please relocate "nameservice" usage in evince AppArmor profile

Bug #720961 reported by Kees Cook
Affects            Status         Importance   Assigned to        Milestone
evince (Ubuntu)    Fix Released   Medium       Jamie Strandboge
Natty              Fix Released   Medium       Jamie Strandboge

Bug Description

Binary package hint: evince

Right now, the "nameservice" abstraction is listed in the abstractions/evince file, which means that both evince and evince-thumbnailer have full network privileges. I think it would be better to move "nameservice" from the abstraction to the core evince profile so that the thumbnailer is not allowed to communicate with the network (it should be doing strictly local-only operations, AFAICT).

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: evince 2.32.0-0ubuntu9
ProcVersionSignature: Ubuntu 2.6.38-3.30-generic 2.6.38-rc4
Uname: Linux 2.6.38-3-generic x86_64
Architecture: amd64
Date: Thu Feb 17 12:53:32 2011
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
ProcVersionSignature_: Ubuntu 2.6.38-3.30-generic 2.6.38-rc4
SourcePackage: evince

Kees Cook (kees) wrote :
Changed in evince (Ubuntu Natty):
milestone: none → ubuntu-11.04-beta
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Right, so I remember why this was needed. When profiling, evince-thumbnailer needed /etc/passwd and /etc/nsswitch.conf, so the nameservice abstraction was added. This seems rather silly, so I strace'd it:
$ strace -c evince-thumbnailer ./test_hyperlink.pdf /tmp/out.png
...
  -nan 0.000000 0 1 getuid
  -nan 0.000000 0 1 geteuid
...

I'm guessing this is due to the following:
$ strace evince-thumbnailer ./test_hyperlink.pdf /tmp/out.png 2>&1 | grep dbus
read(4, "libgvfsdbus.so: gio-vfs,gio-volu"..., 159) = 159
open("/usr/lib/libdbus-glib-1.so.2", O_RDONLY) = 4
open("/lib/libdbus-1.so.3", O_RDONLY) = 4
stat("/usr/lib/gio/modules/libgvfsdbus.so", {st_mode=S_IFREG|0644, st_size=172976, ...}) = 0
stat("/usr/lib/gio/modules/libgvfsdbus.so", {st_mode=S_IFREG|0644, st_size=172976, ...}) = 0
open("/usr/lib/gio/modules/libgvfsdbus.so", O_RDONLY) = 3
open("/lib/libdbus-1.so.3", O_RDONLY) = 3
connect(3, {sa_family=AF_FILE, path=@"/tmp/dbus-Szq019joqT"}, 23) = 0

Changed in evince (Ubuntu Natty):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu10

---------------
evince (2.32.0-0ubuntu10) natty; urgency=low

  * debian/apparmor-profile.abstraction: allow read of @{PROC}/[0-9]*/status
  * debian/apparmor*: more strictly confine the thumbnailer, in particular
    with regard to networking (LP: #720961)
    - move a bunch of abstractions from the evince abstraction into the
      evince and evince-previewer profiles
    - move yelp and bug-buddy execs to evince and evince-previewer profiles
    - deny reads to /etc/passwd and /etc/nsswitch.conf. These are caused by
      calls to getuid() and geteuid() from gnome libraries, but the
      thumbnailer doesn't actually need them
 -- Jamie Strandboge <email address hidden> Thu, 17 Feb 2011 17:34:12 -0600

Changed in evince (Ubuntu Natty):
status: Fix Committed → Fix Released
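The profile layout that the bug description asks for and the changelog above describes, written out as an added illustration; this is not the text of the Ubuntu evince package's actual profiles, which this page does not contain. The file names under /etc/apparmor.d/ follow the usual Ubuntu naming and are assumptions, and the rule bodies are abbreviated to the parts relevant here: the nameservice abstraction is included from the interactive viewer's profile only, and the thumbnailer profile explicitly denies the two files the changelog attributes to getuid()/geteuid() calls from the GNOME libraries.

```apparmor
# --- Before (the situation reported in the bug) ---
# /etc/apparmor.d/abstractions/evince was shared by evince, evince-previewer
# and evince-thumbnailer, and carried the line
#
#   #include <abstractions/nameservice>
#
# so the thumbnailer inherited network access it has no use for.

# --- After (the layout described in 2.32.0-0ubuntu10) ---

# /etc/apparmor.d/abstractions/evince (assumed path): only what every evince
# binary needs; nameservice is no longer here.
  #include <abstractions/base>
  #include <abstractions/fonts>
  @{PROC}/[0-9]*/status r,      # read access added in this upload
  # ... remaining shared rules omitted ...

# /etc/apparmor.d/usr.bin.evince (assumed path): the interactive viewer keeps
# name resolution and the other abstractions moved out of the shared file.
# evince-previewer gets the same includes in its own profile.
/usr/bin/evince {
  #include <abstractions/evince>
  #include <abstractions/nameservice>   # moved here from abstractions/evince
  # ... yelp and bug-buddy exec rules, remaining viewer rules omitted ...
}

# /etc/apparmor.d/usr.bin.evince-thumbnailer (assumed path): no nameservice,
# so no network. The two NSS files are denied rather than allowed: the
# thumbnailer does not need them, and an explicit deny rule is silent by
# default, so the reads no longer produce DENIED entries in the audit log
# while still being blocked.
/usr/bin/evince-thumbnailer {
  #include <abstractions/evince>
  deny /etc/passwd r,
  deny /etc/nsswitch.conf r,
  /usr/bin/evince-thumbnailer mr,
  # ... rules for the input document and the output thumbnail omitted ...
}
```

The design point is the direction of trust: a shared abstraction is the union of what every includer needs, so anything placed there is granted to the least-privileged binary as well. Keeping abstractions/evince to the common subset and adding nameservice per profile means the thumbnailer, which only converts a local file to a local image, cannot open sockets even if a crafted document triggers a bug in the rendering library it shares with the viewer.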