[conspire] Autorun in GNOME/Nautilus

Rick Moen rick at linuxmafia.com
Wed Sep 28 11:13:45 PDT 2011

Quoting Ruben Safir (ruben at mrbrklyn.com):
> are you saying evince can run an executable?

Ruben, it relates to where Evince is permitted to write and read files.

Evince is a leading case of an application designed to handle public
data (in its case, PDFs) that quickly became overfeatured (though not as
horrifically as Acroread) and thus acquired a huge attack surface --
Evince's core code and _any_ of the large number of library dependencies 
it calls.  So, an AppArmor policy for it would contain this threat by
saying exactly what it can read and write, where, such that the security
controls to that effect are externally enforced by the kernel and Evince
itself doesn't need to be trusted to do only intended activity and not
get subverted and run amok under the influence of an aberrant data file
sent to it from the Internet.

More information about the conspire mailing list