Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2019-09-30 15:50:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.2352 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript"
Mon Sep 30 15:50:54 2019 rev:43 rq:732862 version:9.27
Changes:
--------
--- /work/SRC/openSUSE:Factory/ghostscript/ghostscript.changes 2019-09-20 14:48:23.966939903 +0200
+++ /work/SRC/openSUSE:Factory/.ghostscript.new.2352/ghostscript.changes 2019-09-30 15:50:56.934565898 +0200
@@ -1,0 +2,6 @@
+Mon Sep 23 08:24:49 UTC 2019 - Johannes Segitz <jseg...@suse.de>
+
+- Made ghostscript profile enforcing and limit it to the ghostscript
+ binaries (bsc#1150338)
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
ghostscript.spec: same change
++++++ apparmor_ghostscript ++++++
--- /var/tmp/diff_new_pack.TAW5mB/_old 2019-09-30 15:50:58.262562364 +0200
+++ /var/tmp/diff_new_pack.TAW5mB/_new 2019-09-30 15:50:58.266562354 +0200
@@ -3,9 +3,7 @@
 # this profile is mainly intended to prevent easy exploitation of
 # issues in ghostscript. This is mainly intended as a hardening
 # measure and doesn't alleviate the need for regular updates.
-# Currently this profile is in complain mode since it caused regressions
-# for tumbleweed users
-profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} flags=(complain) {
+profile ghostscript /usr/bin/{gs,gs.bin} {
 #include <abstractions/base>
 #include <abstractions/consoles>
 #include <abstractions/nameservice>
@@ -13,7 +11,8 @@
 # needed to read gc/write pdfs/eps/.. everywhere
 /** wr,
- /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} mrix,
+ # have these spelled out in case we can narrow the line above down sometime
+ /usr/bin/{gs,gs.bin} mrix,
 /usr/bin/dvips mrix,
 /usr/lib64/ghostscript/** m,
 /usr/lib64/libgs.so.* m,
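Review bot: Dropping `flags=(complain)` on the new `profile ghostscript /usr/bin/{gs,gs.bin} {` line makes the rule set the real boundary, yet the `/** wr,` rule kept in the following hunk still lets a compromised gs write any file DAC permits, so the enforced profile does little against the usual payload of dropping into the invoking user's shell startup files or SSH keys. I would put explicit deny rules ahead of it — deny rules take precedence over allow rules regardless of order — for example `deny @{HOME}/.ssh/** w,`, `deny @{HOME}/.bash* w,` and `deny @{HOME}/.config/autostart/** w,` (these need `tunables/global`, which would be included above this hunk if at all). `#include <abstractions/nameservice>` is also broader than a PostScript interpreter should need: on upstream AppArmor that abstraction grants inet/inet6 stream and dgram network access for NSS back ends, so if it is only there for user/group lookups a comment saying why, or a narrower rule, would help. The profile's closing brace is outside this hunk.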
@@ -34,28 +33,4 @@
 /usr/share/snmp/mibs/*.txt r,
 owner /var/spool/cups/tmp/gs_?????? rw,
 }
-
- /usr/bin/basename Cx,
- profile /usr/bin/basename {
- #include <abstractions/base>
-
- /usr/bin/basename mr,
- }
-
- /usr/bin/dirname Cx,
- profile /usr/bin/dirname {
- #include <abstractions/base>
- /usr/bin/dirname mr,
- }
-
- # for gsbj
- /usr/bin/date mrix,
- # for ps2epsi
- /usr/bin/{gawk,cat,ls,sed,which} mrix,
- /usr/bin/{mktemp,rm} Cx -> tempdir,
- profile tempdir {
- #include <abstractions/base>
- /usr/bin/{mktemp,rm} mr,
- owner /tmp/ps2epsi.* rw,
- }
 }