On Tue, 2019-06-25 at 22:11 +0930, Rodney Baker wrote:
> On Monday, 24 June 2019 22:26:53 ACST Michal Suchánek wrote: [...]
> > > I agree this is probably a much better way to achieve pretty much the same result
> > It isn't. Ghostscript needs apparmor to be reasonably secure. A security flaw pointed out in ghostscript was fixed by writing this apparmor profile. For it to be effective you need apparmor even if you did not have it to start with. That's a requirement in my book.
> Sounds more like a workaround than a fix. A proper fix would have been to fix the vulnerability in ghostscript, rather than using a sledgehammer to crack a walnut (unless there was absolutely no other way to mitigate the risk).
That's the point - ghostscript is considered more or less unfixable.
Quoting from the non-public bug where the apparmor profile was
introduced: "With the current set of ghostscript security issues and
likely more coming, we should audit the current users of ghostscript
and remove it where it is not strictly necessary, or at least confine
it using apparmor. [...] Basically processing untrusted input with
ghostscript is a hopeless case and should be disabled."
Yet ghostscript is at the heart of Linux printing, so it couldn't
simply be ditched. Thus using apparmor is only logical - it confines
ghostscript from an external, security-focused point of view.
Anyone is welcome to try and fix the issues in ghostscript for good,
but I fear it will be a tough ride, and likely not as efficient as the
apparmor approach.
Martin
--
Dr. Martin Wilck