Re: [apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-12-04 Thread Seth Arnold
On Sat, Dec 02, 2017 at 03:40:52PM +, daniel curtis wrote:
> Thank You for an answer and sorry for my naive, stupid questions and other
> things.

Hello Daniel, please don't think your questions are naive or stupid! You
just have the luxury of not seeing evince bugs over many years. :)

> [1] http://www.morbo.org/2017/11/linux-sandboxing-improvements-in.html

This is good news indeed, thanks for sharing the link.



-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


[apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-12-02 Thread daniel curtis
Hello Seth

Thank You for an answer and sorry for my naive, stupid questions and other
things.

>> Strictly speaking, even if you remove the ~/** rw, kinds of
>> rules from firefox's profile, you'll still be able to download to
>> any writable location in the profile. Doing any different would
>> require modifications to Firefox.

OK, I understand. Fortunately, with Firefox v57 there are a number of
technological improvements. For example: "Notably, it is no longer possible
to read private information in the home directory or the Firefox user
profile, even if Firefox were to be compromised" and so on.

I'm especially thinking about the "security.sandbox.content.level" knob. Now
the default value is "3", which "adds blocking of (most) reading from the
filesystem". (For more information, please see [1].)

Referring to all these Firefox "sandboxing improvements" on Linux, I think
that making additional changes in the Firefox profile is also a good idea,
etc. ;-)

Thank you, once again.
__
[1] http://www.morbo.org/2017/11/linux-sandboxing-improvements-in.html


Re: [apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-11-29 Thread Seth Arnold
Hello Daniel,

On Wed, Nov 29, 2017 at 05:02:25PM +, daniel curtis wrote:
> I'm asking, because Evince is a document viewer (PostScript, PDF).
> Of course it allows e.g. printing PS files, EPS etc., text searching, 
> hypertext
> navigation and bookmarks with index when it is available in the document
> and so on. So, are these rules above necessary?

Believe me, we get _so many bug reports_ about various pieces of evince
that don't work due to AppArmor profiles that you're going to have a very
hard time selling us on removing rules from the default profile.

Distro-provided profiles will always be too permissive for some users. The
long-term vision for these users involves stacking profiles together
to further restrict operations. You can do this today, sort of, but it
takes some work.

> I would like to remove all unnecessary rules. Just like with the Firefox
> profile where, by default, files can be downloaded to every folder in
> @{HOME}. I had to make some changes: add about 6 rules to the Firefox profile
> and edit "abstractions/ubuntu-browsers.d/user-files"
> (that's the place with rules that allow write access everywhere in $HOME
> etc.)
> 
> After the mentioned changes, users can download only to the "Download" folder,
> not everywhere. Oh, and I added an abstractions "private-files" rule. (Plus
> two more needed rules, because of a "DENIED" entry.) I think it's a safer
> solution, but maybe I'm wrong.

Strictly speaking, even if you remove the ~/** rw, kinds of rules from
firefox's profile, you'll still be able to download to any writable
location in the profile. Doing any different would require modifications
to Firefox.

Thanks




[apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-11-29 Thread daniel curtis
Hello Jamie

> Remember that these evince profiles include abstractions/evince. This
> has:
>

Geez, I totally forgot about checking the other abstractions! Sorry. I was
just amazed. That's all. Thank you for bringing my attention to it.

By the way, are these abstraction rules really needed:


I'm asking, because Evince is a document viewer (PostScript, PDF).
Of course it allows e.g. printing PS files, EPS etc., text searching, hypertext
navigation and bookmarks with index when it is available in the document
and so on. So, are these rules above necessary?

I would like to remove all unnecessary rules. Just like with the Firefox
profile where, by default, files can be downloaded to every folder in
@{HOME}. I had to make some changes: add about 6 rules to the Firefox profile
and edit "abstractions/ubuntu-browsers.d/user-files"
(that's the place with rules that allow write access everywhere in $HOME
etc.)

After the mentioned changes, users can download only to the "Download" folder,
not everywhere. Oh, and I added an abstractions "private-files" rule. (Plus
two more needed rules, because of a "DENIED" entry.) I think it's a safer
solution, but maybe I'm wrong.

I'm sorry for writing about the Firefox profile - it's just an example and
part of the reason why I asked about removing rules from the Evince profile.

Thanks, best regards.


Re: [apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-11-29 Thread Jamie Strandboge
On Wed, 2017-11-29 at 12:30 +, daniel curtis wrote:
> Hello
> 
> Yesterday, I noticed a strange lack of an abstraction rule in a
> default
> Evince profile (provided with 16.04 LTS install) and I would like to
> ask if
> it's just an oversight and there should be added one rule:
> "abstractions/private-files-strict"? Generally, this profile contains
> sub-profiles with these rules:
> 
> /usr/bin/evince {
> (...)
> # This is needed for saving files in your home directory without
> # an extension. Changing this to '@{HOME}/** r' makes it require
> # an extension and more secure (but with 'rw', we still have
> # abstractions/private-files-strict in effect).
> owner @{HOME}/** rw,
> owner /media/**  rw,
> 
> /usr/bin/evince-previewer {
> (...)
> # Lenient, but remember we still have abstractions/private-files-
> # strict in effect). Write is needed for 'print to file' from
> # the previewer.
> @{HOME}/ r,
> @{HOME}/** rw,
> 
> /usr/bin/evince-thumbnailer {
> (...)
> # Lenient, but remember we still have abstractions/private-files-
> # strict in effect).
> @{HOME}/ r,
> owner @{HOME}/** rw,
> owner /media/**  rw,
> }
> 
> As we can see, there are comments suggesting, that an abstraction
> rule with
> "private-files-strict" is in use, but it's not. (At least in the
> 16.04 LTS
> default profile.) What do you think about this? Should an
> abstraction's
> "private-files-strict" rule be added to the Evince profile and all
> sub-profiles?
> 

Remember that these evince profiles include abstractions/evince. This
has:

  # Use abstractions/private-files instead of abstractions/private-files-strict
  # and add the sensitive files manually to work around LP: #451422. The goal
  # is to disallow access to the .mozilla folder in general, but to allow
  # access to the Cache directory, which the browser may tell evince to open
  # from directly.

  #include 
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,
  ...

-- 
Jamie Strandboge | http://www.canonical.com



[apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-11-29 Thread daniel curtis
Hello

Yesterday, I noticed a strange lack of an abstraction rule in the default
Evince profile (provided with the 16.04 LTS install) and I would like to ask
whether it's just an oversight and one rule should be added:
"abstractions/private-files-strict"? Generally, this profile contains
sub-profiles with these rules:

/usr/bin/evince {
(...)
# This is needed for saving files in your home directory without
# an extension. Changing this to '@{HOME}/** r' makes it require
# an extension and more secure (but with 'rw', we still have
# abstractions/private-files-strict in effect).
owner @{HOME}/** rw,
owner /media/**  rw,

/usr/bin/evince-previewer {
(...)
# Lenient, but remember we still have abstractions/private-files-
# strict in effect). Write is needed for 'print to file' from
# the previewer.
@{HOME}/ r,
@{HOME}/** rw,

/usr/bin/evince-thumbnailer {
(...)
# Lenient, but remember we still have abstractions/private-files-
# strict in effect).
@{HOME}/ r,
owner @{HOME}/** rw,
owner /media/**  rw,
}

As we can see, there are comments suggesting that an abstraction rule with
"private-files-strict" is in use, but it's not. (At least in the 16.04 LTS
default profile.) What do you think about this? Should an abstractions
"private-files-strict" rule be added to the Evince profile and all
sub-profiles?

Thanks, best regards.
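The two questions in this thread (which private-files abstraction the evince sub-profiles actually pull in once their includes are followed, and which rules grant write access across @{HOME}, the same "download anywhere" pattern Daniel describes for the Firefox profile) can be answered mechanically by walking the include graph. The following is an added example written for this thread, not code from the apparmor-profiles project. It parses only the simple file rules and `#include <...>` lines that appear in the thread, not the full profile grammar. The sub-profile bodies are the rules quoted above; the bodies of abstractions/evince, abstractions/private-files and abstractions/private-files-strict are assumed reconstructions (the archive lost the include targets), limited to lines the thread mentions, and the "/usr/bin/evince+strict" entry is a hypothetical variant with the strict abstraction added so the difference is visible in the report.

```python
"""Audit AppArmor profile fragments: which private-files abstraction a
sub-profile includes (transitively) and which rules grant write access
across @{HOME}.  Added example, not the apparmor-profiles project's code."""
import re

# Constructed sample. Sub-profile bodies follow the rules quoted in the thread;
# the abstraction bodies are ASSUMED reconstructions limited to lines the thread
# mentions, and "/usr/bin/evince+strict" is a hypothetical hardened variant.
FRAGMENTS = {
    "/usr/bin/evince": """
        #include <abstractions/evince>
        owner @{HOME}/** rw,
        owner /media/**  rw,
    """,
    "/usr/bin/evince-previewer": """
        #include <abstractions/evince>
        @{HOME}/ r,
        @{HOME}/** rw,
    """,
    "/usr/bin/evince-thumbnailer": """
        #include <abstractions/evince>
        @{HOME}/ r,
        owner @{HOME}/** rw,
        owner /media/**  rw,
    """,
    "/usr/bin/evince+strict": """
        #include <abstractions/evince>
        #include <abstractions/private-files-strict>
        owner @{HOME}/** rw,
    """,
    "abstractions/evince": """
        # Use abstractions/private-files instead of abstractions/private-files-strict
        #include <abstractions/private-files>
        audit deny @{HOME}/.gnupg/** mrwkl,
        audit deny @{HOME}/.ssh/** mrwkl,
    """,
    "abstractions/private-files": """
        audit deny @{HOME}/.*history mrwkl,
        audit deny @{HOME}/.fetchmailrc mrwkl,
    """,
    "abstractions/private-files-strict": """
        #include <abstractions/private-files>
        audit deny @{HOME}/.mozilla/** mrwkl,
    """,
}

INCLUDE_RE = re.compile(r"^#?include\s+<([^>]+)>")
# audit? deny? owner? <path> <perms>,   e.g. "audit deny @{HOME}/.ssh/** mrwkl,"
RULE_RE = re.compile(
    r"^(?P<audit>audit\s+)?(?P<deny>deny\s+)?(?P<owner>owner\s+)?"
    r"(?P<path>[@/]\S*)\s+(?P<perms>[a-zA-Z]+),$"
)


def parse_fragment(text, origin):
    """Return (included abstraction names, file rules) for one fragment body."""
    includes, rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        inc = INCLUDE_RE.match(line)
        if inc:
            includes.append(inc.group(1))
        elif line and not line.startswith("#"):  # skip ordinary comments
            m = RULE_RE.match(line)
            if m:
                rules.append({"path": m["path"], "perms": m["perms"],
                              "owner": bool(m["owner"]), "deny": bool(m["deny"]),
                              "audit": bool(m["audit"]), "origin": origin})
    return includes, rules


def closure(name, fragments, seen=None):
    """Names of a fragment and everything it includes, depth-first, no repeats."""
    seen = [] if seen is None else seen
    if name not in seen:
        seen.append(name)
        for inc in parse_fragment(fragments.get(name, ""), name)[0]:
            closure(inc, fragments, seen)
    return seen


def audit_profile(name, fragments):
    """Summarise what a profile really grants under @{HOME} after includes."""
    names = closure(name, fragments)
    rules = [r for n in names for r in parse_fragment(fragments.get(n, ""), n)[1]]
    home = [r for r in rules if r["path"].startswith("@{HOME}")]
    # Allow rules whose glob spans the whole home tree and carries write access.
    broad = [r for r in home
             if not r["deny"] and r["path"].endswith("/**") and "w" in r["perms"]]
    return {
        "includes": names[1:],
        "private_files": "abstractions/private-files" in names,
        "private_files_strict": "abstractions/private-files-strict" in names,
        "broad_home_write": [(r["path"], r["perms"], r["owner"], r["origin"]) for r in broad],
        "unowned_home_write": [r["path"] for r in broad if not r["owner"]],
        "denied_home_paths": sorted({r["path"] for r in home if r["deny"]}),
        "missing_includes": [n for n in names if n not in fragments],
    }


if __name__ == "__main__":
    for prof in (n for n in FRAGMENTS if n.startswith("/")):
        rep = audit_profile(prof, FRAGMENTS)
        level = ("strict" if rep["private_files_strict"]
                 else "non-strict" if rep["private_files"] else "NONE")
        print(f"{prof}: private-files={level}; broad @{{HOME}} writes="
              f"{len(rep['broad_home_write'])} (unowned: {rep['unowned_home_write'] or 'none'}); "
              f"denied under @{{HOME}}: {', '.join(rep['denied_home_paths'])}")
```

Run as a script it prints one line per sub-profile; the previewer stands out because its `@{HOME}/** rw,` rule carries no `owner` qualifier, while every sub-profile reports the non-strict abstraction, which is exactly the state Jamie's reply explains. The `missing_includes` entry is there so a profile referring to an abstraction that is not on disk is reported rather than silently treated as empty.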