From bdbf2cf07b55409f426028ca501281343ea99107 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20Guzm=C3=A1n?=
Date: Fri, 6 Dec 2024 15:40:29 +0000
Subject: [PATCH] atril: add custom apparmor profile for atril
---
helpers/DATA/atril/apparmor-profile | 350 ++++++++++++++++++
.../DATA/atril/apparmor-profile.abstraction | 127 +++++++
helpers/DATA/atril/atril.apport | 21 ++
.../patches/add_install_profiles_rules.patch | 29 ++
helpers/make-atril | 34 ++
5 files changed, 561 insertions(+)
create mode 100644 helpers/DATA/atril/apparmor-profile
create mode 100644 helpers/DATA/atril/apparmor-profile.abstraction
create mode 100644 helpers/DATA/atril/atril.apport
create mode 100644 helpers/DATA/atril/patches/add_install_profiles_rules.patch
create mode 100644 helpers/make-atril
diff --git a/helpers/DATA/atril/apparmor-profile b/helpers/DATA/atril/apparmor-profile
new file mode 100644
index 0000000..6cbe53e
--- /dev/null
+++ b/helpers/DATA/atril/apparmor-profile
@@ -0,0 +1,350 @@
+# vim:syntax=apparmor
+
+# evince is not written with application confinement in mind and is designed to
+# operate within a trusted desktop session where anything running within the
+# user's session is trusted. That said, evince will often process untrusted
+# input (PDFs, images, etc). Ideally evince would be written in such a way that
+# image processing is separate from the main process and that processing
+# happens in a restrictive sandbox, but unfortunately that is not currently the
+# case. Because evince will process untrusted input, this profile aims to
+# provide some hardening, but considering evince's design and other factors such
+# as X, gsettings, accessibility, translations, DBus session and system
+# services, etc, complete confinement is not possible.
+
+#include
+
+/usr/bin/atril {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+ #include
+
+ # For now, let atril talk to any session services over dbus. We can
+ # blacklist any problematic ones (but note, evince uses libsecret :\)
+ #include
+
+ #include
+ dbus (receive) bus=system,
+ # Allow getting information from various system services
+ dbus (send)
+ bus=system
+ member="Get*"
+ peer=(label=unconfined),
+ # Allow talking to avahi with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.Avahi{,.*}",
+ # Allow talking to colord with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.ColorManager{,.*}",
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrict access to what only atril is allowed to do
+ #include
+
+ # By default, we won't support launching a terminal program in Xterm or
+ # KDE's konsole. It opens up too many unnecessary files for most users.
+ # People who need this functionality can uncomment the following:
+ ##include
+ ##include
+
+ /usr/bin/atril rmPx,
+ /usr/bin/atril-previewer Px,
+ /usr/bin/yelp Cx -> sanitized_helper,
+ /usr/bin/bug-buddy px,
+ # 'Show Containing Folder' (LP: #1022962)
+ /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
+ /usr/bin/pcmanfm Cx -> sanitized_helper, # LXDE
+ /usr/bin/krusader Cx -> sanitized_helper, # KDE
+ /usr/bin/thunar Cx -> sanitized_helper, # XFCE
+
+ # Print Dialog
+ /usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,
+
+ # For Xubuntu to launch the browser
+ #include
+
+ # For text attachments
+ /usr/bin/gedit ixr,
+
+ # For Send to
+ /usr/bin/nautilus-sendto Cx -> sanitized_helper,
+
+ # GLib desktop launch helper (used under the hood by g_app_info_launch)
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
+ /usr/bin/env ixr,
+
+ # allow directory listings (ie 'r' on directories) so browsing via the file
+ # dialog works
+ / r,
+ /**/ r,
+
+ # This is need for saving files in your home directory without an extension.
+ # Changing this to '@{HOME}/** r' makes it require an extension and more
+ # secure (but with 'rw', we still have abstractions/private-files-strict in
+ # effect).
+ owner @{HOME}/** rw,
+ owner /media/** rw,
+ owner @{HOME}/.local/share/gvfs-metadata/** l,
+ owner /{,var/}run/user/*/gvfs-metadata/** l,
+
+ # Maybe add to an abstraction?
+ /etc/dconf/** r,
+ owner @{HOME}/.cache/dconf/user rw,
+ owner @{HOME}/.config/dconf/user r,
+ owner @{HOME}/.config/enchant/* rk,
+ owner /{,var/}run/user/*/dconf/ w,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner /{,var/}run/user/*/dconf-service/keyfile/ w,
+ owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
+
+ owner /{,var/}run/user/*/at-spi2-*/ rw,
+ owner /{,var/}run/user/*/at-spi2-*/** rw,
+
+ # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
+ # https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
+ owner /{,var/}run/user/*/at-spi/bus* rw,
+
+ # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+ # read and write for all supported file formats
+ /**.[aA][iI] rw,
+ /**.[bB][mM][pP] rw,
+ /**.[dD][jJ][vV][uU] rw,
+ /**.[dD][vV][iI] rw,
+ /**.[gG][iI][fF] rw,
+ /**.[jJ][pP][gG] rw,
+ /**.[jJ][pP][eE][gG] rw,
+ /**.[oO][dD][pP] rw,
+ /**.[fFpP][dD][fF] rw,
+ /**.[pP][nN][mM] rw,
+ /**.[pP][nN][gG] rw,
+ /**.[pP][sS] rw,
+ /**.[eE][pP][sS] rw,
+ /**.[tT][iI][fF] rw,
+ /**.[tT][iI][fF][fF] rw,
+ /**.[xX][pP][mM] rw,
+ /**.[gG][zZ] rw,
+ /**.[bB][zZ]2 rw,
+ /**.[cC][bB][rRzZ7] rw,
+ /**.[xX][zZ] rw,
+
+ # atril creates a temporary stream file like '.goutputstream-XXXXXX' in the
+ # directory a file is saved. This allows that behavior.
+ owner /**/.goutputstream-* w,
+
+ # allow atril to spawn browsers distributed as snaps (LP: #1794064)
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
+}
+
+/usr/bin/atril-previewer {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # For now, let atril talk to any session services over dbus. We can
+ # blacklist any problematic ones (but note, evince uses libsecret :\)
+ #include
+
+ #include
+ dbus (receive) bus=system,
+ # Allow getting information from various system services
+ dbus (send)
+ bus=system
+ member="Get*"
+ peer=(label=unconfined),
+ # Allow talking to avahi with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.Avahi{,.*}",
+ # Allow talking to colord with whatever polkit allows
+ dbus (send)
+ bus=system
+ interface="org.freedesktop.ColorManager{,.*}",
+
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrict access to what only atril is allowed to do
+ #include
+
+ # By default, we won't support launching a terminal program in Xterm or
+ # KDE's konsole. It opens up too many unnecessary files for most users.
+ # People who need this functionality can uncomment the following:
+ ##include
+
+ /usr/bin/atril-previewer mr,
+ /usr/bin/yelp Cx -> sanitized_helper,
+ /usr/bin/bug-buddy px,
+
+ # Lenient, but remember we still have abstractions/private-files-strict in
+ # effect). Write is needed for 'print to file' from the previewer.
+ @{HOME}/ r,
+ @{HOME}/** rw,
+
+ # Maybe add to an abstraction?
+ owner /{,var/}run/user/*/dconf/ w,
+ owner /{,var/}run/user/*/dconf/user rw,
+}
+
+/usr/bin/atril-thumbnailer {
+ #include
+ #include
+
+ #include
+ deny @{HOME}/.{,cache/}fontconfig/** wl,
+ deny @{HOME}/missfont.log wl,
+
+ #include
+ dbus (receive) bus=session,
+ dbus (send)
+ bus=session
+ path="/org/gtk/vfs/mounttracker"
+ interface="org.gtk.vfs.MountTracker"
+ member="ListMountableInfo"
+ peer=(label=unconfined),
+
+ # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
+ deny dbus (send)
+ bus=session
+ path="/org/gtk/vfs/metadata"
+ interface="org.gtk.vfs.Metadata"
+ member="GetTreeFromDevice"
+ peer=(label=unconfined),
+ deny @{HOME}/.local/share/gvfs-metadata/* r,
+
+ dbus (send)
+ bus=session
+ path="/org/gtk/vfs/Daemon"
+ interface="org.gtk.vfs.Daemon"
+ member="List*"
+ peer=(label=unconfined),
+
+ # The thumbnailer doesn't need access to everything in the nameservice
+ # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
+ # logging denial of nsswitch.conf.
+ /etc/passwd r,
+ /etc/group r,
+ deny /etc/nsswitch.conf r,
+
+ # TCP/UDP network access for NFS
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+
+ /etc/papersize r,
+
+ /usr/bin/atril-thumbnailer mr,
+
+ /etc/texmf/ r,
+ /etc/texmf/** r,
+ /etc/xpdf/* r,
+
+ /usr/bin/gs-esp ixr,
+ # Silence these denials since 'no new privs' drops transitions to
+ # sanitized_helper, we don't want all those perms in the thumbnailer
+ # and the thumbnailer generates thumbnails without these just fine.
+ deny /usr/bin/mktexpk x,
+ deny /usr/bin/mktextfm x,
+ deny /usr/bin/dvipdfm x,
+ deny /usr/bin/dvipdfmx x,
+ deny /usr/bin/mkofm x,
+
+ # supported archivers
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+ /usr/bin/unrar* ixr,
+ /usr/bin/unzip ixr,
+ /usr/bin/7zr ixr,
+ /usr/lib/p7zip/7zr ixr,
+ /usr/bin/7za ixr,
+ /usr/lib/p7zip/7za ixr,
+ /usr/bin/zipnote ixr,
+ /{usr/,}bin/tar ixr,
+ /usr/bin/xz ixr,
+
+ # miscellaneous access for the above
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ /sys/devices/system/cpu/ r,
+
+ # allow read access to anything in /usr/share, for plugins and input methods
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /usr/lib/ghostscript/** mr,
+ /var/lib/ghostscript/** r,
+ /var/lib/texmf/** r,
+
+ # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+ # read for all supported file formats
+ /**.[bB][mM][pP] r,
+ /**.[dD][jJ][vV][uU] r,
+ /**.[dD][vV][iI] r,
+ /**.[gG][iI][fF] r,
+ /**.[jJ][pP][gG] r,
+ /**.[jJ][pP][eE][gG] r,
+ /**.[oO][dD][pP] r,
+ /**.[fFpP][dD][fF] r,
+ /**.[pP][nN][mM] r,
+ /**.[pP][nN][gG] r,
+ /**.[pP][sS] r,
+ /**.[eE][pP][sS] r,
+ /**.[eE][pP][sS][fFiI23] r,
+ /**.[tT][iI][fF] r,
+ /**.[tT][iI][fF][fF] r,
+ /**.[xX][pP][mM] r,
+ /**.[gG][zZ] r,
+ /**.[bB][zZ]2 r,
+ /**.[cC][bB][rRzZ7] r,
+ /**.[xX][zZ] r,
+
+ owner @{HOME}/.texlive*/** r,
+ owner @{HOME}/.texmf*/** r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
+
+ # With the network rules above, this allows data exfiltration for files
+ # not covered by private-files-strict.
+ @{HOME}/ r,
+ owner @{HOME}/[^.]** r,
+ owner /media/** r,
+
+ owner /tmp/.gnome_desktop_thumbnail* w,
+ owner /tmp/gnome-desktop-* rw,
+ owner /tmp/atril-thumbnailer*/{,**} rw,
+
+ # these happen post pivot_root
+ / r,
+ deny /missfont.log w,
+
+ # Add apparmor rule for mate's caja - LP#1798091
+ owner /tmp/.mate_desktop_thumbnail* w,
+ owner /tmp/mate-desktop-thumbnailer* w,
+
+ # Fix thumbnail issue #915024
+ owner @{HOME}/.cache/thumbnails/** rw,
+ owner /tmp/atril-thumbnailer* rw,
+
+}
diff --git a/helpers/DATA/atril/apparmor-profile.abstraction b/helpers/DATA/atril/apparmor-profile.abstraction
new file mode 100644
index 0000000..d2b8858
--- /dev/null
+++ b/helpers/DATA/atril/apparmor-profile.abstraction
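Review bot: The header comment and the dbus comment in `/usr/bin/atril` and `/usr/bin/atril-previewer` still describe evince (`# evince is not written with application confinement in mind and is designed to`, `# blacklist any problematic ones (but note, evince uses libsecret :\)`), so a reader of `usr.bin.atril` is told about another program's design; the sentences should name atril, e.g. `# atril is not written with application confinement in mind and is designed to`. In `/usr/bin/atril-thumbnailer`, `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` is added twice in a row and one copy can go. The thumbnailer's own comment (`# With the network rules above, this allows data exfiltration for files`) records that `network inet stream` together with `owner @{HOME}/[^.]** r,` is an accepted trade-off for NFS; since that profile is the one that parses untrusted files without user interaction, a short note saying whether the NFS case applies to this distribution would help the next maintainer decide whether the network rules stay. Every `#include` in this rendering shows no `<abstractions/...>` argument; if the committed file looks the same it will not parse, so loading it with `apparmor_parser` before shipping is worth doing.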
@@ -0,0 +1,127 @@
+# vim:syntax=apparmor
+#
+# abstraction used by atril binaries
+#
+
+ #include
+ #include
+ #include
+
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/[0-9]*/mountinfo r,
+ owner @{PROC}/[0-9]*/auxv r,
+ owner @{PROC}/[0-9]*/status r,
+
+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+ # Possibly move to an abstraction if anything else needs it.
+ deny /run/udev/data/** r,
+
+ # move out to the gnome abstraction if anyone else needs these
+ /etc/udev/udev.conf r,
+ /sys/devices/**/block/**/uevent r,
+
+ # apport
+ /etc/default/apport r,
+
+ # XFCE
+ /etc/xfce4/defaults.list r,
+
+ # Lubuntu
+ /etc/xdg/lubuntu/applications/defaults.list r,
+
+ # atril specific
+ /etc/ r,
+ /etc/fstab r,
+ /etc/texmf/ r,
+ /etc/texmf/** r,
+ /etc/xpdf/* r,
+ owner @{HOME}/.config/atril/ rw,
+ owner @{HOME}/.config/atril/** rwkl,
+
+ /usr/bin/gs-esp ixr,
+ /usr/bin/mktexpk Cx -> sanitized_helper,
+ /usr/bin/mktextfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfm Cx -> sanitized_helper,
+ /usr/bin/dvipdfmx Cx -> sanitized_helper,
+
+ # gio-launch-desktop was replaced by a very small shell script
+ /{usr/,}bin/{dash,bash} ixr,
+
+ # supported archivers
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+ /usr/bin/unrar* ixr,
+ /usr/bin/unzip ixr,
+ /usr/bin/7zr ixr,
+ /usr/lib/p7zip/7zr ixr,
+ /usr/bin/7za ixr,
+ /usr/lib/p7zip/7za ixr,
+ /usr/bin/zipnote ixr,
+ /{usr/,}bin/tar ixr,
+ /usr/bin/xz ixr,
+
+ # allow read access to anything in /usr/share, for plugins and input methods
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /usr/lib/ghostscript/** mr,
+ /var/lib/ghostscript/** r,
+ /var/lib/texmf/{,**} r,
+
+ # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
+ # read for all supported file formats
+ /**.[aA][iI] r,
+ /**.[bB][mM][pP] r,
+ /**.[dD][jJ][vV][uU] r,
+ /**.[dD][vV][iI] r,
+ /**.[gG][iI][fF] r,
+ /**.[jJ][pP][gG] r,
+ /**.[jJ][pP][eE][gG] r,
+ /**.[oO][dD][pP] r,
+ /**.[fFpP][dD][fF] r,
+ /**.[pP][nN][mM] r,
+ /**.[pP][nN][gG] r,
+ /**.[pP][sS] r,
+ /**.[eE][pP][sS] r,
+ /**.[eE][pP][sS][fFiI23] r,
+ /**.[tT][iI][fF] r,
+ /**.[tT][iI][fF][fF] r,
+ /**.[xX][pP][mM] r,
+ /**.[gG][zZ] r,
+ /**.[bB][zZ]2 r,
+ /**.[cC][bB][rRzZ7] r,
+ /**.[xX][zZ] r,
+
+ # Use abstractions/private-files instead of abstractions/private-files-strict
+ # and add the sensitive files manually to work around LP: #451422. The goal
+ # is to disallow access to the .mozilla folder in general, but to allow
+ # access to the Cache directory, which the browser may tell atril to open
+ # from directly.
+
+ #include
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
+ audit deny @{HOME}/.pki/{,nssdb/} w,
+ audit deny @{HOME}/.pki/nssdb/{,**} wl,
+
+ audit deny @{HOME}/.mozilla/{,**/} w,
+ audit deny @{HOME}/.mozilla/*/*/* mrwkl,
+ audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
+ audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
+
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.kde/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
+ audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,
diff --git a/helpers/DATA/atril/atril.apport b/helpers/DATA/atril/atril.apport
new file mode 100644
index 0000000..2ef92e2
--- /dev/null
+++ b/helpers/DATA/atril/atril.apport
@@ -0,0 +1,21 @@
+'''apport package hook for atril
+
+(c) 2024 Luis Guzmán
+Author:
+Luis Guzmán
+based on evince's hook
+
+'''
+
+from apport.hookutils import *
+from os import path
+import re
+
+def add_info(report):
+ attach_conffiles(report, 'atril')
+ attach_related_packages(report, ['apparmor', 'libapparmor1',
+ 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit1'])
+
+ attach_mac_events(report, ['/usr/bin/atril',
+ '/usr/bin/atril-previewer',
+ '/usr/bin/atril-thumbnailer'])
diff --git a/helpers/DATA/atril/patches/add_install_profiles_rules.patch b/helpers/DATA/atril/patches/add_install_profiles_rules.patch
new file mode 100644
index 0000000..60745dd
--- /dev/null
+++ b/helpers/DATA/atril/patches/add_install_profiles_rules.patch
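Review bot: `audit deny @{HOME}/.kde/{,share/,share/apps/} w,` is added twice in the abstraction's private-files block (once after the `.gnome2/keyrings` rule, once after the `.evolution` rule), and one copy can be dropped. The final rule `audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,` denies only directories whose first five characters differ from `Cache` position by position, so a profile subdirectory that shares any one of those characters in place is left to the weaker `private-files` rules; that behaviour is inherited from the evince abstraction, but it deserves a comment such as `# NOTE: this pattern only excludes names that differ from "Cache" at each of the first five characters` so the coverage limit is visible rather than silent.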
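Review bot: `from os import path` and `import re` in `atril.apport` are unused — `add_info` only calls `attach_conffiles`, `attach_related_packages` and `attach_mac_events` from the star import — so the two lines can be removed. `add_info` would also read better with a one-line docstring, e.g. `"""Attach atril conffiles, AppArmor package versions and MAC denial events to the report."""`, since the module docstring only says where the hook was copied from.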
@@ -0,0 +1,29 @@
+diff --git a/debian/rules b/debian/rules
+old mode 100755
+new mode 100644
+index 8a7ff87..655c574
+--- a/debian/rules
++++ b/debian/rules
+@@ -52,3 +52,9 @@ override_dh_auto_configure:
+
+ get-orig-source:
+ uscan --noconf --force-download --rename --download-current-version --destdir=..
++
++execute_after_dh_install:
++ install -m 0644 -D debian/apparmor-profile debian/atril/etc/apparmor.d/usr.bin.atril
++ install -m 0644 -D debian/apparmor-profile.abstraction debian/atril/etc/apparmor.d/abstractions/atril
++ install -m 0644 -D debian/atril.apport debian/atril/usr/share/apport/package-hooks/source_atril.py
++ dh_apparmor --profile-name=usr.bin.atril -patril
+
+diff --git a/debian/control b/debian/control
+index f5bda53..6d72cc9 100644
+--- a/debian/control
++++ b/debian/control
+@@ -9,6 +9,7 @@ Uploaders: Mike Gabriel ,
+ Vangelis Mouhtsis ,
+ Martin Wimpress ,
+ Build-Depends: debhelper-compat (= 13),
++ dh-apparmor,
+ dpkg-dev (>= 1.16.1.1),
+ gobject-introspection,
+ intltool,
diff --git a/helpers/make-atril b/helpers/make-atril
new file mode 100644
index 0000000..72dc82f
--- /dev/null
+++ b/helpers/make-atril
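Review bot: The embedded diff carries `old mode 100755` / `new mode 100644` for `debian/rules`, which drops the executable bit from a file that must stay executable for the package build to run it; whether `patch_p1` honours git mode lines cannot be told from here, but the mode change looks accidental and the patch should be regenerated from a tree where `debian/rules` keeps mode 0755. The `execute_after_dh_install` target installs the profile, the abstraction and the apport hook with `-m 0644` and registers the profile with `dh_apparmor --profile-name=usr.bin.atril -patril`, which is consistent with the `dh-apparmor` build-dependency added to `debian/control` and with the existing `debhelper-compat (= 13)`; a one-line comment above the target saying that the three `debian/` source files are copied in by `helpers/make-atril` would tell a reader of `debian/rules` where they come from.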
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# Copyright (C) 2024 Luis Guzmán
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+
+VERSION=0
+
+. ./config
+
+# Copy profiles
+cp $DATA/apparmor-profile debian/
+cp $DATA/apparmor-profile.abstraction debian/
+cp $DATA/atril.apport debian/
+
+# Tweak debian/rules to install apparmor profiles for atril
+patch_p1 $DATA/patches/add_install_profiles_rules.patch
+
+changelog "Test Atril apparmor profile #190"
+
+package
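Review bot: The three `cp $DATA/... debian/` lines leave `$DATA` unquoted and never check their exit status, so a failed copy would still fall through to `patch_p1` and `package`, and the build would only fail later when `execute_after_dh_install` looks for a missing `debian/apparmor-profile`; whether `. ./config` turns on `set -e` for helpers cannot be told from here, so making the check explicit is safer: `cp "$DATA"/apparmor-profile "$DATA"/apparmor-profile.abstraction "$DATA"/atril.apport debian/ || exit 1`. The file is created with mode `100644`; if the framework executes helpers directly rather than sourcing them it needs the execute bit, which the existing `helpers/make-*` scripts would show. `changelog "Test Atril apparmor profile #190"` reads like a placeholder; if it becomes the shipped changelog entry, wording such as `"Add AppArmor profile for atril (#190)"` describes the change.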