Mailinglist Archive: opensuse-factory (1029 mails)

< Previous Next >
Re: [opensuse-factory] Let's keep acroread for pure reasons of usability.
Hello,

Am Donnerstag, 7. November 2013 schrieb Carlos E. R.:
So, what exactly are the security risks I get into by opening local
PDF files (generated by reputable sources, such as governments) with
acroread in Linux? Can they be avoided or limited with a good
AppArmor profile?

I don't know about the exact security risks - maybe someone from the
security team knows more details.

With an AppArmor profile, you can make sure that acroread only reads
*.pdf files and doesn't read or modify random files on your disk. You
can also forbid networking - but this doesn't sound too useful when you
need to submit a form online ;-)

Anyway, I'll attach my AppArmor profile for acroread. It's not as tight
as it could be (and I'll probably do some changes to it now that I know
acroread won't get security updates anymore), but it's a good start.
Be warned that you will need to change it - for example I'm quite sure
your home directory is not /home/cb/ ;-)

Note: the profile only covers the binary, not the wrapper script.

If the danger is in the Firefox plugin, for instance, that can be
removed with less trouble.

Indeed, just zypper rm acroread-browser-plugin

I'd strongly recommend to do that (guess who split off this subpackage,
and why... ;-)


Regards,

Christian Boltz
--
<coolo> Ilmehtar: in rails you don't javascript, you jquery
<coolo> or even worse, you coffee
<ancor> Ilmehtar: coolo is right. I always use jquery
<ancor> but I'm not still used to coffee
<vad> tea, then?
[from #opensuse-project]
# Last Modified: 1379854985.78
#include <tunables/global>

/usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/fonts>
#include <abstractions/gnome>

network inet dgram,
network inet6 dgram,

deny /dev/shm/pulse-shm-* w,
deny /etc/fstab r,
deny /home/cb/.pulse-cookie rwk,
deny /home/cb/.pulse/ rw,
deny /home/cb/.thumbnails/** r,

/bin/bash rix,
/dev/shm/ r,
/dev/shm/sem.* rwl,
/dev/shm/sem.ADBE_REL_* l,
/dev/shm/sem.ADBE_WritePrefs_* l,
/dev/tty rw,
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/pulse/client.conf r,
/etc/resolv.conf r,
/home/*/.fontconfig/*.LCK w,
/home/*/.fontconfig/*.NEW w,
/home/*/.fontconfig/*.TMP-* w,
/home/*/.kde4/share/config/gtkrc-2.0 r,
/home/*/.local/share/mime/mime.cache r,
/home/cb/ r,
/home/cb/**.pdf r,
/home/cb/**/ r,
/home/cb/**/tmp.ps rw,
/home/cb/.Xauthority r,
/home/cb/.adobe/Acrobat/** rw,
/home/cb/.adobe/Acrobat/9.0/SharedDataEvents rwk,
/home/cb/.adobe/Linguistics/UserDictionaries/ r,
/home/cb/.fontconfig/*.cache-3 rw,
/home/cb/.gtkrc-2.0-kde4 r,
/home/cb/.icons/tuxresize_cb/cursors/* r,
/home/sys-var/run/nscd/passwd r,
/proc/*/status r,
/proc/*/task/ r,
/proc/meminfo r,
/tmp/file* w,
/usr/bin/locale rix,
/usr/lib/Adobe/Reader9/Reader/intellinux/SPPlugins/ADMPlugin.apl mr,
/usr/lib/Adobe/Reader9/Reader/intellinux/lib/suse-do-not-grab-server.so mr,
/usr/lib/Adobe/Reader9/Reader/intellinux/plug_ins/*.api mr,
/usr/lib/Adobe/Reader9/Reader/intellinux/plug_ins/Multimedia/MPP/Real.mpp mr,
/usr/lib/Adobe/Reader9/Reader/intellinux/plug_ins3d/*.x3d mr,
/usr/share/ r,
/usr/share/cantarell-fonts/conf.avail/*.conf r,
/usr/share/fontconfig/conf.avail/*.conf r,
/usr/share/fonts-config/conf.avail/*.conf r,
/usr/share/ghostscript/fonts/ r,
/usr/share/locale-bundle/de/LC_MESSAGES/atk10.mo r,
/usr/share/locale-bundle/de/LC_MESSAGES/gdk-pixbuf.mo r,
/usr/share/locale-bundle/de/LC_MESSAGES/gstreamer-1.0.mo r,

}
< Previous Next >
This Thread