Accepting request 687694 from Printing

Fixed AppArmor profile for Ghostscript plus required changes in Ghostscript to still run hpijs (bsc#1127934 bsc#1128697 bsc#1128467 bsc#1128607 bsc#1128608)

OBS-URL: https://build.opensuse.org/request/show/687694
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=38

apparmor_ghostscript

@@ -0,0 +1,48 @@
+#include <tunables/global>
+
+# this profile is mainly intended to prevent easy exploitation of
+# issues in ghostscript. This is mainly intended as a hardening
+# measure and doesn't alleviate the need for regular updates
+profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+  #include <abstractions/X>
+
+  # needed to read gc/write pdfs/eps/.. everywhere
+  /** wr,
+  /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} mrix,
+  /usr/bin/dvips mrix,
+  /usr/lib64/ghostscript/** m,
+  /usr/lib64/libgs.so.* m,
+  /usr/lib64/libijs-* m,
+
+  /usr/bin/hpijs Cx,
+  profile /usr/bin/hpijs flags=(complain) {
+    #include <abstractions/base>
+
+    network inet dgram,
+
+    /etc/cups/cupsd.conf r,
+    /etc/hp/hplip.conf r,
+    /usr/bin/hpijs mr,
+    /usr/share/ghostscript/** r,
+    /usr/share/hplip/** r,
+    /usr/share/snmp/mibs/ r,
+    /usr/share/snmp/mibs/*.txt r,
+    owner /var/spool/cups/tmp/gs_?????? rw,
+  }
+
+  /usr/bin/basename Cx,
+  profile /usr/bin/basename {
+    #include <abstractions/base>
+
+    /usr/bin/basename mr,
+  }
+
+  /usr/bin/dirname Cx,
+  profile /usr/bin/dirname {
+    #include <abstractions/base>
+    /usr/bin/dirname mr,
+  }
+}

apparmor_usr.bin.gs

@@ -1,19 +0,0 @@
-#include <tunables/global>
-
-# this profile is mainly intended to prevent easy exploitation of
-# issues in ghostscript. This is mainly intended as a hardening
-# measure and doesn't alleviate the need for regular updates
-profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
-  #include <abstractions/base>
-  #include <abstractions/consoles>
-  #include <abstractions/nameservice>
-  #include <abstractions/X>
-
-  # needed to read gc/write pdfs/eps/.. everywhere
-  /** wr,
-
-  /usr/lib64/ghostscript/** m,
-  /usr/lib64/libgs.so.* m,
-  /usr/lib64/libijs-* m,
-  /usr/bin/hpijs ix,
-}

ghostscript-mini.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Mar 14 08:03:24 UTC 2019 - jsegitz@suse.com
+
+- Added AA rules for dvips (bsc#1127934)
+- Allow execution of dirname (bsc#1128697)
+- Allow execution of hpijs (bsc#1128467). For now this is in 
+  complain mode
+- Sane profile name "ghostscript", moved profile from
+  /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript
+  (bsc#1128607)
+- Improved AA packaging (bsc#1128608)
+  Thanks to Christian Boltz for his help
+
+-------------------------------------------------------------------
+Fri Mar  8 10:49:18 UTC 2019 - Martin Wilck <mwilck@suse.com>
+
+- Fix IJS printing problem (bsc#1128467)
+  * added ijs_exec_server_dont_use_sh.patch
+  * allow exec'ing hpijs in apparmor profile
+
 -------------------------------------------------------------------
 Thu Feb  7 09:27:44 UTC 2019 - jsegitz@suse.com
 

ghostscript-mini.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
 
@@ -25,6 +25,11 @@ BuildRequires:  libtiff-devel
 BuildRequires:  libtool
 BuildRequires:  pkg-config
 BuildRequires:  zlib-devel
+%if 0%{?suse_version} >= 1500
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+Requires:       apparmor-abstractions
+%endif
 Summary:        Minimal Ghostscript for minimal build requirements
 License:        AGPL-3.0-only
 Group:          System/Libraries
@@ -71,7 +76,7 @@ Release:        0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
-Source1:        apparmor_usr.bin.gs
+Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -81,6 +86,7 @@ Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball:
 Patch100:       remove-zlib-h-dependency.patch
+Patch101:       ijs_exec_server_dont_use_sh.patch
 # RPM dependencies:
 Conflicts:      ghostscript
 Conflicts:      ghostscript-x11
@@ -146,6 +152,7 @@ This package contains the development files for Minimal Ghostscript.
 # and disable remove-zlib-h-dependency.patch because
 # Ghostscript 9.21 does no longer build this way:
 #patch100 -p1 -b remove-zlib-h-dependency.orig
+%patch101 -p1
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
@@ -312,9 +319,13 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
-install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
 
-%post -p /sbin/ldconfig
+%post
+/sbin/ldconfig
+%if 0%{?suse_version} >= 1500
+%apparmor_reload /etc/apparmor.d/ghostscript
+%endif
 
 %postun -p /sbin/ldconfig
 
@@ -392,8 +403,10 @@ install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 %{_libdir}/libgs.so.*
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
+%if 0%{?suse_version} < 1500
 %dir %{_sysconfdir}/apparmor.d
-%{_sysconfdir}/apparmor.d/*
+%endif
+%{_sysconfdir}/apparmor.d/ghostscript
 
 %files devel
 %defattr(-,root,root)

ghostscript.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Mar 14 08:03:24 UTC 2019 - jsegitz@suse.com
+
+- Added AA rules for dvips (bsc#1127934)
+- Allow execution of dirname (bsc#1128697)
+- Allow execution of hpijs (bsc#1128467). For now this is in 
+  complain mode
+- Sane profile name "ghostscript", moved profile from
+  /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript
+  (bsc#1128607)
+- Improved AA packaging (bsc#1128608)
+  Thanks to Christian Boltz for his help
+
 -------------------------------------------------------------------
 Fri Mar  8 10:49:18 UTC 2019 - Martin Wilck <mwilck@suse.com>
 

ghostscript.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
 
@@ -45,6 +45,11 @@ BuildRequires:  pkg-config
 BuildRequires:  xorg-x11-devel
 BuildRequires:  xorg-x11-fonts
 BuildRequires:  zlib-devel
+%if 0%{?suse_version} >= 1500
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+Requires:       apparmor-abstractions
+%endif
 Summary:        The Ghostscript interpreter for PostScript and PDF
 License:        AGPL-3.0-only
 Group:          System/Libraries
@@ -91,7 +96,7 @@ Release:        0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
-Source1:        apparmor_usr.bin.gs
+Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -450,9 +455,13 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
-install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/ghostscript
 
-%post -p /sbin/ldconfig
+%post
+/sbin/ldconfig
+%if 0%{?suse_version} >= 1500
+%apparmor_reload /etc/apparmor.d/ghostscript
+%endif
 
 %postun -p /sbin/ldconfig
 
@@ -531,8 +540,10 @@ install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
 %exclude %{_libdir}/ghostscript/%{built_version}/X11.so
+%if 0%{?suse_version} < 1500
 %dir %{_sysconfdir}/apparmor.d
-%{_sysconfdir}/apparmor.d/*
+%endif
+%{_sysconfdir}/apparmor.d/ghostscript
 
 %files x11
 %defattr(-,root,root)