CMXSL.org/package-helpers-cmxsl
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

atril: add custom apparmor profile for atril

Browse source
This commit is contained in:
Luis Guzmán 2024-12-06 15:40:29 +00:00
parent dc5da8840f
commit c3ad925bce
5 changed files with 561 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

350
helpers/DATA/atril/apparmor-profile Normal file
View file

@ -0,0 +1,350 @@
# vim:syntax=apparmor
# evince is not written with application confinement in mind and is designed to
# operate within a trusted desktop session where anything running within the
# user's session is trusted. That said, evince will often process untrusted
# input (PDFs, images, etc). Ideally evince would be written in such a way that
# image processing is separate from the main process and that processing
# happens in a restrictive sandbox, but unfortunately that is not currently the
# case. Because evince will process untrusted input, this profile aims to
# provide some hardening, but considering evince's design and other factors such
# as X, gsettings, accessibility, translations, DBus session and system
# services, etc, complete confinement is not possible.
#include <tunables/global>
/usr/bin/atril {
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus-accessibility>
#include <abstractions/atril>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
#include <abstractions/ubuntu-email>
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>
# allow atril to spawn browsers distributed as snaps (LP: #1794064)
#include <abstractions/snap_browsers>
# For now, let atril talk to any session services over dbus. We can
# blacklist any problematic ones (but note, evince uses libsecret :\)
#include <abstractions/dbus-session>
#include <abstractions/dbus-strict>
dbus (receive) bus=system,
# Allow getting information from various system services
dbus (send)
bus=system
member="Get*"
peer=(label=unconfined),
# Allow talking to avahi with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.Avahi{,.*}",
# Allow talking to colord with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.ColorManager{,.*}",
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only atril is allowed to do
#include <abstractions/ubuntu-gnome-terminal>
# By default, we won't support launching a terminal program in Xterm or
# KDE's konsole. It opens up too many unnecessary files for most users.
# People who need this functionality can uncomment the following:
##include <abstractions/ubuntu-xterm>
##include <abstractions/ubuntu-konsole>
/usr/bin/atril rmPx,
/usr/bin/atril-previewer Px,
/usr/bin/yelp Cx -> sanitized_helper,
/usr/bin/bug-buddy px,
# 'Show Containing Folder' (LP: #1022962)
/usr/bin/nautilus Cx -> sanitized_helper, # Gnome
/usr/bin/pcmanfm Cx -> sanitized_helper, # LXDE
/usr/bin/krusader Cx -> sanitized_helper, # KDE
/usr/bin/thunar Cx -> sanitized_helper, # XFCE
# Print Dialog
/usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
# For text attachments
/usr/bin/gedit ixr,
# For Send to
/usr/bin/nautilus-sendto Cx -> sanitized_helper,
# GLib desktop launch helper (used under the hood by g_app_info_launch)
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
/usr/bin/env ixr,
# allow directory listings (ie 'r' on directories) so browsing via the file
# dialog works
/ r,
/**/ r,
# This is need for saving files in your home directory without an extension.
# Changing this to '@{HOME}/** r' makes it require an extension and more
# secure (but with 'rw', we still have abstractions/private-files-strict in
# effect).
owner @{HOME}/** rw,
owner /media/** rw,
owner @{HOME}/.local/share/gvfs-metadata/** l,
owner /{,var/}run/user/*/gvfs-metadata/** l,
# Maybe add to an abstraction?
/etc/dconf/** r,
owner @{HOME}/.cache/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
owner @{HOME}/.config/enchant/* rk,
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
owner /{,var/}run/user/*/dconf-service/keyfile/ w,
owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
owner /{,var/}run/user/*/at-spi2-*/ rw,
owner /{,var/}run/user/*/at-spi2-*/** rw,
# Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
# https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
owner /{,var/}run/user/*/at-spi/bus* rw,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read and write for all supported file formats
/**.[aA][iI] rw,
/**.[bB][mM][pP] rw,
/**.[dD][jJ][vV][uU] rw,
/**.[dD][vV][iI] rw,
/**.[gG][iI][fF] rw,
/**.[jJ][pP][gG] rw,
/**.[jJ][pP][eE][gG] rw,
/**.[oO][dD][pP] rw,
/**.[fFpP][dD][fF] rw,
/**.[pP][nN][mM] rw,
/**.[pP][nN][gG] rw,
/**.[pP][sS] rw,
/**.[eE][pP][sS] rw,
/**.[tT][iI][fF] rw,
/**.[tT][iI][fF][fF] rw,
/**.[xX][pP][mM] rw,
/**.[gG][zZ] rw,
/**.[bB][zZ]2 rw,
/**.[cC][bB][rRzZ7] rw,
/**.[xX][zZ] rw,
# atril creates a temporary stream file like '.goutputstream-XXXXXX' in the
# directory a file is saved. This allows that behavior.
owner /**/.goutputstream-* w,
