Add eog AppArmor policy
Eog really should have an AppArmor policy, as it has to parse complex data formats from untrusted sources. I created one by hand, using other policies as references. The file for /etc/apparmor.d/usr.bin.eog is attached to this issue.
#3 Updated by intrigeri over 3 years ago
- Status changed from New to In Progress
I'd rather not maintain AppArmor policy in Tails whenever possible, though: most of the maintenance work can be shared with other distributions, and we're struggling to keep our delta small. So next step is to have it in upstream "apparmor-profiles" repository, and then we can include it in Debian (either in the eog package directly, or via the apparmor-profiles-extra package): https://wiki.debian.org/AppArmor/Contribute/Upstream.
#4 Updated by cypherpunks over 3 years ago
Well I looked at the instructions over at https://wiki.debian.org/AppArmor/Reportbug which lead me to https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=new-profile&user=pkg-apparmor-team%40lists.alioth.debian.org, all of which contain users being told "report it upstream" and linking them to the first link. Then the other alternative instructions involve forking apparmor-profiles. Is there any simple bug tracker or mailing list I can send the file to?
#6 Updated by intrigeri over 3 years ago
- Assignee set to cypherpunks
- % Done changed from 0 to 20
Redirected discussion to the upstream ML, for inclusion in the upstream apparmor-profiles (currently bzr) repo: https://lists.ubuntu.com/archives/apparmor/2016-February/thread.html
Once the profile has been tested enough, next steps will be:
- issue a pull request on Launchpad (I can help if you don't do bzr: thankfully upstream is moving to Git soonish so don't bother learning bzr just for this :)
- once merged upstream: import into the apparmor-profiles-extra Debian package
- get the relevant version of that package into Tails
- bonus: we'll probably want to write a few basic regression tests to make sure that EOG functionality doesn't break in the future (and in particular, doesn't break due to AppArmor), and to make sure that the profile blocks access to some places EOG should not be allowed to read from (example: https://git-tails.immerda.ch/tails/tree/features/evince.feature); but that's not a blocker here.
#11 Updated by cypherpunks about 3 years ago
Ok, that sounds easy enough. One problem though. Eog has the ability to edit images and other files. In order for the profile to be fully complient with the needs of regular Debian, it would have to be much looser and less secure than what Tails requires. Would we add something to
apparmor.d/local/user.bin.eog or something to override its ability to write to arbitrary images?
#12 Updated by intrigeri about 3 years ago
Ok, that sounds easy enough.
One problem though. Eog has the ability to edit images and other files.
Indeed, and I don't think we want to break that functionality in Tails.
In order for the profile to be fully complient with the needs of regular Debian, it would have to be much looser and less secure than what Tails requires.
I see no difference between Debian and Tails here.