[apparmor] [profile] Evince: the lack of "private-files-strict" and lenient, dangerous rules related to the @{HOME} folder.
Jamie Strandboge
jamie at canonical.com
Wed Nov 29 15:33:25 UTC 2017
On Wed, 2017-11-29 at 12:30 +0000, daniel curtis wrote:
> Hello
>
> Yesterday, I noticed a strange lack of an abstraction rule in a default
> Evince profile (provided with the 16.04 LTS install) and I would like to
> ask if it's just an oversight and one rule should be added:
> "abstractions/private-files-strict"? Generally, this profile contains
> sub-profiles with these rules:
>
> /usr/bin/evince {
>   (...)
>   # This is needed for saving files in your home directory without
>   # an extension. Changing this to '@{HOME}/** r' makes it require
>   # an extension and more secure (but with 'rw', we still have
>   # abstractions/private-files-strict in effect).
>   owner @{HOME}/** rw,
>   owner /media/** rw,
>
> /usr/bin/evince-previewer {
>   (...)
>   # Lenient, but remember we still have abstractions/private-files-strict
>   # in effect). Write is needed for 'print to file' from the previewer.
>   @{HOME}/ r,
>   @{HOME}/** rw,
>
> /usr/bin/evince-thumbnailer {
>   (...)
>   # Lenient, but remember we still have abstractions/private-files-strict
>   # in effect).
>   @{HOME}/ r,
>   owner @{HOME}/** rw,
>   owner /media/** rw,
> }
>
> As we can see, there are comments suggesting that an abstraction rule with
> "private-files-strict" is in use, but it's not. (At least in the 16.04 LTS
> default profile.) What do you think about this? Should an abstraction's
> "private-files-strict" rule be added to the Evince profile and all
> sub-profiles?
>
Remember that these evince profiles include abstractions/evince. This has:

  # Use abstractions/private-files instead of abstractions/private-files-strict
  # and add the sensitive files manually to work around LP: #451422. The goal
  # is to disallow access to the .mozilla folder in general, but to allow
  # access to the Cache directory, which the browser may tell evince to open
  # from directly.
  #include <abstractions/private-files>
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,
  ...
--
Jamie Strandboge | http://www.canonical.com
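To show why the lenient `owner @{HOME}/** rw` rule is still narrowed by the explicit denies that abstractions/evince adds, here is an added example (not part of this thread or of the AppArmor project) that models AppArmor path-glob matching and deny-over-allow precedence in Python. The `/home/alice` value for @{HOME}, the sample paths and the simplified glob and owner semantics are constructed assumptions, not AppArmor internals.

```python
import re

HOME = "/home/alice"  # constructed value standing in for @{HOME}

# Rules quoted in the thread: the lenient evince rules plus the explicit
# denies that abstractions/evince layers on top of abstractions/private-files.
EVINCE_RULES = """
owner @{HOME}/** rw,
owner /media/** rw,
audit deny @{HOME}/.gnupg/** mrwkl,
audit deny @{HOME}/.ssh/** mrwkl,
"""

RULE_RE = re.compile(
    r"^(audit\s+)?(?P<deny>deny\s+)?(?P<owner>owner\s+)?(?P<path>\S+)\s+(?P<perms>[mrwklix]+),$"
)

def glob_to_regex(path_glob, home=HOME):
    """Expand @{HOME} and translate AppArmor globbing into an anchored regex.
    '*' matches within one path component, '**' may cross '/' (simplified)."""
    g = path_glob.replace("@{HOME}", home)
    out, i = "", 0
    while i < len(g):
        if g.startswith("**", i):
            out, i = out + ".*", i + 2
        elif g[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(g[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Parse one file rule per line into dicts; raise on anything unparsed."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append({"deny": bool(m["deny"]), "owner": bool(m["owner"]),
                      "re": glob_to_regex(m["path"]), "perms": set(m["perms"])})
    return rules

def check(rules, path, perm, is_owner=True):
    """Decide one access: 'deny', 'allow', or 'unmatched' (also a denial)."""
    hits = [r for r in rules if perm in r["perms"] and r["re"].match(path)
            and (is_owner or not r["owner"])]
    if any(r["deny"] for r in hits):
        return "deny"      # an explicit deny beats every matching allow
    return "allow" if hits else "unmatched"
```

Running `check` against `parse_rules(EVINCE_RULES)` shows `~/.ssh/id_rsa` denied even though the `@{HOME}/**` rule matches it, while the same request against only the lenient rule is allowed, which is the gap the abstraction's deny lines close.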