# allow atril to spawn browsers distributed as snaps (LP: #1794064)
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
}
/usr/bin/atril-previewer {
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus-accessibility>
#include <abstractions/atril>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
#include <abstractions/ubuntu-email>
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>
# For now, let atril talk to any session services over dbus. We can
# blacklist any problematic ones (but note, evince uses libsecret :\)
#include <abstractions/dbus-session>
#include <abstractions/dbus-strict>
dbus (receive) bus=system,
# Allow getting information from various system services
dbus (send)
bus=system
member="Get*"
peer=(label=unconfined),
# Allow talking to avahi with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.Avahi{,.*}",
# Allow talking to colord with whatever polkit allows
dbus (send)
bus=system
interface="org.freedesktop.ColorManager{,.*}",
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only atril is allowed to do
#include <abstractions/ubuntu-gnome-terminal>
# By default, we won't support launching a terminal program in Xterm or
# KDE's konsole. It opens up too many unnecessary files for most users.
# People who need this functionality can uncomment the following:
##include <abstractions/ubuntu-xterm>
/usr/bin/atril-previewer mr,
/usr/bin/yelp Cx -> sanitized_helper,
/usr/bin/bug-buddy px,
# Lenient, but remember we still have abstractions/private-files-strict in
# effect). Write is needed for 'print to file' from the previewer.
@{HOME}/ r,
@{HOME}/** rw,
# Maybe add to an abstraction?
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
}
/usr/bin/atril-thumbnailer {
#include <abstractions/base>
#include <abstractions/private-files-strict>
#include <abstractions/fonts>
deny @{HOME}/.{,cache/}fontconfig/** wl,
deny @{HOME}/missfont.log wl,
#include <abstractions/dbus-session-strict>
dbus (receive) bus=session,
dbus (send)
bus=session
path="/org/gtk/vfs/mounttracker"
interface="org.gtk.vfs.MountTracker"
member="ListMountableInfo"
peer=(label=unconfined),
# updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
deny dbus (send)
bus=session
path="/org/gtk/vfs/metadata"
interface="org.gtk.vfs.Metadata"
member="GetTreeFromDevice"
peer=(label=unconfined),
deny @{HOME}/.local/share/gvfs-metadata/* r,
dbus (send)
bus=session
path="/org/gtk/vfs/Daemon"
interface="org.gtk.vfs.Daemon"
member="List*"
peer=(label=unconfined),
# The thumbnailer doesn't need access to everything in the nameservice
# abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
# logging denial of nsswitch.conf.
/etc/passwd r,
/etc/group r,
deny /etc/nsswitch.conf r,
# TCP/UDP network access for NFS
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
/etc/papersize r,
/usr/bin/atril-thumbnailer mr,
/etc/texmf/ r,
/etc/texmf/** r,
/etc/xpdf/* r,
/usr/bin/gs-esp ixr,
# Silence these denials since 'no new privs' drops transitions to
# sanitized_helper, we don't want all those perms in the thumbnailer
# and the thumbnailer generates thumbnails without these just fine.
deny /usr/bin/mktexpk x,
deny /usr/bin/mktextfm x,
deny /usr/bin/dvipdfm x,
deny /usr/bin/dvipdfmx x,
deny /usr/bin/mkofm x,
# supported archivers
/{usr/,}bin/gzip ixr,
/{usr/,}bin/bzip2 ixr,
/usr/bin/unrar* ixr,
/usr/bin/unzip ixr,
/usr/bin/7zr ixr,
/usr/lib/p7zip/7zr ixr,
/usr/bin/7za ixr,
/usr/lib/p7zip/7za ixr,
/usr/bin/zipnote ixr,
/{usr/,}bin/tar ixr,
/usr/bin/xz ixr,
# miscellaneous access for the above
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
/sys/devices/system/cpu/ r,
# allow read access to anything in /usr/share, for plugins and input methods
/usr/local/share/** r,
/usr/share/** r,
/usr/lib/ghostscript/** mr,
/var/lib/ghostscript/** r,
/var/lib/texmf/** r,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read for all supported file formats
/**.[bB][mM][pP] r,
/**.[dD][jJ][vV][uU] r,
/**.[dD][vV][iI] r,
/**.[gG][iI][fF] r,
/**.[jJ][pP][gG] r,
/**.[jJ][pP][eE][gG] r,
/**.[oO][dD][pP] r,
/**.[fFpP][dD][fF] r,
/**.[pP][nN][mM] r,
/**.[pP][nN][gG] r,
/**.[pP][sS] r,
/**.[eE][pP][sS] r,
/**.[eE][pP][sS][fFiI23] r,
/**.[tT][iI][fF] r,
/**.[tT][iI][fF][fF] r,
/**.[xX][pP][mM] r,
/**.[gG][zZ] r,
/**.[bB][zZ]2 r,
/**.[cC][bB][rRzZ7] r,
/**.[xX][zZ] r,
owner @{HOME}/.texlive*/** r,
owner @{HOME}/.texmf*/** r,
owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
# With the network rules above, this allows data exfiltration for files
# not covered by private-files-strict.
@{HOME}/ r,
owner @{HOME}/[^.]** r,
owner /media/** r,
owner /tmp/.gnome_desktop_thumbnail* w,
owner /tmp/gnome-desktop-* rw,
owner /tmp/atril-thumbnailer*/{,**} rw,
# these happen post pivot_root
/ r,
deny /missfont.log w,
# Add apparmor rule for mate's caja - LP#1798091
owner /tmp/.mate_desktop_thumbnail* w,
owner /tmp/mate-desktop-thumbnailer* w,
# Fix thumbnail issue #915024
owner @{HOME}/.cache/thumbnails/** rw,
owner /tmp/atril-thumbnailer* rw,
}

