On Mon, 10 Sep 2018 at 13:58:41 -0400, Ryan Kavanagh wrote:
> Adding the following line to /etc/apparmor.d/usr.bin.evince seems to fix the issue,
> though you should probably consult apparmor.d(5) and pick something more
> sensible than "uxr" as a permission:
>
> /usr/lib/@{multiarch}/glib-2.0/gio-launch-desktop uxr,
rmix seems more appropriate - that would allow gio-launch-desktop to execute anything that evince itself would have been allowed to execute directly, with evince's own privileges.

gio-launch-desktop is an implementation detail of GIO and should be executed with the same privileges that library code in its caller would have: it replaces a direct fork-and-exec code path in older GIO, as a way to allow use of posix_spawn(), which has a smaller virtual memory footprint. It is definitely not designed to be a security boundary.

It executes whatever is in argv[1, 2...] with GIO_LAUNCHED_DESKTOP_FILE_PID added to the environment, so if you are allowed to execute it unconfined, you are allowed to execute anything else unconfined too. That would be bad.

    smcv
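As an added check that is not part of this thread, the following Python audit scans an AppArmor profile fragment for file rules that grant execute permission and flags those whose exec mode is u/U (unconfined), which is exactly the problem with the uxr rule above. The profile fragment is constructed for the example and is not the real Debian evince profile; the exec-mode letters are the standard ones from apparmor.d(5).

```python
import re

# Constructed sample profile fragment (not the real Debian evince profile):
# the weak rule from the thread beside the corrected one, plus two more exec
# rules for contrast.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/evince {
  #include <abstractions/base>
  # weak: the helper runs unconfined, so anything it spawns is unconfined too
  /usr/lib/@{multiarch}/glib-2.0/gio-launch-desktop uxr,
  # corrected: the helper inherits evince's own confinement
  /usr/lib/@{multiarch}/glib-2.0/gio-launch-desktop rmix,
  /usr/bin/lpr Px,
  /{usr/,}bin/bash rix,
}
"""

# One file rule: a path, a permission string and a trailing comma.
FILE_RULE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<perms>[rwmlkaixpuPUcC]+)\s*,")
# Exec-mode letters: i inherit, p/P own profile, c/C child profile,
# u/U unconfined (U also scrubs the environment).
EXEC_MODES = set("iuUpPcC")

def exec_modes(perms):
    """Return the exec-mode letters in a permission string; empty if no 'x'."""
    if "x" not in perms:
        return set()
    return {ch for ch in perms if ch in EXEC_MODES}

def audit_exec_rules(profile_text):
    """One finding per rule that grants execute; 'unconfined' is True when any
    exec mode is u/U, which also catches the fallback forms (pux, Cux, ...)."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = FILE_RULE.match(line)
        if not m:
            continue
        modes = exec_modes(m.group("perms"))
        if modes:
            findings.append({"line": lineno, "path": m.group("path"),
                             "perms": m.group("perms"),
                             "unconfined": bool(modes & {"u", "U"})})
    return findings

if __name__ == "__main__":
    for f in audit_exec_rules(SAMPLE_PROFILE):
        print(f"line {f['line']}: {f['path']} {f['perms']} -> "
              + ("UNCONFINED" if f["unconfined"] else "ok"))
```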