Hi, I'm both the Debian and upstream maintainer of man-db. I'm considering uploading some variation of the attached diff to buster-security LTS. They're adjustments to hardening arrangements, so they do have some security relevance, although I'm aware they aren't really security fixes as such; nevertheless, I'd like to make these changes since it's better than having people get into the habit of disabling hardening measures that get in their way.
Would anyone like to review this? FWIW, my assessment is that these changes are low-risk in terms of regression potential, since they just add a couple of extra entries to existing rulesets and so shouldn't disallow anything that's currently allowed.

Thanks,

-- 
Colin Watson (he/him) [cjwat...@debian.org]
diff --git a/debian/.git-dpm b/debian/.git-dpm index 0c170530..e95d7f83 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -67eada88c19228c53f0f4fc846c3ae71696a7ea3 -67eada88c19228c53f0f4fc846c3ae71696a7ea3 +b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c +b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c 182141146d0ad9c735949840504bdfc66332da4e 182141146d0ad9c735949840504bdfc66332da4e man-db_2.8.5.orig.tar.xz diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man index 569aec91..145ed589 100644 --- a/debian/apparmor/usr.bin.man +++ b/debian/apparmor/usr.bin.man @@ -95,6 +95,9 @@ profile man_filter { # do is feed data to the invoking man process. /** r, + # Allow writing cat pages. + /var/cache/man/** w, + signal peer=/usr/bin/man, # @{profile_name} doesn't seem to work here. signal peer=/usr/bin/man//&man_filter, diff --git a/debian/changelog b/debian/changelog index b882ea5d..d7d93d42 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +man-db (2.8.5-2+deb10u1) UNRELEASED; urgency=medium + + * AppArmor: Allow man_filter to write to cat pages (closes: #926450, + #948238). + * sandbox: Allow getrandom (closes: #1061870). + + -- Colin Watson <cjwat...@debian.org> Sat, 31 Aug 2019 21:27:00 +0100 + man-db (2.8.5-2) unstable; urgency=medium * Remove redundant condition in cron.daily script (closes: #918967). diff --git a/debian/patches/seccomp-getrandom.patch b/debian/patches/seccomp-getrandom.patch new file mode 100644 index 00000000..67a0d67b --- /dev/null +++ b/debian/patches/seccomp-getrandom.patch 
@@ -0,0 +1,31 @@ +From b54bd5d3b7b1a60cc69b7df243b906f3e94d4d3c Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwat...@debian.org> +Date: Wed, 21 Aug 2019 14:30:42 +0100 +Subject: sandbox: Allow getrandom, used by Hardened Malloc + +Fixes Savannah bug #56767. + +* lib/sandbox.c (make_seccomp_filter): Allow getrandom. + +Origin: upstream, https://gitlab.com/man-db/man-db/-/commit/0951f82c611c4a3c14271b0fa9c4919c84b7afe7 +Bug: https://savannah.nongnu.org/bugs/?56767 +Bug-Debian: https://bugs.debian.org/1061870 +Last-Update: 2024-01-31 + +Patch-Name: seccomp-getrandom.patch +--- + lib/sandbox.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/sandbox.c b/lib/sandbox.c +index c097482b..ce91936e 100644 +--- a/lib/sandbox.c ++++ b/lib/sandbox.c +@@ -488,6 +488,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive) + SC_ALLOW ("brk"); + SC_ALLOW ("fadvise64"); + SC_ALLOW ("fadvise64_64"); ++ SC_ALLOW ("getrandom"); + if (permissive) + SC_ALLOW ("ioctl"); + else { diff --git a/debian/patches/series b/debian/patches/series index 35a5cd60..fdc19714 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ systemd-mandb-quiet.patch +seccomp-getrandom.patch diff --git a/lib/sandbox.c b/lib/sandbox.c index c097482b..ce91936e 100644 --- a/lib/sandbox.c +++ b/lib/sandbox.c @@ -488,6 +488,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive) SC_ALLOW ("brk"); SC_ALLOW ("fadvise64"); SC_ALLOW ("fadvise64_64"); + SC_ALLOW ("getrandom"); if (permissive) SC_ALLOW ("ioctl"); else {
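Review bot: in the debian/apparmor/usr.bin.man hunk, the comment immediately above the new rule ("# do is feed data to the invoking man process.") is now contradicted by `/var/cache/man/** w,`; extend that comment to say that the last filter in the pipeline also writes the cat page, so nobody later tightens the rule back on the strength of the old wording. It is also worth checking whether the write can be limited to the cat-page subtree that actually receives output rather than all of `/var/cache/man/**`; the rule is write-only, so the existing `/** r,` still governs reads and the new line should not need an `r`.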
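Review bot: the trailer date in the new debian/changelog stanza, "Sat, 31 Aug 2019 21:27:00 +0100", predates the bug it closes (#1061870, whose patch header in the same diff records "Last-Update: 2024-01-31"), so the stanza date is stale from an earlier draft; refresh the date and replace UNRELEASED with the target distribution (e.g. via `dch -r`) before upload. The version string 2.8.5-2+deb10u1 and the two bullet entries otherwise match the changes in the diff.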
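Review bot: `SC_ALLOW ("getrandom");` is placed outside the `if (permissive)` branch, so it is granted in both strict and permissive sandbox modes; since getrandom only fills a caller-supplied buffer from the kernel's entropy pool and takes no file descriptor, an unconditional allow is consistent with the neighbouring brk and fadvise64 entries and with the "used by Hardened Malloc" rationale in the patch description. The same one-line change appears twice in this diff, once inside debian/patches/seccomp-getrandom.patch and once directly against lib/sandbox.c (git-dpm keeps patches applied in the tree), so a reviewer should read the second lib/sandbox.c hunk as the applied form of the patch, not as an additional change; stating that in the cover mail would avoid confusion.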