pool/ghostscript
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 732862 from Printing

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/732862
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=43
This commit is contained in:
Dominique Leuenberger 2019-09-30 13:50:54 +00:00 committed by Git OBS Bridge
commit ba9a26036c
2 changed files with 9 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
apparmor_ghostscript
View File

@ -3,9 +3,7 @@
# this profile is mainly intended to prevent easy exploitation of
# issues in ghostscript. This is mainly intended as a hardening
# measure and doesn't alleviate the need for regular updates.
# Currently this profile is in complain mode since it caused regressions
# for tumbleweed users
profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} flags=(complain) {
profile ghostscript /usr/bin/{gs,gs.bin} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
@ -13,7 +11,8 @@ profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd
# needed to read gc/write pdfs/eps/.. everywhere
/** wr,
/usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} mrix,
# have these spelled out in case we can narrow the line above down sometime
/usr/bin/{gs,gs.bin} mrix,
/usr/bin/dvips mrix,
/usr/lib64/ghostscript/** m,
/usr/lib64/libgs.so.* m,
@ -34,28 +33,4 @@ profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd
/usr/share/snmp/mibs/*.txt r,
owner /var/spool/cups/tmp/gs_?????? rw,
}
/usr/bin/basename Cx,
profile /usr/bin/basename {
#include <abstractions/base>
/usr/bin/basename mr,
}
/usr/bin/dirname Cx,
profile /usr/bin/dirname {
#include <abstractions/base>
/usr/bin/dirname mr,
}
# for gsbj
/usr/bin/date mrix,
# for ps2epsi
/usr/bin/{gawk,cat,ls,sed,which} mrix,
/usr/bin/{mktemp,rm} Cx -> tempdir,
profile tempdir {
#include <abstractions/base>
/usr/bin/{mktemp,rm} mr,
owner /tmp/ps2epsi.* rw,
}
}

6
ghostscript.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Sep 23 08:24:49 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
- Made ghostscript profile enforcing and limit it to the ghostscript
binaries (bsc#1150338)
-------------------------------------------------------------------
Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>