Public bug reported:
From the profile itself:
# The purpose of this profile isn't to confine man itself (that might be
# nice in the future, but is tricky since it's quite configurable), but to
# confine the processes it calls that parse untrusted data.
/** mrixwlk,
This is not an acceptable use of apparmor. The replacement below will handle
95% of the cases.
owner /dev/pts/[0-9]* rw,
/dev/tty rw,
/usr/share/terminfo/** r,
/etc/groff/man.local r,
/etc/manpath.config r,
/usr/bin/grotty ixr,
/usr/bin/{,g,n}roff rmCx -> &man_groff,
/usr/local/share/man/{,**} r,
/usr/share/groff/** r,
/usr/share/man/{,**} r,
/var/cache/man/index.db rkw,
/{,usr/}bin/less{,file,pipe} rix,
@{HOME}/.local/share/man/index.db rkw,
@{HOME}/.local/{,share/}man/{,**} r,
Other improvements include usage of
#include <abstractions/groff>
and a couple of:
/{usr/,}bin/dash ixr,
/usr/bin/{,g,n}roff ixr,
here and there.
Unsetting LESSHISTFILE is also advised to avoid less doing (useless) histfile
(re)write attempts.
The above changes mean accessing a handful of files, dropping
read/write access to the whole filesystem and still fulfilling the vast
majority of `man` usages. (Users configuring `man` can generally
interpret `journalctl` apparmor warnings and/or configure it.) A comment
in the file could even ease the task, like:
# uncomment the line below if man fails edge-cases
# /** mrixwlk,
See also #1788973
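A small check for the over-broad rule discussed above, added here as an example and not part of the bug report: it parses AppArmor file rules and flags any whose path glob spans the whole filesystem, run against the original `/** mrixwlk,` rule and the proposed replacement. The rule regex is this example's own simplification of the profile language, and the replacement rules (including the `-> &man_groff` target) are copied as written in the report.

```python
import re

# One AppArmor file rule: "[owner] <path> <perms> [-> target],"
RULE_RE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>[/@]\S+)\s+"
                     r"(?P<perms>[rwalmkixpPuUcC]+)(?:\s*->\s*(?P<target>\S+))?\s*,\s*$")
PERM_NAMES = {"r": "read", "w": "write", "a": "append", "l": "link", "m": "mmap", "k": "lock"}
EXEC_PERMS = set("ixpPuUcC")  # any exec qualifier (ix, px, Px, ux, Ux, cx, Cx)

# Constructed inputs: the rule the report objects to, and its proposed replacement.
ORIGINAL_RULE = "/** mrixwlk,"
REPLACEMENT_RULES = """\
owner /dev/pts/[0-9]* rw,
/dev/tty rw,
/usr/share/terminfo/** r,
/etc/groff/man.local r,
/etc/manpath.config r,
/usr/bin/grotty ixr,
/usr/bin/{,g,n}roff rmCx -> &man_groff,
/usr/local/share/man/{,**} r,
/usr/share/groff/** r,
/usr/share/man/{,**} r,
/var/cache/man/index.db rkw,
/{,usr/}bin/less{,file,pipe} rix,
@{HOME}/.local/share/man/index.db rkw,
@{HOME}/.local/{,share/}man/{,**} r,
"""

def parse_rule(line):
    """Split one file rule into its parts; None for comments, blanks and non-file rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return {"owner": bool(m.group("owner")), "path": m.group("path"),
            "perms": set(m.group("perms")), "target": m.group("target")}

def describe(perms):
    """Name the access classes a permission string grants, in a fixed order."""
    names = [PERM_NAMES[p] for p in "rwalmk" if p in perms]
    if perms & EXEC_PERMS:
        names.append("exec")
    return names

def audit(profile_text):
    """Return (path, access classes) for each rule whose path glob spans the whole filesystem."""
    findings = []
    for line in profile_text.splitlines():
        rule = parse_rule(line)
        if rule and re.fullmatch(r"/\*\*?", rule["path"]):
            findings.append((rule["path"], describe(rule["perms"])))
    return findings
```

`audit(ORIGINAL_RULE)` reports the single `/**` rule as granting read, write, link, mmap, lock and exec on everything, while `audit(REPLACEMENT_RULES)` returns no findings.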
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Tags: aa-policy
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2102696
Title:
insecure usr.bin.man profile
Status in apparmor package in Ubuntu:
New