Hello,

On Thursday, 29 August 2019, 07:50:51 CEST, Dr. Werner Fink wrote:
> There is now a new package called gswrap which if installed will replace with the LATEST[1] ghostscript package the /usr/bin/gs program with its script. The script uses bwrap from the bubblewrap package to have its own namespace for each ghostscript command.
>
> The aim is to be sure that even if ghostscript is used with a bad PostScript[tm] file there is no way to read files from the user nor from the system.
>
> [1] The update-alternatives utility is used now to have /usr/bin/gs as a symbolic link pointing to /usr/bin/gs.bin and, if package gswrap becomes installed, to the /usr/bin/gswrap script.

I like this idea, but I also have to warn you that you'll need to update the ghostscript AppArmor profile. AppArmor uses the filenames _after_ symlink resolution, so you'll need to adjust the profile to attach to /usr/bin/gs.bin instead of [1] /usr/bin/gs, and also to allow executing /usr/bin/gs.bin

Regards,

Christian Boltz

[1] or in addition to, if you want to keep it backwards compatible

--
And where do you put the backup when the only partition is mounted read-only? *SCNR* Ideally on /dev/null - that's the fastest :-) [> Christian Boltz and Rainer Kaluscha in suse-linux]
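
A check for the mismatch described in the reply above, as an added example that is not part of the original mail or of any openSUSE package: it follows the symlink chain and tests whether a profile's attachment spec and exec rules match the resolved path. The two profile strings, the temporary directory tree and the simplified glob handling (only `**`, `*`, `?` and `{a,b}`) are assumptions constructed for illustration.

```python
import os, re, tempfile

# Constructed sample profiles (not the real openSUSE ghostscript profile).
OLD_PROFILE = "profile ghostscript /usr/bin/gs {\n  /usr/bin/gs mrix,\n}\n"
NEW_PROFILE = "profile ghostscript /usr/bin/gs{,.bin} {\n  /usr/bin/gs.bin mrix,\n}\n"

# Profile header: optional "profile NAME", attachment path, optional flags, "{".
HEADER = re.compile(r"^[ \t]*(?:profile[ \t]+\S+[ \t]+)?(/\S+)[ \t]+"
                    r"(?:flags=\([^)]*\)[ \t]+)?\{[ \t]*$", re.M)
# File rule: path, permission letters, trailing comma.
RULE = re.compile(r"^[ \t]*(/\S+)[ \t]+([a-zA-Z]+),[ \t]*$", re.M)

def glob_to_regex(glob):
    """Subset of AppArmor globbing: **, *, ? and {a,b} alternation."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def resolved(root, path):
    """Follow every symlink under root; return the result as an absolute path."""
    real = os.path.realpath(os.path.join(root, path.lstrip("/")))
    return "/" + os.path.relpath(real, os.path.realpath(root))

def attaches(profile, root, invoked):
    """True if a profile header matches the symlink-resolved executable."""
    target = resolved(root, invoked)
    return any(glob_to_regex(g).fullmatch(target) for g in HEADER.findall(profile))

def allows_exec(profile, root, invoked):
    """True if some file rule grants an x permission on the resolved path."""
    target = resolved(root, invoked)
    return any("x" in perms.lower() and glob_to_regex(g).fullmatch(target)
               for g, perms in RULE.findall(profile))

def demo_root():
    """Constructed tree mimicking update-alternatives: gs -> alternatives -> gs.bin."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc/alternatives"))
    open(os.path.join(root, "usr/bin/gs.bin"), "w").close()
    os.symlink("../../usr/bin/gs.bin", os.path.join(root, "etc/alternatives/gs"))
    os.symlink("../../etc/alternatives/gs", os.path.join(root, "usr/bin/gs"))
    return root
```

On a real system the same comparison can be made by passing `/` as `root` and the installed profile text as `profile`.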