Project

General

Profile

Feature #11150

Add eog AppArmor policy

Added by cypherpunks over 3 years ago. Updated about 3 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
02/21/2016
Due date:
% Done:

20%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

Eog really should have an AppArmor policy, as it has to parse complex data formats from untrusted sources. I created one by hand, using other policies as references. The file for /etc/apparmor.d/usr.bin.eog is attached to this issue.

usr.bin.eog (1.39 KB) cypherpunks, 02/21/2016 11:28 AM

usr.bin.eog (1.39 KB) cypherpunks, 02/21/2016 12:47 PM

History

#1 Updated by cypherpunks over 3 years ago

Did the policy fail to upload? Heh, I think the Tor Browser AppArmor policy prevented it because it was a root-owned hardlink. Well, here it is now.

#2 Updated by cypherpunks over 3 years ago

Minor typo in the policy which made eog fail to open in a specific circumstance. Fixed with this attachment.

"/usr/{,local/}/share/**" was suppose to be "/usr/{,local/}share/**".

#3 Updated by intrigeri over 3 years ago

  • Status changed from New to In Progress

Thanks!

I'd rather not maintain AppArmor policy in Tails whenever possible, though: most of the maintenance work can be shared with other distributions, and we're struggling to keep our delta small. So next step is to have it in upstream "apparmor-profiles" repository, and then we can include it in Debian (either in the eog package directly, or via the apparmor-profiles-extra package): https://wiki.debian.org/AppArmor/Contribute/Upstream.

#4 Updated by cypherpunks over 3 years ago

Well I looked at the instructions over at https://wiki.debian.org/AppArmor/Reportbug which lead me to https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=new-profile&user=pkg-apparmor-team%40lists.alioth.debian.org, all of which contain users being told "report it upstream" and linking them to the first link. Then the other alternative instructions involve forking apparmor-profiles. Is there any simple bug tracker or mailing list I can send the file to?

#5 Updated by cypherpunks over 3 years ago

I asked on IRC and was pointed to an AppArmor mailing list. Let's see how it goes...

#6 Updated by intrigeri over 3 years ago

  • Assignee set to cypherpunks
  • % Done changed from 0 to 20

Redirected discussion to the upstream ML, for inclusion in the upstream apparmor-profiles (currently bzr) repo: https://lists.ubuntu.com/archives/apparmor/2016-February/thread.html

Once the profile has been tested enough, next steps will be:

  1. issue a pull request on Launchpad (I can help if you don't do bzr: thankfully upstream is moving to Git soonish so don't bother learning bzr just for this :)
  2. once merged upstream: import into the apparmor-profiles-extra Debian package
  3. get the relevant version of that package into Tails
  4. bonus: we'll probably want to write a few basic regression tests to make sure that EOG functionality doesn't break in the future (and in particular, doesn't break due to AppArmor), and to make sure that the profile blocks access to some places EOG should not be allowed to read from (example: https://git-tails.immerda.ch/tails/tree/features/evince.feature); but that's not a blocker here.

#7 Updated by BitingBird about 3 years ago

Any news on this one? I saw no answer to intrigeri's email on the list.

#8 Updated by intrigeri about 3 years ago

  • Status changed from In Progress to Rejected

That's upstream material, and there's been no answer from the OP for months, so let's stop tracking this here.

#9 Updated by cypherpunks about 3 years ago

I'm the OP. Didn't know an answer was wanted, I had thought once it was posted to the right mailing list, it'd be on its way to inclusion. Eog is pretty important. What is needed for me to get progress on this?

#10 Updated by intrigeri about 3 years ago

What is needed for me to get progress on this?

See #11150#note-6. Upstream moved to Git, so best is to submit a merge request there: https://code.launchpad.net/apparmor-profiles

#11 Updated by cypherpunks about 3 years ago

Ok, that sounds easy enough. One problem though. Eog has the ability to edit images and other files. In order for the profile to be fully complient with the needs of regular Debian, it would have to be much looser and less secure than what Tails requires. Would we add something to apparmor.d/local/user.bin.eog or something to override its ability to write to arbitrary images?

#12 Updated by intrigeri about 3 years ago

Ok, that sounds easy enough.

:)

One problem though. Eog has the ability to edit images and other files.

Indeed, and I don't think we want to break that functionality in Tails.

In order for the profile to be fully complient with the needs of regular Debian, it would have to be much looser and less secure than what Tails requires.

I see no difference between Debian and Tails here.

Also available in: Atom PDF