update man profile

This commit updates the man profile with everything needed on openSUSE.

So you are not the only one making man updates. I need to sort out your changes wrt to https://salsa.debian.org/debian/man-db/merge_requests/2/diffs

Also are you looking for a backport? 2.12 I would assume but what of earlier

The man profile is in extras, which also means I don't care too much about backporting ;-) (in other words: we can backport it if it's easy and conflict-free, and otherwise don't need to worry)

The changes from Debian look interesting - we'll see if we can merge in my changes, or if I should simply start to play with the Debian profile ;-)

The changes from Debian look interesting - we'll see if we can merge in my changes, or if I should simply start to play with the Debian profile ;-)

Any update on this?

I finally tested the Debian profile (thanks for the reminder!) and it works without problems in openSUSE.

However, there is exactly one line I don't like: /** mrixwlk, (aka file). I'd really like to have this more restricted (would r permissions be enough?). You'll obviously need to add some other permissions, but that would be worth the effort IMHO.

A quick test results in the following patch (I'll leave sorting it into the right places of the profile as exercise to you):

--- /dev/shm/usr.bin.man        2018-06-17 14:50:16.368980628 +0200
+++ /etc/apparmor.d/usr.bin.man 2018-06-17 15:05:18.903094882 +0200
@@ -13,6 +13,8 @@
   # broader profile.
   /usr/bin/eqn rmCx -> &man_groff,
   /usr/bin/grap rmCx -> &man_groff,
+  /usr/bin/groff mrCx -> &man_groff,
+  /usr/bin/grotty mrCx -> &man_groff,
   /usr/bin/pic rmCx -> &man_groff,
   /usr/bin/preconv rmCx -> &man_groff,
   /usr/bin/refer rmCx -> &man_groff,
@@ -35,7 +37,13 @@
   # The purpose of this profile isn't to confine man itself (that might be
   # nice in the future, but is tricky since it's quite configurable), but to
   # confine the processes it calls that parse untrusted data.
-  /** mrixwlk,
+  /** r,
+  /var/cache/man/** rk,
+  /usr/bin/less ix,
+  /usr/bin/nroff ix,
+  /usr/bin/locale ix,
+  /{usr/,}bin/bash mrix,
+  /dev/tty w,
 
   capability setuid,
   capability setgid,
@@ -58,11 +67,13 @@ profile man_groff {
 
   /usr/bin/eqn rm,
   /usr/bin/grap rm,
+  /usr/bin/groff rm,
+  /usr/bin/grotty mrix,
   /usr/bin/pic rm,
   /usr/bin/preconv rm,
   /usr/bin/refer rm,
   /usr/bin/tbl rm,
-  /usr/bin/troff rm,
+  /usr/bin/troff mrix,
   /usr/bin/vgrind rm,
 
   /etc/groff/** r,

With the above patch applied, I like the Debian profile, and will happily accept it as a replacement for this merge request. Actually I think we could ship it in /etc/apparmor.d/ instead of letting it bitrot in the extra profiles directory ;-)

Oh, a final note - please s/rm/mr/ in all rules ;-) (I didn't do it to keep the patch readable)

@intrigeri - do you like my changes from the above comment? If so, please add them to the Debian profile, and then submit a MR to push the Debian profile to "extra". As soon as you do that, I'll close this MR ;-)

The only risky part is reducing /** mrixwlk, to /** r. The updated profile works for me, but if you still think it's too risky feel free to keep it for Debian for now ;-)

I'm not maintaining myself the profile shipped in Debian, and clearly I lack time to help here, so better talk with Colin Watson directly (be it about the policy itself and where it makes more sense to maintain it: I suspect neither "extra" nor "Debian packaging" are solutions that will work smoothly for everyone involved; I suspect "in upstream man-db" would).

A few more additions are needed for openSUSE Tumbleweed:

/usr/bin/man {
  /usr/bin/neqn mrCx -> &man_groff,

  profile man_groff {
    /etc/groff/** r,
    /usr/lib/groff/site-tmac/** r,
    /usr/share/groff/** r,

assigned to @intrigeri

This "&" interesting, this is delegation in the wild? Could you explain it's effect in this case?

The "&" does stacking to avoid issues with "no new privs" restrictions. Basically /usr/bin/neqn (and several other helpers) get restricted by the /usr/bin/man and the man_groff child profile, and may only do things that are allowed in both profiles.

unassigned @intrigeri

unassigned @intrigeri