Accepting request 673382 from home:jsegitz:branches:Printing

- Added apparmor_usr.bin.gs. This profile prevents execution of executables to serve as hardening for the binaries that process ghostscript. This is of limited use but prevents simple exploits. OBS-URL: https://build.opensuse.org/request/show/673382 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=104
2019-02-12 10:26:47 +00:00 · 2019-02-12 10:26:47 +00:00 · cb3aac83a7
commit cb3aac83a7
parent ce1ba2ad82
4 changed files with 36 additions and 3 deletions
--- a/apparmor_usr.bin.gs
+++ b/apparmor_usr.bin.gs
@ -0,0 +1,18 @@
+#include <tunables/global>
+
+# this profile is mainly intended to prevent easy exploitation of
+# issues in ghostscript. This is mainly intended as a hardening
+# measure and doesn't alleviate the need for regular updates
+profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+  #include <abstractions/X>
+
+  # needed to read gc/write pdfs/eps/.. everywhere
+  /** wr,
+
+  /usr/lib64/ghostscript/** m,
+  /usr/lib64/libgs.so.* m,
+  /usr/lib64/libijs-* m,
+}
--- a/ghostscript-mini.spec
+++ b/ghostscript-mini.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -71,6 +71,7 @@ Release:        0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
+Source1:        apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@ -311,6 +312,7 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs

 %post -p /sbin/ldconfig

@ -390,6 +392,8 @@ install -m 644 catalog.devices $DOCDIR
 %{_libdir}/libgs.so.*
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*

 %files devel
 %defattr(-,root,root)
--- a/ghostscript.changes
+++ b/ghostscript.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb  7 09:27:44 UTC 2019 - jsegitz@suse.com
+
+- Added apparmor_usr.bin.gs. This profile prevents execution of 
+  executables to serve as hardening for the binaries that process
+  ghostscript. This is of limited use but prevents simple exploits.
+
 -------------------------------------------------------------------
 Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de

--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -91,6 +91,7 @@ Release:        0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
+Source1:        apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@ -216,7 +217,6 @@ For information how to use Ghostscript see

 %package x11
 Summary:        X11 library for Ghostscript
-Group:          Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
@ -224,6 +224,7 @@ Group:          Productivity/Publishing/PS
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
+Group:          Productivity/Publishing/PS
 Requires:       ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
@ -447,6 +448,7 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs

 %post -p /sbin/ldconfig

@ -527,6 +529,8 @@ install -m 644 catalog.devices $DOCDIR
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
 %exclude %{_libdir}/ghostscript/%{built_version}/X11.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*

 %files x11
 %defattr(-,root,root)