Hello,

On Friday, 8 November 2013, Carlos E. R. wrote:
> On Thursday, 2013-11-07 at 23:20 +0100, Christian Boltz wrote:
>> On Thursday, 7 November 2013, Carlos E. R. wrote:
>> Anyway, I'll attach my AppArmor profile for acroread. It's not as tight as it could be (and I'll probably do some changes to it now that I know acroread won't get security updates anymore), but it's a good start. Be warned that you will need to change it - for example I'm quite sure your home directory is not /home/cb/ ;-)
>
> It is a start, thanks.
>
> Now that I think, the YaST AppArmor wizard has disappeared, so it is more difficult to adjust profiles.

Hmm, I didn't check the YaST module for a long time (I never use it), but the changelog says you are right:

    * Mo Aug 19 2013 jreidinger@suse.com
    - fix broken dialog in edit profiles
    - drop reporting and profile generation tools (FATE#308684,308683)

Needless to say that both FATE entries are non-public :-( which means I don't know any details why this was done. The only thing I know is that the changelog entry is partly wrong - the "reporting" part was already disabled in 2011 because of upstream changes. In the remaining part, I even found a crash :-( (-> bug 849571)

That said - you don't need YaST to update the profiles ;-) - the commandline tools work as well as always. To update an existing profile, run

    aa-logprof

It will ask you in the same way YaST did, the only difference is that you need to use your keyboard instead of your mouse ;-)

New profiles can be created with aa-genprof.

>> Note: the profile only covers the binary, not the wrapper script.
>
> Which is that?

That's easy to find out ;-)

    # which acroread
    # ls -l `which acroread`

(and then follow the symlink)

Or just run

    aa-genprof acroread

to create a profile ;-)

Note: AFAIK the wrapper script uses LD_PRELOAD when starting the real binary, which means you should _not_ clean the environment when the binary is executed ("px" instead of "Px" in the profile)

That all said: The most secure solution is of course to use a maintained PDF reader like Okular, but if you really _have to_ use acroread for some reason, it's more secure (or should I say less exploitable) with an AppArmor profile.

>>> If the danger is in the Firefox plugin, for instance, that can be removed with less trouble.
>>
>> Indeed, just
>>     zypper rm acroread-browser-plugin
>>
>> I'd strongly recommend to do that (guess who split off this subpackage, and why... ;-)
>
> No idea...

You can blame me for the subpackage ;-)

Regards,

Christian Boltz
-- 
CPU & registers: the person (with short-term memory)
I beg your pardon. When I wake up in the morning, I don't need to read through file folders first. I can remember just fine without them. [> David Haller and Bernd Brodesser in suse-linux]
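
The "px" versus "Px" point from the message above, as an added example that is not part of the original mail and is not the profile Christian attached. All paths are placeholders (find the real ones with the `which` / `ls -l` steps in the message), and the wrapper is assumed to be a bash script.

```apparmor
# Added illustration. Every /opt/EXAMPLE/... path is a placeholder,
# not the real acroread layout.
#include <tunables/global>

# Profile for the wrapper script.
/opt/EXAMPLE/bin/acroread-wrapper {
  #include <abstractions/base>

  # The script itself and its interpreter (assumed: bash).
  /opt/EXAMPLE/bin/acroread-wrapper r,
  /{usr/,}bin/bash rix,

  # Lowercase "px": on exec, switch to the binary's own profile and
  # leave the environment untouched, so the LD_PRELOAD value set by
  # the wrapper still reaches the real binary.
  /opt/EXAMPLE/lib/acroread-binary px,

  # Uppercase "Px" also switches profiles, but requests environment
  # scrubbing (secure execution). The dynamic loader then ignores
  # LD_PRELOAD, which is what the message warns about:
  # /opt/EXAMPLE/lib/acroread-binary Px,
}

# Profile for the real binary. A "px" transition is denied if no
# profile with this name is loaded, so both must exist.
/opt/EXAMPLE/lib/acroread-binary {
  #include <abstractions/base>

  /opt/EXAMPLE/lib/acroread-binary mr,

  # Example of a narrow rule: read-only access to the user's own PDFs.
  owner @{HOME}/**.pdf r,
}
```

After loading a profile like this in complain mode, `aa-logprof` (mentioned in the message) can be used to add the remaining rules the application actually needs.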