Gnome implemented sandboxing for thumbnail parsers, but @ubuntu patches that out, because why not? https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164 …
Until the review is done it's hard to make the call - bubblewrap is a new setuid executable and so deserves close review - and we have AppArmor already to sandbox the evince thumbnailer which reduces the need for bubblewrap in this case.
When using your PoC from http://seclists.org/oss-sec/2018/q3/157 …: type=AVC msg=audit(1535072811.766:3555): apparmor="DENIED" operation="exec" profile="/usr/bin/evince-thumbnailer" name="/bin/dash" pid=14108 comm="evince-thumbnai" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
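The AVC line above is what an AppArmor denial looks like in the audit log: a confined process (profile /usr/bin/evince-thumbnailer) tried to exec /bin/dash and the "x" permission was refused. As an added example that is not part of the thread, here is a small Python parser that reads such audit records and flags exec denials per profile, which is the check a defender would run to confirm the sandbox is actually stopping the PoC rather than just logging it. The sample log is constructed for the example (the first line is the denial quoted above; the other two are made up, including the hypothetical font path, to show that non-denial and non-AVC records are skipped).

```python
import re
import shlex

# Constructed sample audit log for this example. The first record is the denial
# quoted in the thread; the second (an ALLOWED open, as logged in complain mode)
# and third (a SYSCALL record) are invented to exercise the filtering logic.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1535072811.766:3555): apparmor="DENIED" operation="exec" profile="/usr/bin/evince-thumbnailer" name="/bin/dash" pid=14108 comm="evince-thumbnai" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1535072812.001:3556): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince-thumbnailer" name="/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf" pid=14108 comm="evince-thumbnai" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1535072812.002:3556): arch=c000003e syscall=59 success=no exit=-13
"""

# Header common to every audit record: type=... msg=audit(<epoch>:<serial>): <key=value ...>
AUDIT_HDR = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)


def parse_audit_line(line):
    """Parse one audit record into a dict, or return None if it is not an audit record.

    The key=value tail is split with shlex so quoted values such as name="/bin/dash"
    come back without their quotes.
    """
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    rec = {
        "type": m["type"],
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
    }
    for tok in shlex.split(m["rest"]):
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def find_exec_denials(log_text, profile=None):
    """Return AVC records where AppArmor denied a confined process exec permission.

    If `profile` is given, only denials attributed to that profile are returned.
    Matching is done on the profile field, not on comm: the kernel truncates comm
    to 15 characters (hence "evince-thumbnai" above), so comm is not a reliable key.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != "AVC":
            continue
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "exec":
            continue
        if "x" not in rec.get("denied_mask", ""):
            continue
        if profile is not None and rec.get("profile") != profile:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_exec_denials(SAMPLE_AUDIT_LOG, profile="/usr/bin/evince-thumbnailer"):
        print(f"serial={hit['serial']} pid={hit['pid']} profile={hit['profile']} "
              f"denied exec of {hit['name']} (fsuid={hit['fsuid']})")
```

On a real system the input would be the output of `ausearch -m AVC` or the kernel log; the point of filtering on `operation="exec"` with "x" in `denied_mask` is that this is exactly the event the thumbnailer PoC produces when the AppArmor profile is enforcing, whereas in complain mode the same record would carry apparmor="ALLOWED" and the shell would have run.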