Just something concrete to play with, attached.
If I run:
lyxwrap rm /tmp/whatever
it is executed, but if I run:
lyxwrap rm /home/tommaso/whatever
it says "Permission denied" :-)!
So, the idea is to wrap execution of any external converter/plotter/etc., so
that they can only write into the /tmp/ folder, except for the case of
exporting to .pdf, .tex, etc.
Any distro packager on the list with comments?
Thanks,
T.
On 06/11/2016 21:11, Tommaso Cucinotta wrote:
Hi all,
#10481 is dealing with the problem of making LyX robust to any
possible threat arising from maliciously crafted .lyx files that
launch unwanted code when viewed on screen and/or converted to
PDF/others. The currently provided patch warns the user before
launching any converter marked as "needauth".
In addition to that, a very good way to deal with the issue seems to
give external scripts/converters permissions to write exclusively
within /tmp/lyx_tmpdir* temporary folders, this being possible on
Linux shipping LyX along with an Apparmor profile (Apparmor is a kind
of chroot() on steroids)
http://wiki.apparmor.net/index.php/QuickProfileLanguage
as nowadays this is widely used by many other programs (just type
"find /etc/apparmor.d/"). This would imply to add a usr.bin.lyx file
to be installed in /etc/apparmor.d/ on Linux only.
Before working out a first try, I'd like to hear comments from
others, especially on the side of portability (Mac/Win users). From a
quick search, it seems the Mac OS-X way for the same thing would be
using TrustedBSD:
http://sysdev.me/trusted-bsd-in-osx/
Any comment welcome, thanks!
T.
commit 0eb1417d
Author: Tommaso Cucinotta <tomm...@lyx.org>
Date: Mon Nov 7 00:39:33 2016 +0100
Added lyxwrap wrapper along with apparmor.d script for safe execution of external converters.
diff --git a/configure.ac b/configure.ac
index 05e73285..773fe002 100644
--- a/configure.ac
+++ b/configure.ac
@@ -387,6 +387,7 @@ AC_CONFIG_FILES([Makefile \
development/lyx.spec \
lib/lyx.desktop-temp:lib/lyx.desktop.in
lib/Makefile \
+ lib/usr.bin.lyxwrap \
lib/doc/Makefile \
lib/lyx2lyx/lyx2lyx_version.py \
lib/lyx2lyx/Makefile \
diff --git a/lib/Makefile.am b/lib/Makefile.am
index a19d4f2c..4b2fedf6 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -2485,6 +2485,9 @@ install-data-hook:
chmod 644 "$(DESTDIR)$(pkgdatadir)/$$i"; \
fi; \
done
+if INSTALL_POSIX
+ cp usr.bin.lyxwrap /etc/apparmor.d/
+endif
alltests: check alltests-recursive
diff --git a/lib/usr.bin.lyxwrap.in b/lib/usr.bin.lyxwrap.in
new file mode 100644
index 00000000..dd990d25
--- /dev/null
+++ b/lib/usr.bin.lyxwrap.in
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# Author: Tommaso Cucinotta <tomm...@lyx.org>
+
+#include <tunables/global>
+
+@prefix@/bin/lyxwrap {
+ /tmp/** ixrw,
+ @{HOME}/** ixr,
+ / ixr,
+ /** ixr,
+ deny /etc/security/ xrw,
+ deny /etc/security/** xrw,
+ deny /etc/passwd* xrw,
+ deny /etc/shadow* xrw,
+}
diff --git a/src/Makefile.am b/src/Makefile.am
index 8ac13067..4e51ba5b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -25,7 +25,7 @@ OTHERLIBS = $(BOOST_LIBS) $(MYTHES_LIBS) $(ENCHANT_LIBS) $(HUNSPELL_LIBS) \
$(LIBSHLWAPI) $(LIBPSAPI)
noinst_LIBRARIES = liblyxcore.a
-bin_PROGRAMS = lyx
+bin_PROGRAMS = lyx lyxwrap
lyx_LDADD = \
liblyxcore.a \
@@ -100,6 +100,9 @@ if LYX_WIN_RESOURCE
lyx_SOURCES += lyxwinres.rc
endif
+lyxwrap_SOURCES = \
+ lyxwrap.cpp
+
SOURCEFILESCORE = \
Author.cpp \
boost.cpp \