127
helpers/DATA/atril/apparmor-profile.abstraction Normal file
View file

@ -0,0 +1,127 @@
# vim:syntax=apparmor
#
# abstraction used by atril binaries
#
#include <abstractions/gnome>
#include <abstractions/p11-kit>
#include <abstractions/ubuntu-helpers>
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# move out to the gnome abstraction if anyone else needs these
/etc/udev/udev.conf r,
/sys/devices/**/block/**/uevent r,
# apport
/etc/default/apport r,
# XFCE
/etc/xfce4/defaults.list r,
# Lubuntu
/etc/xdg/lubuntu/applications/defaults.list r,
# atril specific
/etc/ r,
/etc/fstab r,
/etc/texmf/ r,
/etc/texmf/** r,
/etc/xpdf/* r,
owner @{HOME}/.config/atril/ rw,
owner @{HOME}/.config/atril/** rwkl,
/usr/bin/gs-esp ixr,
/usr/bin/mktexpk Cx -> sanitized_helper,
/usr/bin/mktextfm Cx -> sanitized_helper,
/usr/bin/dvipdfm Cx -> sanitized_helper,
/usr/bin/dvipdfmx Cx -> sanitized_helper,
# gio-launch-desktop was replaced by a very small shell script
/{usr/,}bin/{dash,bash} ixr,
# supported archivers
/{usr/,}bin/gzip ixr,
/{usr/,}bin/bzip2 ixr,
/usr/bin/unrar* ixr,
/usr/bin/unzip ixr,
/usr/bin/7zr ixr,
/usr/lib/p7zip/7zr ixr,
/usr/bin/7za ixr,
/usr/lib/p7zip/7za ixr,
/usr/bin/zipnote ixr,
/{usr/,}bin/tar ixr,
/usr/bin/xz ixr,
# allow read access to anything in /usr/share, for plugins and input methods
/usr/local/share/** r,
/usr/share/** r,
/usr/lib/ghostscript/** mr,
/var/lib/ghostscript/** r,
/var/lib/texmf/{,**} r,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read for all supported file formats
/**.[aA][iI] r,
/**.[bB][mM][pP] r,
/**.[dD][jJ][vV][uU] r,
/**.[dD][vV][iI] r,
/**.[gG][iI][fF] r,
/**.[jJ][pP][gG] r,
/**.[jJ][pP][eE][gG] r,
/**.[oO][dD][pP] r,
/**.[fFpP][dD][fF] r,
/**.[pP][nN][mM] r,
/**.[pP][nN][gG] r,
/**.[pP][sS] r,
/**.[eE][pP][sS] r,
/**.[eE][pP][sS][fFiI23] r,
/**.[tT][iI][fF] r,
/**.[tT][iI][fF][fF] r,
/**.[xX][pP][mM] r,
/**.[gG][zZ] r,
/**.[bB][zZ]2 r,
/**.[cC][bB][rRzZ7] r,
/**.[xX][zZ] r,
# Use abstractions/private-files instead of abstractions/private-files-strict
# and add the sensitive files manually to work around LP: #451422. The goal
# is to disallow access to the .mozilla folder in general, but to allow
# access to the Cache directory, which the browser may tell atril to open
# from directly.
#include <abstractions/private-files>
audit deny @{HOME}/.gnupg/{,**} mrwkl,
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
audit deny @{HOME}/.kde/{,share/,share/apps/} w,
audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
audit deny @{HOME}/.pki/{,nssdb/} w,
audit deny @{HOME}/.pki/nssdb/{,**} wl,
audit deny @{HOME}/.mozilla/{,**/} w,
audit deny @{HOME}/.mozilla/*/*/* mrwkl,
audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
audit deny @{HOME}/.config/evolution/{,**} mrwkl,
audit deny @{HOME}/.evolution/{,**} mrwkl,
audit deny @{HOME}/.kde/{,share/,share/apps/} w,
audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,

