Source: totem Version: 3.0.1-8 Severity: wishlist Tags: patch User: appar...@packages.debian.org Usertags: new-profile thanks
Please include an AppArmor profile for totem. Since it handles untrusted data, and has been affected by a number of potential security issues in past years relating to its handling of those, totem seems like an ideal candidate for confining: https://wiki.debian.org/AppArmor I have been testing totem for a few months, on a Debian sid system, with the attached AppArmor profile (FWIW, this profile is mostly the one that can be found in http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/, with a few missing rules added). I have not run into a single problem with it. During that time, I have also been running Totem from experimental for a while, so I believe newer versions are covered too. Attached is a patch that adds this AppArmor support to totem. Please consider applying it. Note that enforcing AppArmor profiles is currently opt-in: applying the attached does not change anything for users unless they enable AppArmor system-wide themselves. Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
diff -Naur totem-3.0.1.orig/debian/apparmor-profile totem-3.0.1/debian/apparmor-profile
--- totem-3.0.1.orig/debian/apparmor-profile 1970-01-01 01:00:00.000000000 +0100
+++ totem-3.0.1/debian/apparmor-profile 2012-06-10 01:56:38.993020802 +0200
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <ja...@canonical.com>
+
+#include <tunables/global>
+
+/usr/bin/totem {
+ #include <abstractions/audio>
+ #include <abstractions/python>
+ #include <abstractions/totem>
+
+ # Maybe in an abstraction?
+ /usr/include/**/pyconfig.h r,
+
+ /usr/bin/totem r,
+
+ # Allow read and write on anything in @{HOME}. Lenient, but
+ # private-files-strict is in effect.
+ #include <abstractions/private-files-strict>
+ owner @{HOME}/** rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.totem>
+}
diff -Naur totem-3.0.1.orig/debian/apparmor-profile.abstraction totem-3.0.1/debian/apparmor-profile.abstraction
--- totem-3.0.1.orig/debian/apparmor-profile.abstraction 1970-01-01 01:00:00.000000000 +0100
+++ totem-3.0.1/debian/apparmor-profile.abstraction 2012-06-10 01:25:29.866303357 +0200
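Review bot: `owner @{HOME}/** rw,` at the end of the `/usr/bin/totem` block gives the confined process write access to everything it owns under the home directory, which presumably includes the directory totem loads user-installed Python plugins from (that path is not on this page; confirm against the plugin loader). Together with `#include <abstractions/python>` that lets code running inside the profile modify code the same profile will later execute, which weakens the confinement the profile is meant to provide. Unless `abstractions/private-files-strict` already covers that directory, consider an explicit `deny owner @{HOME}/<totem-plugin-dir>/** w,` next to the rule, or at least extend the `# Allow read and write on anything in @{HOME}.` comment to record that the write grant is a deliberate trade-off. The `# Maybe in an abstraction?` comment above `/usr/include/**/pyconfig.h r,` reads as an open question; replacing it with a sentence saying which component reads that file would make the rule easier to maintain.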
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <ja...@canonical.com>
+
+# Description: Limit executable access and reasonable read access. A look at
+# the gconf schema files for totem-video-thumbnailer reveals at least the
+# following files:
+# 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac,
+# flc, fli, flic, flv, google-video-pointer, gpp, gsm, m4a, m4v, matroska,
+# midi, mod, mp3, mp4, mp4es, mpeg, mpt2, msvideo, ms-wm, musepack,mxf,
+# netshow, nsv, off, ogm, pict, pn-realaudio, prs.sid, quicktime, ram,
+# realpix, rn, sbc, sdp, shorten, speex, theora, totem-stream, tta, ultravox,
+# vivo, vorbis, wav, wavpack, wax, webm, wma, wmv, wmx, wpl, wvx, x-anim,
+# x-it, xm
+#
+# While ideally we would narrow down our read access to the above, this is
+# a maintenance problem and doesn't work for files without extensions.
+
+ #include <abstractions/gnome>
+ #include <abstractions/nameservice>
+
+ /var/lib/dbus/machine-id r,
+
+ # Allow read on all directories
+ /**/ r,
+
+ # Allow read on removable media and files in /usr/share and /usr/local/share
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ owner /tmp/orcexec.* m,
+
+ /etc/pkcs11/modules/gnome-keyring-module r,
+ /usr/lib/*/pkcs11/gnome-keyring-pkcs11.so mr,
+
+ owner @{HOME}/.grl-bookmarks k,
+ owner @{HOME}/.grl-metadata-store k,
+ owner @{HOME}/.grl-podcasts k,
+ owner @{HOME}/.cache/tracker/meta.db k,
+ owner @{HOME}/.cache/tracker/meta.db-shm k,
+
+ /etc/wildmidi/wildmidi.cfg r,
+
+ /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+ /usr/lib/@{multiarch}/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
diff -Naur totem-3.0.1.orig/debian/apparmor-profile.previewers totem-3.0.1/debian/apparmor-profile.previewers
--- totem-3.0.1.orig/debian/apparmor-profile.previewers 1970-01-01 01:00:00.000000000 +0100
+++ totem-3.0.1/debian/apparmor-profile.previewers 2012-06-10 01:57:09.989396799 +0200
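Review bot: `/**/ r,` under `# Allow read on all directories` grants directory listing across the entire filesystem, including other users' home directories and `/proc/*/`, which is broader than a media player's file chooser needs and hands anything that gains control of the process a filesystem-enumeration capability. Because this file is an abstraction, every profile that includes it inherits the grant — in this patch that is `/usr/bin/totem` and both previewer profiles. If testing shows the chooser only needs a handful of trees, narrow the rule to those (the `/{media,mnt,opt,srv}/** r,` line a few lines down already uses that form); otherwise extend the comment to say which caller requires a global listing grant so the decision stays traceable.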
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <ja...@canonical.com>
+
+#include <tunables/global>
+
+/usr/bin/totem-video-thumbnailer {
+ #include <abstractions/totem>
+
+ # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # effect.
+ #include <abstractions/private-files-strict>
+ owner @{HOME}/** r,
+
+ # Not needed by nautilus, but maybe other applications
+ owner /**.[pP][nN][gG] w,
+ owner /**.[jJ][pP]{,[eE]}[gG] w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.totem-previewers>
+}
+
+/usr/bin/totem-audio-preview {
+ #include <abstractions/totem>
+ #include <abstractions/audio>
+
+ # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # effect.
+ #include <abstractions/private-files-strict>
+ owner @{HOME}/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.totem-previewers>
+}
diff -Naur totem-3.0.1.orig/debian/control totem-3.0.1/debian/control
--- totem-3.0.1.orig/debian/control 2012-03-14 19:03:19.000000000 +0100
+++ totem-3.0.1/debian/control 2012-06-10 01:57:48.985869808 +0200
@@ -10,6 +10,7 @@
 Uploaders: Josselin Mouette <j...@debian.org>, Michael Biebl <bi...@debian.org>
 Build-Depends: debhelper (>= 8),
 cdbs (>= 0.4.90),
+ dh-apparmor,
 dh-autoreconf,
 python (>= 2.6.6-3~),
 python-gi-dev (>= 2.90.3),
diff -Naur totem-3.0.1.orig/debian/control.in totem-3.0.1/debian/control.in
--- totem-3.0.1.orig/debian/control.in 2012-03-14 18:33:27.000000000 +0100
+++ totem-3.0.1/debian/control.in 2012-06-10 01:45:20.556784925 +0200
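Review bot: `owner /**.[pP][nN][gG] w,` and `owner /**.[jJ][pP]{,[eE]}[gG] w,` in the `/usr/bin/totem-video-thumbnailer` block let the thumbnailer overwrite any user-owned PNG or JPEG anywhere on the filesystem, and the comment `# Not needed by nautilus, but maybe other applications` admits the grant is speculative. The thumbnailer is exactly the component that parses untrusted media, and these are the only write permissions in the profile (`@{HOME}` is read-only here), so a rule this wide gives up much of what confining it buys. Restrict the rule to the output paths the known callers pass (presumably the user's thumbnail cache directory — confirm against the callers) and name those callers in the comment, so a later reviewer can tell whether the rule is still needed.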
@@ -5,6 +5,7 @@
 Uploaders: @GNOME_TEAM@
 Build-Depends: debhelper (>= 8),
 cdbs (>= 0.4.90),
+ dh-apparmor,
 dh-autoreconf,
 python (>= 2.6.6-3~),
 python-gi-dev (>= 2.90.3),
diff -Naur totem-3.0.1.orig/debian/rules totem-3.0.1/debian/rules
--- totem-3.0.1.orig/debian/rules 2011-12-14 19:14:04.000000000 +0100
+++ totem-3.0.1/debian/rules 2012-06-10 01:29:26.853184434 +0200
@@ -28,6 +28,12 @@ binary-install/totem:: dh_python2 -ptotem /usr/lib/totem/totem +binary-install/totem-common:: + cp debian/apparmor-profile.abstraction debian/totem-common/etc/apparmor.d/abstractions/totem + cp debian/apparmor-profile debian/totem-common/etc/apparmor.d/usr.bin.totem + cp debian/apparmor-profile.previewers debian/totem-common/etc/apparmor.d/usr.bin.totem-previewers + dh_apparmor --profile-name=usr.bin.totem -ptotem-common + dh_apparmor --profile-name=usr.bin.totem-previewers -ptotem-common binary-install/totem-plugins:: dh_python2 -ptotem-plugins /usr/lib/totem/plugins
diff -Naur totem-3.0.1.orig/debian/totem-common.dirs totem-3.0.1/debian/totem-common.dirs
--- totem-3.0.1.orig/debian/totem-common.dirs 1970-01-01 01:00:00.000000000 +0100
+++ totem-3.0.1/debian/totem-common.dirs 2012-06-10 01:29:59.533582452 +0200
@@ -0,0 +1 @@
+etc/apparmor.d/abstractions
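Review bot: The three `cp` lines in the new `binary-install/totem-common::` target install the profiles with whatever mode the source files carry in `debian/`, so an executable bit picked up in the packaging VCS would land on `/etc/apparmor.d/usr.bin.totem`, and they depend on `etc/apparmor.d/abstractions` being pre-created through `totem-common.dirs`. `install -D -m 0644 debian/apparmor-profile debian/totem-common/etc/apparmor.d/usr.bin.totem` (and the same for the other two files) makes the mode explicit and creates the leading directories itself, which also makes the `totem-common.dirs` entry unnecessary. The blank lines between the `binary-install` stanzas are not recoverable from this rendering of the hunk, so the exact placement of the new stanza relative to them could not be checked.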