Bug #9533
Tighten Evince AppArmor policy
% Done: 20%
Description
The AppArmor policy we currently apply to Evince and Totem allows them to read and write any file anywhere in /home/amnesia, regardless of the extension, except that a blacklist protects a set of important private files, such as GnuPG keyrings. And of course the blacklist is, and will always be, incomplete.
Subtasks
Related issues
Related to Tails - | Resolved | 2016-07-19
History
#1 Updated by intrigeri 2015-06-04 16:02:58
- Status changed from Confirmed to In Progress
- Type of work changed from Code to User interface design
Sent an initial proposal for review to -ux@.
#2 Updated by intrigeri 2015-06-04 16:03:15
- related to Feature #8007: Self-audit our AppArmor profiles added
#3 Updated by intrigeri 2015-06-04 16:05:52
- related to deleted (Feature #8007: Self-audit our AppArmor profiles)
#4 Updated by intrigeri 2015-06-04 16:06:12
- Parent task set to Bug #9534
#5 Updated by intrigeri 2015-06-06 13:40:37
- % Done changed from 0 to 10
#6 Updated by intrigeri 2015-06-10 09:02:47
- % Done changed from 10 to 20
Agreement was reached on -ux@ regarding the general idea and most of the proposed whitelist, added to the blueprint. Some details are left to be fine-tuned though.
#7 Updated by intrigeri 2015-07-18 08:00:57
- Target version changed from Tails_1.5 to Tails_1.7
#8 Updated by intrigeri 2015-08-08 02:46:18
- Feature Branch deleted (bugfix/8007-AppArmor-hardening)
#9 Updated by intrigeri 2015-10-05 13:23:05
- Target version changed from Tails_1.7 to 246
#10 Updated by sajolida 2015-11-27 04:47:24
- Target version changed from 246 to Tails_2.0
#11 Updated by intrigeri 2015-11-30 02:47:15
- Target version changed from Tails_2.0 to Tails_2.2
#12 Updated by intrigeri 2016-02-05 20:52:04
- Target version changed from Tails_2.2 to Tails_2.4
#13 Updated by intrigeri 2016-04-29 14:26:32
- Target version changed from Tails_2.4 to Tails_2.6
#14 Updated by intrigeri 2016-08-31 06:07:39
- Target version changed from Tails_2.6 to Tails_2.7
#15 Updated by intrigeri 2016-11-05 13:59:41
- Target version changed from Tails_2.7 to 284
#16 Updated by anonym 2016-11-25 10:57:19
- Target version changed from 284 to Tails 2.10
#17 Updated by intrigeri 2016-12-18 12:41:44
- Target version changed from Tails 2.10 to Tails_2.12
(I had to take over a bunch of more urgent sysadmin tasks so I’ll postpone this one.)
#18 Updated by intrigeri 2017-01-09 19:27:30
- related to Bug #11578: Totem AppArmor profile allows opening OTR private key added
#19 Updated by intrigeri 2017-01-16 10:23:46
As part of this ticket, we should address the bits of Bug #12143#note-4 that are about Totem.
#20 Updated by intrigeri 2017-03-08 15:19:03
- Target version changed from Tails_2.12 to Tails_3.2
#21 Updated by intrigeri 2017-06-05 14:04:28
- Target version deleted (Tails_3.2)
#22 Updated by intrigeri 2017-09-11 12:39:30
- Type of work changed from User interface design to Code
Since apparmor-profiles-extra 1.12, access to ~/.* is forbidden for Totem. We should do the same for Evince instead of spending time on the fine-grained list of directories this ticket was originally about: it’ll be easier to implement and maintain, can be shared as-is between all distros (while my original plan was Tails-specific), and not much less safe.
Rationale: I want to stop investing too much time into confining GUI apps more strictly with AppArmor, because it only protects against non-sophisticated attackers (as long as access to a11y and input methods can’t be filtered precisely, escaping the sandbox is easy, even assuming X.Org → Wayland). The long-term solution is Flatpak-like confinement (bubblewrap + Portals), that will improve both UX and security. So until these new technologies are mature enough for us to switch, I’ll focus on low-hanging fruits only on the AppArmor side for GUI apps.
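As an added illustration of the two approaches contrasted in the description and in note #22 (a constructed fragment in AppArmor profile syntax, not a profile shipped by Tails or apparmor-profiles-extra; the binary path, the included abstraction and the permission letters are assumptions):

```apparmor
# Constructed example, not a profile shipped by Tails or apparmor-profiles-extra.
# Binary path, abstraction and permission letters are assumptions for the example.
#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/base>

  # The broad rule the ticket describes: any file under the user's home,
  # whatever its extension, is readable and writable.
  owner @{HOME}/** rw,

  # Status quo: a blacklist of known-sensitive paths. AppArmor evaluates deny
  # rules before allow rules, so this does block the keyring, but every path
  # not enumerated here (other keyrings, chat logs, shell history, ...) stays
  # exposed, which is why the ticket calls the list "always incomplete".
  deny @{HOME}/.gnupg/** mrwkl,

  # Note #22's alternative: refuse every hidden file and directory under
  # @{HOME}, covering configuration, keyrings and caches without listing
  # them. '*' never matches '/', so three rules are needed: hidden files in
  # the home directory itself, hidden directories, and everything beneath them.
  deny @{HOME}/.* mrwkl,
  deny @{HOME}/.*/ rw,
  deny @{HOME}/.*/** mrwkl,

  # Not covered by either approach: sensitive data kept in a non-hidden
  # location (an exported key saved under ~/Documents, say) is still reachable.
}
```

A blocked access is logged by the kernel as an `apparmor="DENIED"` audit line naming the profile and the path, which is how to confirm that a rule matches the path you expect before shipping it.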
#23 Updated by intrigeri 2018-08-18 09:17:51
- Subject changed from Tighten Evince and Totem AppArmor policy to Tighten Evince AppArmor policy
#24 Updated by intrigeri 2019-03-07 15:45:17
- Status changed from In Progress to Rejected
- Assignee deleted (intrigeri)
One year later: I’ll happily review such work upstream but I don’t think that’s where I should spend my Tails time. As said above I’ll focus on evaluating how we could use other sandboxing solutions instead.