[Pkg-lyx-devel] Hardening LyX with AppArmor

Sven Hoexter sven at timegate.de
Mon Sep 25 08:59:07 UTC 2017


On Thu, Dec 29, 2016 at 09:42:28PM +0100, Sven Hoexter wrote:
> On Sun, Nov 13, 2016 at 03:39:42PM +0100, Tommaso Cucinotta wrote:
> 
> Hi Tommaso et al,
> 
> > I'd be grateful to get some feedback/comment on this issue:
> > 
> >   http://www.lyx.org/trac/ticket/10481
> > 
> > It's about potential misuse of LyX via mal[iciously]formed documents having unintended effects when opened or compiled with LyX.
> > 
> > I worked on a tentative fix using AppArmor, which seems standard on Ubuntu for other desktop apps. AppArmor is applied to a wrapper program shipping with LyX, which is prefixed to any externally invoked script. This way, we can let external scripts have fewer permissions than LyX itself.
> 
> 
> I'm way behind with my email handling but in general I've no objection to shipping
> AppArmor profiles in the Debian package. It's just a matter of someone implementing
> the change.


JFTR there is some initiative to enable AppArmor on Debian with the buster stable release.
So in case LyX starts to provide AppArmor policy files it's very likely we package them
for Debian and thus ship them for Debian and Ubuntu. It's just that there is only very
low activity regarding the Debian package maintenance.

Sven
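
As an added illustration of the wrapper approach quoted above (not LyX's or Debian's actual profile, and not part of the original message): a sketch of an AppArmor profile attached to a hypothetical wrapper binary, so that every converter or script it launches inherits a narrower policy than LyX itself runs under. The wrapper path, profile name, temp-directory pattern, document directory and TeX tree locations are all assumptions.

```apparmor
# Constructed example. Path and profile name are hypothetical placeholders.
#include <tunables/global>

profile lyx-external-wrapper /usr/local/libexec/lyx-wrapper-EXAMPLE {
  #include <abstractions/base>

  # Converters started from a document have no reason to reach the network
  # or to use any capability.
  deny network,
  deny capability,

  # Interpreters and TeX engines run with "ix": the child inherits this
  # profile, so the confinement follows the script the wrapper was prefixed to.
  /{,usr/}bin/{,ba,da}sh ix,
  /usr/bin/python3{,.[0-9]*} ix,
  /usr/bin/{pdf,lua,xe,}latex ix,

  # Read-only view of the TeX installation (assumed locations).
  /usr/share/texmf/** r,
  /usr/share/texlive/** r,
  /var/lib/texmf/** r,

  # Writes are limited to the per-session build directory
  # (assumed naming pattern).
  owner /tmp/lyx_tmpdir.*/ rw,
  owner /tmp/lyx_tmpdir.*/** rwk,

  # Source documents are readable but not writable by external tools
  # (assumed document location).
  owner @{HOME}/Documents/** r,

  # Explicit denials override any allow rule above and are not silenced,
  # so an attempt by a document-triggered script shows up in the audit log.
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnupg/{,**} mrwkl,
  audit deny @{HOME}/.{bashrc,profile,bash_profile} w,
  audit deny @{HOME}/.config/autostart/{,**} w,
}
```

Loading such a profile in complain mode first (`aa-complain`) and reviewing the logged accesses is the usual way to find rules a real converter chain still needs before switching to enforce mode.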


