2a57413541
- Added AA rules for dvips (bsc#1127934) - Allow execution of dirname (bsc#1128697) - Allow execution of hpijs (bsc#1128467). For now this is in complain mode - Sane profile name "ghostscript", moved profile from /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript (bsc#1128607) - Improved AA packaging (bsc#1128608) Thanks to Christian Boltz for his help - Fix IJS printing problem (bsc#1128467) * added ijs_exec_server_dont_use_sh.patch * allow exec'ing hpijs in apparmor profile - Added AA rules for dvips (bsc#1127934) - Allow execution of dirname (bsc#1128697) - Allow execution of hpijs (bsc#1128467). For now this is in complain mode - Sane profile name "ghostscript", moved profile from /etc/apparmor.d/usr.bin.gs to /etc/apparmor.d/ghostscript (bsc#1128607) - Improved AA packaging (bsc#1128608) Thanks to Christian Boltz for his help OBS-URL: https://build.opensuse.org/request/show/686126 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=109
49 lines
1.4 KiB
Plaintext
49 lines
1.4 KiB
Plaintext
#include <tunables/global>
|
|
|
|
# this profile is mainly intended to prevent easy exploitation of
|
|
# issues in ghostscript. This is mainly intended as a hardening
|
|
# measure and doesn't alleviate the need for regular updates
|
|
profile ghostscript /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
|
|
#include <abstractions/base>
|
|
#include <abstractions/consoles>
|
|
#include <abstractions/nameservice>
|
|
#include <abstractions/X>
|
|
|
|
# needed to read gc/write pdfs/eps/.. everywhere
|
|
/** wr,
|
|
/usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} mrix,
|
|
/usr/bin/dvips mrix,
|
|
/usr/lib64/ghostscript/** m,
|
|
/usr/lib64/libgs.so.* m,
|
|
/usr/lib64/libijs-* m,
|
|
|
|
/usr/bin/hpijs Cx,
|
|
profile /usr/bin/hpijs flags=(complain) {
|
|
#include <abstractions/base>
|
|
|
|
network inet dgram,
|
|
|
|
/etc/cups/cupsd.conf r,
|
|
/etc/hp/hplip.conf r,
|
|
/usr/bin/hpijs mr,
|
|
/usr/share/ghostscript/** r,
|
|
/usr/share/hplip/** r,
|
|
/usr/share/snmp/mibs/ r,
|
|
/usr/share/snmp/mibs/*.txt r,
|
|
owner /var/spool/cups/tmp/gs_?????? rw,
|
|
}
|
|
|
|
/usr/bin/basename Cx,
|
|
profile /usr/bin/basename {
|
|
#include <abstractions/base>
|
|
|
|
/usr/bin/basename mr,
|
|
}
|
|
|
|
/usr/bin/dirname Cx,
|
|
profile /usr/bin/dirname {
|
|
#include <abstractions/base>
|
|
/usr/bin/dirname mr,
|
|
}
|
|
}
|