Hello,

On Jun 25 22:11 Rodney Baker wrote (excerpt):
On Monday, 24 June 2019 22:26:53 ACST Michal Suchánek wrote: [...]
I agree this is probably a much better way to achieve pretty much the same result
It isn't. Ghostscript needs apparmor to be reasonably secure. A security flaw pointed out in ghostscript was fixed by writing this apparmor profile. For it to be effective you need apparmor even if you did not have it to start with. That's a requirement in my book.
In general it is insufficient to prevent execution of arbitrary executables via AppArmor only for /usr/bin/gs because actually it is /usr/lib64/libgs.so.9.* that contains the actual Ghostscript functionality, see
http://bugzilla.opensuse.org/show_bug.cgi?id=1134327#c16

For plain printing it might be enough to prevent execution of arbitrary executables only for /usr/bin/gs because usually the print filtering programs call /usr/bin/gs but there are printing related programs that link directly or indirectly with /usr/lib64/libgs.so.9.*, see
https://bugzilla.opensuse.org/show_bug.cgi?id=1134327#c17
Sounds more like a workaround than a fix. A proper fix would have been to fix the vulnerability in ghostscript, rather than using a sledgehammer to crack a walnut (unless there was absolutely no other way to mitigate the risk).
Of course Ghostscript upstream works a lot to get things solved properly - please help them if you know "a proper fix". The AppArmor attempt is meant as some kind of "firewall" or "jailhouse" (perhaps even "madhouse" ;-) around Ghostscript. See in particular the section "It is crucial to limit access to CUPS to trusted users" in
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - HRB 21284 (AG Nuernberg)
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah
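
Added example, not part of the original message or of any SUSE tooling: a small shell audit of the point made above, that programs linking directly or indirectly against libgs.so.* need confinement too, not only /usr/bin/gs. It assumes `ldd` is available, that the loaded profile list is readable at /sys/kernel/security/apparmor/profiles, and that a profile is named after the executable path; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report programs that load libgs.so.*
# and whether an AppArmor profile named after their path is loaded.
# Assumptions: ldd exists; the profile list is readable (usually root only);
# profiles are matched by exact name, so glob attachments are not detected.
# ldd can run code from the file it inspects: use it on installed,
# trusted binaries only.

PROFILES=${PROFILES:-/sys/kernel/security/apparmor/profiles}

# Read ldd output on stdin; succeed if libgs.so.* is among the resolved
# libraries. ldd lists transitive dependencies, so indirect linking counts.
links_libgs() {
    grep -Eq '(^|[[:space:]/])libgs\.so(\.[0-9]+)*[[:space:]]'
}

# Print the mode (enforce, complain, ...) of the profile named exactly $1,
# reading the "name (mode)" lines of profiles file $2. Fails if not found.
profile_mode() {
    awk -v p="$1" '{
        mode = $NF; name = $0
        sub(/ \([^)]*\)$/, "", name)
        if (name == p) { gsub(/[()]/, "", mode); print mode; found = 1; exit }
    } END { exit !found }' "$2"
}

# Classify one executable and print "<path>: <verdict>".
audit_binary() {
    bin=$1
    if ! ldd "$bin" 2>/dev/null | links_libgs; then
        echo "$bin: does not load libgs"; return 0
    fi
    if mode=$(profile_mode "$bin" "$PROFILES" 2>/dev/null); then
        echo "$bin: loads libgs, profile in $mode mode"
    else
        echo "$bin: loads libgs, NO AppArmor profile"
    fi
}

# Usage: sh audit.sh /usr/bin/gs /usr/lib/cups/filter/*
for b in "$@"; do
    if [ -f "$b" ] && [ -x "$b" ]; then audit_binary "$b"; fi
done
```

A program reported as loading libgs without a profile may still be confined by a profile inherited from its parent process or attached by a glob, so treat the output as a list to review rather than a verdict.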