Comment 3 for bug 1788929

Jamie Strandboge (jdstrand) wrote : Re: Debian/Ubuntu AppArmor policy for evince is useless

Thank you for the report.

For some context, evince was not designed with application isolation in mind and was instead designed under the assumption that the desktop session is trusted. When the profile was designed years ago, it was intended to only provide hardening and predated many things such as mediation of dbus and unix sockets. It was also understood that the profile had to be generally usable in the default install, and therefore had to be rather lenient (as documented in the policy). Later, when dbus mediation came along, we initially added only dbus compatibility rules (i.e., dbus-session) that more or less made it work like before there was dbus mediation. It was always intended that we review evince's DBus needs, but that didn't happen. That said, IMO, the most correct solution is to sandbox the process that is doing the thumbnailing instead of the entire application that might call out to a thumbnailer (like what upstream did with bubblewrap, but the sandboxing could be anything; the point is, the thing that is processing input has severely limited access to files, exec, networking, IPC, etc, etc).

With the context out of the way, it is understood that blacklisting is not the preferred approach and that it is brittle (that is why AppArmor is whitelist by default). I'm not sure when .thumbnailer files were introduced that allow specifying arbitrary commands (yikes, see above comments on trusted desktop session), but as a hardening measure, clearly the profile should be adjusted to address this. Thank you for pointing this out.

As for DBus, yes, it shouldn't need it and we should've adjusted this to use at a minimum dbus-session-strict.

For the general issue, what should happen (in this order), is:

1. fix ghostscript/etc for open CVEs (INPROGRESS)
2. implement a properly designed sandbox mechanism for at least 18.04+ (e.g., the bubblewrap MIR): INPROGRESS
3. improve the existing hardening measures in the apparmor profile for at least <18.04. This would at a minimum include severely limiting the thumbnailer access to DBus and .thumbnailer profiles. We should investigate disallowing all dot files.

I hope this clarifies things on the intent and evolution of the profile. Thanks again for the report.
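The profile changes sketched in step 3 above, written out as an added illustration: this is not the Debian/Ubuntu evince profile or part of the comment, and the profile name, the thumbnailer directory under `@{HOME}` and the dot-file rules are assumptions chosen to show the mechanism.

```apparmor
# Hypothetical hardening fragment for a thumbnailer profile (illustration only).
# Assumes the profile already starts with "#include <tunables/global>" so that
# @{HOME} is defined, and that the standard abstractions are installed.

# Lenient rule as described in the comment: the compatibility abstraction grants
# broad session-bus access, which a thumbnailer does not need.
#   #include <abstractions/dbus-session>

# Stricter replacement: only the bus connection itself is allowed; any send or
# receive would have to be listed explicitly, and a thumbnailer needs none.
#include <abstractions/dbus-session-strict>

# .thumbnailer definitions specify commands that other desktop components run,
# so a process that parses untrusted input must never be able to create or
# modify them. Assumed location: the per-user thumbnailer directory.
audit deny @{HOME}/.local/share/thumbnailers/** wl,
audit deny @{HOME}/**/*.thumbnailer wl,

# Candidate follow-up from the comment: deny all dot files under $HOME.
# Caveat: in AppArmor a deny rule always wins over an allow rule, so this also
# blocks the profile's own config paths (e.g. a .config subdirectory); the
# profile's legitimate dot-file needs must be checked before adopting it.
audit deny @{HOME}/.* rwlk,
audit deny @{HOME}/.*/** rwlk,
```

Reload with `apparmor_parser -r` on the profile and exercise the thumbnailer on a sample file; any remaining needs show up as DENIED entries in the audit log rather than being silently granted.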