Bug #9533

Tighten Evince AppArmor policy

Added by intrigeri 2015-06-04 16:01:07. Updated 2019-03-07 15:45:17.

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2015-06-04
Due date:
% Done:
20%

Feature Branch:
Type of work:
Code
Starter:
Affected tool:
Deliverable for:

Description

The AppArmor policy we currently apply to Evince and Totem allows them to read and write any file anywhere in /home/amnesia, regardless of the extension, except that a blacklist protects a set of important private files, such as GnuPG keyrings. And of course the blacklist is, and will always be, incomplete.


Subtasks


Related issues

Related to Tails - Bug #11578: Totem AppArmor profile allows opening OTR private key Resolved 2016-07-19

History

#1 Updated by intrigeri 2015-06-04 16:02:58

  • Status changed from Confirmed to In Progress
  • Type of work changed from Code to User interface design

Sent an initial proposal for review to -ux@.

#2 Updated by intrigeri 2015-06-04 16:03:15

  • related to Feature #8007: Self-audit our AppArmor profiles added

#3 Updated by intrigeri 2015-06-04 16:05:52

  • related to deleted (Feature #8007: Self-audit our AppArmor profiles)

#4 Updated by intrigeri 2015-06-04 16:06:12

#5 Updated by intrigeri 2015-06-06 13:40:37

  • % Done changed from 0 to 10

#6 Updated by intrigeri 2015-06-10 09:02:47

  • % Done changed from 10 to 20

Agreement was reached on -ux@ regarding the general idea and most of the proposed whitelist, added to the blueprint. Some details are left to be fine-tuned though.

#7 Updated by intrigeri 2015-07-18 08:00:57

  • Target version changed from Tails_1.5 to Tails_1.7

#8 Updated by intrigeri 2015-08-08 02:46:18

  • Feature Branch deleted (bugfix/8007-AppArmor-hardening)

#9 Updated by intrigeri 2015-10-05 13:23:05

  • Target version changed from Tails_1.7 to 246

#10 Updated by sajolida 2015-11-27 04:47:24

  • Target version changed from 246 to Tails_2.0

#11 Updated by intrigeri 2015-11-30 02:47:15

  • Target version changed from Tails_2.0 to Tails_2.2

#12 Updated by intrigeri 2016-02-05 20:52:04

  • Target version changed from Tails_2.2 to Tails_2.4

#13 Updated by intrigeri 2016-04-29 14:26:32

  • Target version changed from Tails_2.4 to Tails_2.6

#14 Updated by intrigeri 2016-08-31 06:07:39

  • Target version changed from Tails_2.6 to Tails_2.7

#15 Updated by intrigeri 2016-11-05 13:59:41

  • Target version changed from Tails_2.7 to 284

#16 Updated by anonym 2016-11-25 10:57:19

  • Target version changed from 284 to Tails 2.10

#17 Updated by intrigeri 2016-12-18 12:41:44

  • Target version changed from Tails 2.10 to Tails_2.12

(I had to take over a bunch of more urgent sysadmin tasks so I’ll postpone this one.)

#18 Updated by intrigeri 2017-01-09 19:27:30

  • related to Bug #11578: Totem AppArmor profile allows opening OTR private key added

#19 Updated by intrigeri 2017-01-16 10:23:46

As part of this ticket, we should address the bits of Bug #12143#note-4 that are about Totem.

#20 Updated by intrigeri 2017-03-08 15:19:03

  • Target version changed from Tails_2.12 to Tails_3.2

#21 Updated by intrigeri 2017-06-05 14:04:28

  • Target version deleted (Tails_3.2)

#22 Updated by intrigeri 2017-09-11 12:39:30

  • Type of work changed from User interface design to Code

Since apparmor-profiles-extra 1.12, access to ~/.* is forbidden for Totem. We should do the same for Evince instead of spending time on the fine-grained list of directories this ticket was originally about: it’ll be easier to implement and maintain, can be shared as-is between all distros (while my original plan was Tails-specific), and not much less safe.

Rationale: I want to stop investing too much time into confining GUI apps more strictly with AppArmor, because it only protects against non-sophisticated attackers (as long as access to a11y and input methods can’t be filtered precisely, escaping the sandbox is easy, even assuming X.Org → Wayland). The long-term solution is Flatpak-like confinement (bubblewrap + Portals), that will improve both UX and security. So until these new technologies are mature enough for us to switch, I’ll focus on low-hanging fruits only on the AppArmor side for GUI apps.
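To make the contrast between the two approaches concrete (the blacklist described in the ticket description versus the "deny ~/.*" rule this comment proposes), here is an added illustration that is not code from Tails or from apparmor-profiles-extra. It is a small Python model of how AppArmor path rules are resolved: `**` matches across `/`, `*` and `?` do not, and an explicit `deny` rule overrides any matching `allow`. The two rule sets, the `@{HOME}` expansion to `/home/amnesia`, and the sample paths (including an OTR private key, the case from Bug #11578) are constructed for this example; the exact rules shipped upstream may be written differently.

```python
import re

# Constructed assumption: @{HOME} expands to the default Tails user's home.
HOME = "/home/amnesia"


def apparmor_glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex.

    Modelled semantics: '**' matches any characters including '/',
    '*' matches any characters except '/', '?' matches one non-'/' character.
    Brace alternation and character classes are not modelled (simplification).
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def decide(rules, path):
    """Return True if `path` is accessible under `rules`.

    rules: list of (kind, glob) with kind 'allow' or 'deny'.
    As in AppArmor, an explicit deny overrides every allow that also matches.
    """
    allowed = False
    for kind, glob in rules:
        glob = glob.replace("@{HOME}", HOME)
        if apparmor_glob_to_regex(glob).match(path):
            if kind == "deny":
                return False
            allowed = True
    return allowed


# Policy A (illustrative): read/write the whole home, minus a blacklist of
# known-sensitive directories. Anything not listed stays reachable.
BLACKLIST_POLICY = [
    ("allow", "@{HOME}/**"),
    ("deny", "@{HOME}/.gnupg/**"),
    ("deny", "@{HOME}/.ssh/**"),
]

# Policy B (illustrative): same broad allow, but every hidden entry in
# $HOME and everything beneath a hidden directory is denied.
DENY_DOTFILES_POLICY = [
    ("allow", "@{HOME}/**"),
    ("deny", "@{HOME}/.*"),     # hidden files/dirs directly under $HOME
    ("deny", "@{HOME}/.*/**"),  # whole trees below a hidden directory
]

# Constructed sample paths; the OTR key mirrors the Bug #11578 scenario.
SAMPLE_PATHS = [
    "/home/amnesia/Documents/report.pdf",
    "/home/amnesia/.gnupg/secring.gpg",
    "/home/amnesia/.purple/otr.private_key",
    "/home/amnesia/.bashrc",
]


def compare(paths=SAMPLE_PATHS):
    """Map each path to (accessible under A, accessible under B)."""
    return {p: (decide(BLACKLIST_POLICY, p), decide(DENY_DOTFILES_POLICY, p))
            for p in paths}


if __name__ == "__main__":
    for p, (a, b) in compare().items():
        fmt = lambda ok: "allow" if ok else "deny"
        print(f"{p:42} blacklist={fmt(a):5}  deny-dotfiles={fmt(b)}")
```

Running it shows the gap the ticket is about: under the blacklist, the OTR private key and `.bashrc` remain readable because nobody listed them, while the deny-dotfiles rule closes the whole class at once and still leaves ordinary documents accessible.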

#23 Updated by intrigeri 2018-08-18 09:17:51

  • Subject changed from Tighten Evince and Totem AppArmor policy to Tighten Evince AppArmor policy

#24 Updated by intrigeri 2019-03-07 15:45:17

  • Status changed from In Progress to Rejected
  • Assignee deleted (intrigeri)

One year later: I’ll happily review such work upstream but I don’t think that’s where I should spend my Tails time. As said above I’ll focus on evaluating how we could use other sandboxing solutions instead.