Accepting request 679465 from Printing

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/679465
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=36

apparmor_usr.bin.gs

@@ -0,0 +1,18 @@
+#include <tunables/global>
+
+# this profile is mainly intended to prevent easy exploitation of
+# issues in ghostscript. This is mainly intended as a hardening
+# measure and doesn't alleviate the need for regular updates
+profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+  #include <abstractions/X>
+
+  # needed to read gc/write pdfs/eps/.. everywhere
+  /** wr,
+
+  /usr/lib64/ghostscript/** m,
+  /usr/lib64/libgs.so.* m,
+  /usr/lib64/libijs-* m,
+}

ghostscript-mini.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb  7 09:27:44 UTC 2019 - jsegitz@suse.com
+
+- Added apparmor_usr.bin.gs. This profile prevents execution of
+  executables to serve as hardening for the binaries that process
+  ghostscript. This is of limited use but prevents simple exploits.
+
 -------------------------------------------------------------------
 Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
 

ghostscript-mini.spec

@@ -71,6 +71,7 @@ Release:        0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
+Source1:        apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -311,6 +312,7 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 
 %post -p /sbin/ldconfig
 
@@ -390,6 +392,8 @@ install -m 644 catalog.devices $DOCDIR
 %{_libdir}/libgs.so.*
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*
 
 %files devel
 %defattr(-,root,root)

ghostscript.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb  7 09:27:44 UTC 2019 - jsegitz@suse.com
+
+- Added apparmor_usr.bin.gs. This profile prevents execution of
+  executables to serve as hardening for the binaries that process
+  ghostscript. This is of limited use but prevents simple exploits.
+
 -------------------------------------------------------------------
 Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
 

ghostscript.spec

@@ -91,6 +91,7 @@ Release:        0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
+Source1:        apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -447,6 +448,7 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 
 %post -p /sbin/ldconfig
 
@@ -527,6 +529,8 @@ install -m 644 catalog.devices $DOCDIR
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
 %exclude %{_libdir}/ghostscript/%{built_version}/X11.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*
 
 %files x11
 %defattr(-,root,root)