Accepting request 673382 from home:jsegitz:branches:Printing
- Added apparmor_usr.bin.gs. This profile prevents execution of executables to serve as hardening for the binaries that process ghostscript. This is of limited use but prevents simple exploits. OBS-URL: https://build.opensuse.org/request/show/673382 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=104
This commit is contained in:
parent
ce1ba2ad82
commit
cb3aac83a7
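--- /dev/null
+++ b/apparmor_usr.bin.gs
@@ -0,0 +1,18 @@
+#include <tunables/global>
+
+# this profile is mainly intended to prevent easy exploitation of
+# issues in ghostscript. This is mainly intended as a hardening
+# measure and doesn't alleviate the need for regular updates
+profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
+#include <abstractions/base>
+#include <abstractions/consoles>
+#include <abstractions/nameservice>
+#include <abstractions/X>
+
+# needed to read gc/write pdfs/eps/.. everywhere
+/** wr,
+
+/usr/lib64/ghostscript/** m,
+/usr/lib64/libgs.so.* m,
+/usr/lib64/libijs-* m,
+}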
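Review bot: The three mmap rules at the end of the profile hard-code `/usr/lib64/`, while the spec hunks in this commit install the profile into %{_sysconfdir}/apparmor.d with no architecture guard visible, so on builds where %{_libdir} is /usr/lib the `m` rules never match and an enforced profile would deny gs mapping libgs and its driver modules. AppArmor brace alternation covers both layouts: `/usr/lib{,64}/ghostscript/** m,`, `/usr/lib{,64}/libgs.so.* m,`, `/usr/lib{,64}/libijs-* m,`. Two smaller points: `/** wr,` grants read and write on the entire filesystem, so the profile only restricts exec and mmap — consistent with the changelog's "limited use", but worth stating in the header comment so nobody later assumes it confines file access. Distribution profiles also conventionally end with `#include <local/usr.bin.gs>` so administrators can extend the rules without editing the packaged file.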
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package ghostscript-mini
|
||||
#
|
||||
# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -71,6 +71,7 @@ Release: 0
|
||||
# wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
|
||||
# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
|
||||
Source0: ghostscript-%{version}.tar.gz
|
||||
Source1: apparmor_usr.bin.gs
|
||||
# Patch0...Patch9 is for patches from upstream:
|
||||
Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
|
||||
# Source10...Source99 is for sources from SUSE which are intended for upstream:
|
||||
@ -311,6 +312,7 @@ done
|
||||
# Switch back to the usual build log messages:
|
||||
set -x
|
||||
install -m 644 catalog.devices $DOCDIR
|
||||
install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
||||
@ -390,6 +392,8 @@ install -m 644 catalog.devices $DOCDIR
|
||||
%{_libdir}/libgs.so.*
|
||||
%{_libdir}/ghostscript/
|
||||
%{_libdir}/libijs-0.35.so
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%{_sysconfdir}/apparmor.d/*
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root)
|
||||
|
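Review bot: The new profile is packaged in the %files hunk (@ -390) as `%{_sysconfdir}/apparmor.d/*` without `%config`, so an administrator's edits to /etc/apparmor.d/usr.bin.gs are overwritten on every package update; listing it explicitly as `%config %{_sysconfdir}/apparmor.d/usr.bin.gs` avoids that and also avoids a glob that would silently absorb any other file later dropped into that buildroot directory. Nothing in the hunks shown loads or reloads the profile after installation — `%post` still runs only ldconfig — so the confinement takes effect only after a reboot or a manual `apparmor_parser -r`; a reload step in %post, guarded by a check that the parser is present, would make the hardening effective immediately. The same two points apply to the matching hunks in ghostscript.spec (@ -447 and @ -527). Owning `%dir %{_sysconfdir}/apparmor.d` from the ghostscript packages is also worth a second look, since that directory presumably already belongs to the apparmor packaging.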
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 7 09:27:44 UTC 2019 - jsegitz@suse.com
|
||||
|
||||
- Added apparmor_usr.bin.gs. This profile prevents execution of
|
||||
executables to serve as hardening for the binaries that process
|
||||
ghostscript. This is of limited use but prevents simple exploits.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package ghostscript
|
||||
#
|
||||
# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -91,6 +91,7 @@ Release: 0
|
||||
# wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
|
||||
# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
|
||||
Source0: ghostscript-%{version}.tar.gz
|
||||
Source1: apparmor_usr.bin.gs
|
||||
# Patch0...Patch9 is for patches from upstream:
|
||||
Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
|
||||
# Source10...Source99 is for sources from SUSE which are intended for upstream:
|
||||
@ -216,7 +217,6 @@ For information how to use Ghostscript see
|
||||
|
||||
%package x11
|
||||
Summary: X11 library for Ghostscript
|
||||
Group: Productivity/Publishing/PS
|
||||
# Require the exact matching version-release of the ghostscript main-package because
|
||||
# a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
|
||||
# because all Ghostscript software is built from one same Ghostscript source tar ball
|
||||
@ -224,6 +224,7 @@ Group: Productivity/Publishing/PS
|
||||
# The exact matching version-release of the ghostscript main-package is available
|
||||
# on the same package repository where the ghostscript-x11 sub-package is because
|
||||
# all are built simulaneously from the same Ghostscript source package:
|
||||
Group: Productivity/Publishing/PS
|
||||
Requires: ghostscript = %{version}-%{release}
|
||||
# Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
|
||||
# an unversioned "Provides: ghostscript" and for RPM this means that both
|
||||
@ -447,6 +448,7 @@ done
|
||||
# Switch back to the usual build log messages:
|
||||
set -x
|
||||
install -m 644 catalog.devices $DOCDIR
|
||||
install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
||||
@ -527,6 +529,8 @@ install -m 644 catalog.devices $DOCDIR
|
||||
%{_libdir}/ghostscript/
|
||||
%{_libdir}/libijs-0.35.so
|
||||
%exclude %{_libdir}/ghostscript/%{built_version}/X11.so
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%{_sysconfdir}/apparmor.d/*
|
||||
|
||||
%files x11
|
||||
%defattr(-,root,root)
|
||||
|