21
helpers/DATA/atril/atril.apport Normal file
View file

@ -0,0 +1,21 @@
'''apport package hook for atril
(c) 2024 Luis Guzmán
Author:
Luis Guzmán <ark@switnet.org>
based on evince's hook
'''
from apport.hookutils import *
from os import path
import re
def add_info(report):
attach_conffiles(report, 'atril')
attach_related_packages(report, ['apparmor', 'libapparmor1',
'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit1'])
attach_mac_events(report, ['/usr/bin/atril',
'/usr/bin/atril-previewer',
'/usr/bin/atril-thumbnailer'])

29
helpers/DATA/atril/patches/add_install_profiles_rules.patch Normal file
View file

@ -0,0 +1,29 @@
diff --git a/debian/rules b/debian/rules
old mode 100755
new mode 100644
index 8a7ff87..655c574
--- a/debian/rules
+++ b/debian/rules
@@ -52,3 +52,9 @@ override_dh_auto_configure:
get-orig-source:
uscan --noconf --force-download --rename --download-current-version --destdir=..
+
+execute_after_dh_install:
+ install -m 0644 -D debian/apparmor-profile debian/atril/etc/apparmor.d/usr.bin.atril
+ install -m 0644 -D debian/apparmor-profile.abstraction debian/atril/etc/apparmor.d/abstractions/atril
+ install -m 0644 -D debian/atril.apport debian/atril/usr/share/apport/package-hooks/source_atril.py
+ dh_apparmor --profile-name=usr.bin.atril -patril
diff --git a/debian/control b/debian/control
index f5bda53..6d72cc9 100644
--- a/debian/control
+++ b/debian/control
@@ -9,6 +9,7 @@ Uploaders: Mike Gabriel <sunweaver@debian.org>,
Vangelis Mouhtsis <vangelis@gnugr.org>,
Martin Wimpress <code@flexion.org>,
Build-Depends: debhelper-compat (= 13),
+ dh-apparmor,
dpkg-dev (>= 1.16.1.1),
gobject-introspection,
intltool,

34
helpers/make-atril Normal file
View file

@ -0,0 +1,34 @@
#!/bin/sh
#
# Copyright (C) 2024 Luis Guzmán <ark@switnet.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
VERSION=0
. ./config
# Copy profiles
cp $DATA/apparmor-profile debian/
cp $DATA/apparmor-profile.abstraction debian/
cp $DATA/atril.apport debian/
# Tweak debian/rules to install apparmor profiles for atril
patch_p1 $DATA/patches/add_install_profiles_rules.patch
changelog "Test Atril apparmor profile #190"
package