++ evince-3.18.2/debian/changelog 2019-06-18 21:03:52.000000000 +0000
@@ -1,3 +1,23 @@
+evince (3.18.2-1ubuntu4.5) xenial-security; urgency=medium
+
+ * apparmor-profile: apply hardening from Ubuntu 18.10
+ - add preamble for expectations of the profile
+ - evince{-previewer}: restrict access to DBus system bus (we allow full
+ access to session, translation and accessibility buses for compatibility)
+ + allow Get* to anything polkit allows
+ + allow talking to avahi (for printing)
+ + allow talking to colord (for printing)
+ - make the thumbnailer more restrictive (LP: #1794848) (Closes: #909849)
+ + remove evince abstraction and use only what is needed from it
+ + limit access to DBus session bus
+ + generally disallow writes
+ + allow reads for non-hidden files
+ * debian/apparmor-profile.abstraction: apply hardening from Ubuntu 18.10
+ - disallow access to the dirs of private files (LP: #1788929)
+ * debian/apparmor-profile: allow /bin/env ixr
+
+ -- Jamie Strandboge Tue, 18 Jun 2019 19:28:02 +0000
+
 evince (3.18.2-1ubuntu4.4) xenial-security; urgency=medium
 * SECURITY UPDATE: Uninitialized memory use
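Review bot: `audit deny @{HOME}/.kde/{,share/,share/apps/} w,` is added twice in this hunk, once beside the kwallet rule and again beside the `.kde/share/config` rule; the second copy is redundant and should be dropped. The switch from `/**` to `/{,**}` and the new directory-level `w` denies (`.gnome2/`, `.config/`, `.pki/{,nssdb/}`, `.mozilla/{,**/}`) appear intended to cover the directory entries themselves rather than only their contents, which matches the changelog's "disallow access to the dirs of private files", but nothing in the file says so; a one-line comment above the block, e.g. `# {,**} and the bare-directory w rules deny the containing directories too, not just their contents (LP: #1788929)`, would record the reason the globs changed.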