On Friday, 8 November 2013, Carlos E. R. wrote:
On Thursday, 2013-11-07 at 23:20 +0100, Christian
> On Thursday, 7 November 2013, Carlos E. R. wrote:
I'll attach my AppArmor profile for acroread. It's not as
tight as it could be (and I'll probably do some changes to it now
that I know acroread won't get security updates anymore), but it's
a good start. Be warned that you will need to change it - for
example I'm quite sure your home directory is not /home/cb/ ;-)
It is a start, thanks.
Now that I think of it, the YaST AppArmor wizard has disappeared, so it is
more difficult to adjust profiles.
Hmm, I didn't check the YaST module for a long time (I never use it),
but the changelog says you are right:
* Mo Aug 19 2013 jreidinger(a)suse.com
- fix broken dialog in edit profiles
- drop reporting and profile generation tools (FATE#308684,308683)
Needless to say that both FATE entries are non-public :-( which means I
don't know any details why this was done. The only thing I know is that
the changelog entry is partly wrong - the "reporting" part was already
disabled in 2011 because of upstream changes.
In the remaining part, I even found a crash :-( (-> bug 849571)
That said - you don't need YaST to update the profiles ;-) - the
command-line tools work as well as always.
To update an existing profile, run aa-logprof
It will ask you in the same way YaST did, the only difference is that
you need to use your keyboard instead of your mouse ;-)
New profiles can be created with aa-genprof.
profile only covers the binary, not the wrapper script.
Which is that?
That's easy to find out ;-)
# which acroread
# ls -l `which acroread`
(and then follow the symlink)
Or just run aa-genprof acroread to create a profile ;-)
Note: AFAIK the wrapper script uses LD_PRELOAD when starting the real
binary, which means you should _not_ clean the environment when the
binary is executed ("px" instead of "Px" in the profile)
That all said: The most secure solution is of course to use a maintained
PDF reader like Okular, but if you really _have to_ use acroread for
some reason, it's more secure (or should I say less exploitable with an
If the danger is in the Firefox plugin, for instance, that can be
removed with less trouble.
Indeed, just zypper rm acroread-browser-plugin
I'd strongly recommend doing that (guess who split off this
subpackage, and why... ;-)
You can blame me for the subpackage ;-)
CPU & registers: the person (with
I really must protest. When I wake up in the morning, I don't need to
read through file folders first. I can remember just fine as it is.
[> David Haller and Bernd Brodesser in suse-linux]
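
The "which / ls -l / follow the symlink" steps and the LD_PRELOAD note from the mail above, as an added shell example that is not part of the original message. The function name inspect_cmd and the grep heuristic are assumptions made for illustration; it only reports what the resolved file looks like, so the decision between "px" and "Px" in the profile stays with you.

```shell
#!/bin/sh
# Added example (not from the original mail). Constructed heuristic:
# follow a command through its symlinks and report whether the final
# file is a wrapper script that mentions LD_PRELOAD.

# inspect_cmd NAME_OR_PATH   (hypothetical helper name)
# Prints: "<resolved path> <script|binary> preload=<yes|no>"
inspect_cmd() {
    # Same lookup as `which`, done with the POSIX builtin.
    cmd_path=$(command -v "$1") || { echo "not found: $1" >&2; return 1; }

    # Same as following `ls -l` by hand until a regular file is reached.
    real=$(readlink -f "$cmd_path") || return 1

    # A wrapper script starts with "#!"; an ELF binary starts with 0x7f "ELF".
    if [ "$(head -c 2 "$real")" = '#!' ]; then
        kind=script
    else
        kind=binary
    fi

    # preload=yes: the script mentions LD_PRELOAD. A "Px" exec rule cleans
    # the environment and would drop that variable; "px" keeps it.
    preload=no
    if [ "$kind" = script ] && grep -q 'LD_PRELOAD' "$real"; then
        preload=yes
    fi

    printf '%s %s preload=%s\n' "$real" "$kind" "$preload"
}

# Usage: inspect_cmd acroread
```

A result of "script preload=yes" means the profile you generate with aa-genprof has to cover the wrapper as well as the binary it starts.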