From cb3aac83a7358f158f4c2a3bb0dede058ef4a67109d4eaef09e277cbd20407e5 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Tue, 12 Feb 2019 10:26:47 +0000 Subject: [PATCH] Accepting request 673382 from home:jsegitz:branches:Printing - Added apparmor_usr.bin.gs. This profile prevents execution of executables to serve as hardening for the binaries that process ghostscript. This is of limited use but prevents simple exploits. OBS-URL: https://build.opensuse.org/request/show/673382 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=104 --- apparmor_usr.bin.gs | 18 ++++++++++++++++++ ghostscript-mini.spec | 6 +++++- ghostscript.changes | 7 +++++++ ghostscript.spec | 8 ++++++-- 4 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 apparmor_usr.bin.gs
diff --git a/apparmor_usr.bin.gs b/apparmor_usr.bin.gs
new file mode 100644
index 0000000..2893f05
--- /dev/null
+++ b/apparmor_usr.bin.gs
@@ -0,0 +1,18 @@
+#include
+
+# this profile is mainly intended to prevent easy exploitation of
+# issues in ghostscript. This is mainly intended as a hardening
+# measure and doesn't alleviate the need for regular updates
+profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
+ #include
+ #include
+ #include
+ #include
+
+ # needed to read gc/write pdfs/eps/.. everywhere
+ /** wr,
+
+ /usr/lib64/ghostscript/** m,
+ /usr/lib64/libgs.so.* m,
+ /usr/lib64/libijs-* m,
+}
diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec
index c11dfcc..6455aec 100644
--- a/ghostscript-mini.spec
+++ b/ghostscript-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
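Review bot: The `/** wr,` rule in the new profile grants read and write access to every path on the system, so the hardening reduces to the implicit denial of exec (no `ix`/`px`/`Ux` rule is present) and a compromised gs process could still overwrite any file the invoking user can write. Consider narrowing it, e.g. `/** r,` plus `w` only where output is actually written, or at least explicit `deny` rules for sensitive locations such as `/etc/**` and the user's shell startup files. The library rules are hard-coded to `/usr/lib64/`, which will deny `m` on 32-bit and other non-lib64 layouts; `/usr/lib{,64}/ghostscript/** m,` (and likewise for the two lines below it) would cover both. Several of the attached names (dvipdf, ps2pdf, eps2eps, …) are shell wrappers that invoke gs, and with no exec rule in the profile their inner exec of gs would presumably be denied, so they should be run under the enforced profile before this ships. The `#include` targets are not visible in this rendering of the patch, so which abstractions and tunables are pulled in cannot be checked here.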
@@ -71,6 +71,7 @@ Release: 0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0: ghostscript-%{version}.tar.gz
+Source1: apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -311,6 +312,7 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 
 %post -p /sbin/ldconfig
 
@@ -390,6 +392,8 @@ install -m 644 catalog.devices $DOCDIR
 %{_libdir}/libgs.so.*
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*
 
 %files devel
 %defattr(-,root,root)
diff --git a/ghostscript.changes b/ghostscript.changes
index cb4d1c2..2b85e81 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb 7 09:27:44 UTC 2019 - jsegitz@suse.com
+
+- Added apparmor_usr.bin.gs. This profile prevents execution of
+ executables to serve as hardening for the binaries that process
+ ghostscript. This is of limited use but prevents simple exploits.
+
 -------------------------------------------------------------------
 Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
 
diff --git a/ghostscript.spec b/ghostscript.spec
index c66b670..a59c2af 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
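Review bot: The `%files` hunk of ghostscript-mini.spec (@@ -390) packages the profile as `%{_sysconfdir}/apparmor.d/*` without `%config`, so a local administrator's edits to the profile are silently overwritten on every update; `%config %{_sysconfdir}/apparmor.d/usr.bin.gs`, naming the file rather than a glob, would preserve them and avoids claiming any other file that later lands in that directory. Nothing in the spec loads or reloads the profile after installation, so on an upgrade the kernel keeps enforcing the previously loaded version until reboot; a `%post` step that reloads it (e.g. `apparmor_parser -r` on the installed file, when the parser is present) is the usual fix. The spec also adds no `Requires` for the AppArmor parser or the abstractions the profile's `#include` lines reference, so the profile may fail to load on a system without them, though the include targets are not visible in this rendering. The same points apply to the corresponding hunks of ghostscript.spec (@@ -447 and @@ -527).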
@@ -91,6 +91,7 @@ Release: 0
 # wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0: ghostscript-%{version}.tar.gz
+Source1: apparmor_usr.bin.gs
 # Patch0...Patch9 is for patches from upstream:
 Patch0: ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
@@ -216,7 +217,6 @@ For information how to use Ghostscript see
 
 %package x11
 Summary: X11 library for Ghostscript
-Group: Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
@@ -224,6 +224,7 @@ Group: Productivity/Publishing/PS
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
+Group: Productivity/Publishing/PS
 Requires: ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
@@ -447,6 +448,7 @@ done
 # Switch back to the usual build log messages:
 set -x
 install -m 644 catalog.devices $DOCDIR
+install -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.gs
 
 %post -p /sbin/ldconfig
 
@@ -527,6 +529,8 @@ install -m 644 catalog.devices $DOCDIR
 %{_libdir}/ghostscript/
 %{_libdir}/libijs-0.35.so
 %exclude %{_libdir}/ghostscript/%{built_version}/X11.so
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/*
 
 %files x11
 %defattr(-,root,root)
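Review bot: In the @@ -224 hunk `Group:` is re-inserted directly beneath the comment paragraph that explains why `Requires:` pins the exact main-package version, so the comment now reads as if it documented `Group:`. Either keep `Group:` next to `Summary:` as before, which makes the @@ -216 removal unnecessary, or place it on the line after `Requires: ghostscript = %{version}-%{release}` so the comment stays attached to the line it describes.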