Your message dated Sun, 29 Sep 2019 20:41:30 +0000 with message-id <[email protected]> and subject line Bug#930707: fixed in evince 3.34.0-1 has caused the Debian Bug report #930707, regarding evince: misc apparmor profile updates to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
930707: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930707
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: evince
Version: 3.32.0-1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu eoan ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/apparmor-profile:
    - allow 'rk' on @{HOME}/.config/enchant/* in evince
    - add additional org.gtk.vfs rules for metadata and List* DBus APIs
    - silence noisy denial for mktexpk, mktextfm, dvipdfm, dvipdfmx and mkofm
      since with the new gnome-desktop3 invocations of thumbnailers, NNP (no
      new privs) blocks transition to sanitized_helper. In addition,
      thumbnails are generated just fine without these
    - allow access to @{PROC}/@{pid}/fd/, @{PROC}/@{pid}/mountinfo and
      /sys/devices/system/cpu/ in the thumbnailer (needed by some helpers)
    - allow 'r' on @{HOME}/.texmf*/** in the thumbnailer
    - update gnome-desktop and add evince-thumbnailer /tmp file paths
    - allow read on '/' and deny write on /missfont.log which is happening
      now due to new thumbnailer invocation
  * debian/apparmor-profile.abstraction: allow directory read on
    /var/lib/texmf

Thanks for considering the patch.

-- System Information:
Debian Release: buster/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'disco-updates'), (500, 'disco-security'), (500, 'disco')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-16-generic (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru evince-3.32.0/debian/apparmor-profile evince-3.32.0/debian/apparmor-profile
--- evince-3.32.0/debian/apparmor-profile 2019-03-15 05:11:25.000000000 -0500
+++ evince-3.32.0/debian/apparmor-profile 2019-06-18 16:57:04.000000000 -0500
@@ -107,6 +107,7 @@ /etc/dconf/** r, owner @{HOME}/.cache/dconf/user rw, owner @{HOME}/.config/dconf/user r, + owner @{HOME}/.config/enchant/* rk, owner /{,var/}run/user/*/dconf/ w, owner /{,var/}run/user/*/dconf/user rw, owner /{,var/}run/user/*/dconf-service/keyfile/ w, @@ -219,6 +220,21 @@ member="ListMountableInfo" peer=(label=unconfined), + # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it + deny dbus (send) + bus=session + path="/org/gtk/vfs/metadata" + interface="org.gtk.vfs.Metadata" + member="GetTreeFromDevice" + peer=(label=unconfined), + deny @{HOME}/.local/share/gvfs-metadata/* r, + + dbus (send) + bus=session + path="/org/gtk/vfs/Daemon" + interface="org.gtk.vfs.Daemon" + member="List*" + peer=(label=unconfined), # The thumbnailer doesn't need access to everything in the nameservice # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress @@ -242,10 +258,14 @@ /etc/xpdf/* r, /usr/bin/gs-esp ixr, - /usr/bin/mktexpk Cx -> sanitized_helper, - /usr/bin/mktextfm Cx -> sanitized_helper, - /usr/bin/dvipdfm Cx -> sanitized_helper, - /usr/bin/dvipdfmx Cx -> sanitized_helper, + # Silence these denials since 'no new privs' drops transitions to + # sanitized_helper, we don't want all those perms in the thumbnailer + # and the thumbnailer generates thumbnails without these just fine. + deny /usr/bin/mktexpk x, + deny /usr/bin/mktextfm x, + deny /usr/bin/dvipdfm x, + deny /usr/bin/dvipdfmx x, + deny /usr/bin/mkofm x, # supported archivers /{usr/,}bin/gzip ixr, @@ -260,6 +280,11 @@ /{usr/,}bin/tar ixr, /usr/bin/xz ixr, + # miscellaneous access for the above + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + /sys/devices/system/cpu/ r, + # allow read access to anything in /usr/share, for plugins and input methods /usr/local/share/** r, /usr/share/** r, 
@@ -291,6 +316,7 @@ /**.[xX][zZ] r, owner @{HOME}/.texlive*/** r, + owner @{HOME}/.texmf*/** r, owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r, owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r, @@ -301,7 +327,12 @@ owner /media/** r, owner /tmp/.gnome_desktop_thumbnail* w, - owner /tmp/gnome-desktop-thumbnailer* w, + owner /tmp/gnome-desktop-* rw, + owner /tmp/evince-thumbnailer*/{,**} rw, + + # these happen post pivot_root + / r, + deny /missfont.log w, # Site-specific additions and overrides. See local/README for details. #include <local/usr.bin.evince> diff -Nru evince-3.32.0/debian/apparmor-profile.abstraction evince-3.32.0/debian/apparmor-profile.abstraction --- evince-3.32.0/debian/apparmor-profile.abstraction 2019-03-15 05:11:25.000000000 -0500 +++ evince-3.32.0/debian/apparmor-profile.abstraction 2019-06-18 16:55:48.000000000 -0500 @@ -62,7 +62,7 @@ /usr/share/** r, /usr/lib/ghostscript/** mr, /var/lib/ghostscript/** r, - /var/lib/texmf/** r, + /var/lib/texmf/{,**} r, # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow # read for all supported file formats
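Review bot: in the @@ -107,6 +107,7 @@ hunk of debian/apparmor-profile, `owner @{HOME}/.config/enchant/* rk,` grants read and lock but no write, so any attempt by the spell checker to add a word to a personal dictionary under that directory will still be denied and logged. That is fine if read-only is the intent, but the rule has no comment saying why the lock permission is needed; a one-line comment (as the other new rules in this patch carry) would help the next person who sees a denial there.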
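Review bot: in the @@ -219,6 +220,21 @@ hunk, the new send rule uses `member="List*"` on org.gtk.vfs.Daemon, a wildcard that admits every current and future List-prefixed method on that interface, whereas the existing rule immediately above names `ListMountableInfo` explicitly and the new deny block gets its own explanatory comment. Consider naming the members the thumbnailer was actually observed calling, or at least adding a comment listing them, so the wildcard can be tightened later. Note also that the `deny` rules here double as log silencers: an AppArmor `deny` suppresses the audit message, which matches the "noisy denial" goal of the bug but means the GetTreeFromDevice and gvfs-metadata accesses will no longer be visible in the log at all.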
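Review bot: in the @@ -242,10 +258,14 @@ hunk, replacing the four `Cx -> sanitized_helper` transitions with `deny ... x` rules mutes the audit log for those execs, so if a DVI or TeX document later does need mktexpk or mktextfm to produce a thumbnail, the failure will not show up as a denial anywhere. The comment should say that explicitly, and it should also note that `mkofm` had no prior rule at all (the other four are replacements, this one is new), so a reader comparing old and new profiles knows it was added deliberately rather than as a leftover.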
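Review bot: in the @@ -260,6 +280,11 @@ hunk, `/sys/devices/system/cpu/ r,` grants read of the directory entry only; a helper that reads a file below it (for example /sys/devices/system/cpu/online) would still be denied, so if that is what "some helpers" need, the rule probably wants `/sys/devices/system/cpu/{,**} r,` or the specific file. The comment `# miscellaneous access for the above` is also too vague to maintain: naming which of the archivers listed above needs `@{PROC}/@{pid}/fd/` and which needs `@{PROC}/@{pid}/mountinfo` would let a future reviewer drop a rule when that helper goes away.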
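Review bot: in the @@ -291,6 +316,7 @@ hunk the context lines show `owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,` twice in a row. That duplicate predates this patch, but since the hunk already touches this block, dropping the second copy in the same pass would be cheap.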
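Review bot: in the @@ -301,7 +327,12 @@ hunk, `owner /tmp/gnome-desktop-* rw,` both widens the old `/tmp/gnome-desktop-thumbnailer*` prefix and adds read, so the thumbnailer may now read and write any user-owned /tmp entry whose name starts with `gnome-desktop-`; if the new gnome-desktop3 code creates only one naming pattern, using that pattern keeps the rule as tight as the one it replaces. The comment `# these happen post pivot_root` would also help more if it said which component performs the pivot_root (the sandboxed thumbnailer invocation described in the bug), because `/ r,` in a profile reads as a broad grant until the reader knows it refers to the sandbox root rather than the host's.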
--- End Message ---
--- Begin Message ---
Source: evince
Source-Version: 3.34.0-1

We believe that the bug you reported is fixed in the latest version of
evince, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bicha <[email protected]> (supplier of updated evince package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Sep 2019 15:59:58 -0400
Source: evince
Architecture: source
Version: 3.34.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bicha <[email protected]>
Closes: 927820 930707
Changes:
 evince (3.34.0-1) unstable; urgency=medium
 .
   * New upstream release
   * Bump minimum libglib2.0-dev to 2.38.0
   * Drop tiff-Handle-failure patch: Applied in new release
 .
 evince (3.32.0-3) unstable; urgency=medium
 .
   * Team upload
   * d/tests/libevince-dev: Add a superficial build test
   * Use debhelper-compat 12
   * Enable gir and gnome debhelper addons via dh-sequence-* build-dependencies
   * d/*.symbols: Add Build-Depends-Package field
   * Standards-Version: 4.4.0 (no changes required)
   * Set Rules-Requires-Root to no
   * Update AppArmor profiles from Ubuntu (thanks to Jamie Strandboge):
     + debian/apparmor-profile:
       - allow 'rk' on @{HOME}/.config/enchant/* in evince
       - add additional org.gtk.vfs rules for metadata and List* DBus APIs
       - silence noisy denial for mktexpk, mktextfm, dvipdfm, dvipdfmx and
         mkofm since with the new gnome-desktop3 sandboxed invocation of
         NO_NEW_PRIVS blocks transition to sanitized_helper. In addition,
         thumbnails are generated just fine without these
       - allow access to @{PROC}/@{pid}/fd/, @{PROC}/@{pid}/mountinfo and
         /sys/devices/system/cpu/ in the thumbnailer (needed by some helpers)
       - allow 'r' on @{HOME}/.texmf*/** in the thumbnailer
       - update gnome-desktop and add evince-thumbnailer /tmp file paths
       - allow read on '/' and deny write on /missfont.log which is happening
         now due to new sandboxed thumbnailer invocation
     + debian/apparmor-profile.abstraction: allow directory read on
       /var/lib/texmf
     (Closes: #930707)
   * d/p/tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch:
     Add patch from upstream to avoid displaying uninitialized memory if
     TIFFREADGBAImageOriented fails. Thanks to Leonidas S. Barbosa / Ubuntu.
     (Closes: #927820, CVE-2019-11459)
   * Remove migration path from legacy -dbg package older than Debian 9
Checksums-Sha1:
 90ec55bb3eb7d5ce40f6254f85b84ac92c588186 3156 evince_3.34.0-1.dsc
 0023e0caa9f3126c3610a0829fb2e217de200c01 2553912 evince_3.34.0.orig.tar.xz
 c6670313cd1bdb573f60d122e6d2d48b556f55ee 31264 evince_3.34.0-1.debian.tar.xz
 9eb14f6d18271668749b8c8db14036e9fd425f60 20951 evince_3.34.0-1_source.buildinfo
Checksums-Sha256:
 4b981b10c576125b80b1d2214500a55b770690900f5a2798cf69343158edf6e8 3156 evince_3.34.0-1.dsc
 3297d16d2d1426f72ea090749ba72424d08eb133fbe4101e52a0b84999ad2a51 2553912 evince_3.34.0.orig.tar.xz
 beedb5e6a4e7f2a5984084aa546e1be80495c51295b04577130818604d3146b1 31264 evince_3.34.0-1.debian.tar.xz
 36e5473645275611abc8756a838690a2f60e8a64834c763bcba3c690f86cfea6 20951 evince_3.34.0-1_source.buildinfo
Files:
 3184a304608c5133e5f019f52ad5f5e1 3156 gnome optional evince_3.34.0-1.dsc
 2661be79fce1f64eb917f3304085a2e4 2553912 gnome optional evince_3.34.0.orig.tar.xz
 459d81277cb1c5e5ee539c8f625f2427 31264 gnome optional evince_3.34.0-1.debian.tar.xz
 8a3f33eb44dcccf8a71f66360d4a4529 20951 gnome optional evince_3.34.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETQvhLw5HdtiqzpaW5mx3Wuv+bH0FAl2RDh0ACgkQ5mx3Wuv+
bH2i9hAAkAYPYuB5zMx4a0Uu/7SMvZNaHcPv8Z7g5KcwLQ2FkPlxc14Ma3xojo90
GdD7WbELXG461rkC8zHuwH28dtA6lXHz4jB68KS8ubwbodSDu06F3bll+yNjY6GL
8RDEkkQC05cB9IoUtgNM7ZByTL1cBr2Bqsicp6sMD8vmqMVhEwO/YDWl1Hi5OIS+
apUSoj3mE0cyUytI16lG2lKaXQsiRKRGM/xx9CoxXUeJd2m7MWQTyTPZAQeAqXl8
IoiIDJf0XJM5nHYmtucr1reJ1mHPaA18j57SwdZ3RpgMfUHdWMk4SzF+OPKjaM7S
HZ631/832MVXX5XolE8VDO57ZZuuk3n5bhuXtQoW1Hd+4/DhG/URIng1rK/UyI5Y
5J1j8VJE4jiNwSSMyO0GFj4yqSYSdkvk3K/ePkcD0Aoj4PnfD5pcQO+8TVenePgf
ONeamBbBJfuLInMmo0iFHmr0jhYa/arm3KMG7o0QGl3J5QYNAVHG202FK952N+tr
YKpcPtu6FryDjp7ZQ1Mozpxv+eWzT5xoSOZODCTzErLmQA6lqG0rms0OX1bpWzvG
g9cJ99m/De2Ek33SqbT8yzC4sClfTCOZPkB18btZjz/QmQV2A1NW7BCAKyH2ESD2
7WkKKmshawNRjSt9f7ljl0AKkDnjxOYLCf1rUY+aWKU5woPHelo=
=9Ft+
-----END PGP SIGNATURE-----
--- End Message ---

