Adobe Reader

From ArchWiki
Revision as of 20:22, 3 December 2012 by Post-factum (Talk | contribs) (Created page with "==Securing Adobe Reader== ===TOMOYO=== Follow the instructions here to install TOMOYO. Please note that this section describes using TOMOYO 2...")


Securing Adobe Reader

TOMOYO

Follow the instructions here to install TOMOYO. Please note that this section describes using TOMOYO 2.5.

  • Open the /etc/tomoyo/exception_policy.conf file and add these lines:
path_group PDF_FILES /\{\*\}/\*.pdf
path_group THEMES_FILES /usr/share/themes/\{\*\}/\*
path_group THEMES_FILES /usr/share/themes/\*
path_group FONTS_DIRS /usr/share/fonts/\{\*\}/
path_group FONTS_FILES /usr/share/fonts/\{\*\}/\*
path_group FONTS_FILES /usr/share/fonts/\*
path_group ACROREAD_FILES /opt/Adobe/Reader9/\{\*\}/\*
path_group ACROREAD_FILES /opt/Adobe/Reader9/\*
path_group ACROREAD_FILES /home/\*/.adobe/Acrobat/\{\*\}/\*
path_group ACROREAD_FILES /home/\*/.adobe/Acrobat/\*
path_group ACROREAD_DIRS /home/\*/.adobe/Acrobat/\{\*\}/
path_group ACROREAD_DIRS /home/\*/.adobe/\{\*\}/
initialize_domain /usr/bin/acroread from any
  • Then open /etc/tomoyo/domain_policy.conf and add the following lines:
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.
  • After you finish editing, reload the TOMOYO config files by executing these commands:
# tomoyo-loadpolicy -df </etc/tomoyo/domain_policy.conf
# tomoyo-loadpolicy -ef </etc/tomoyo/exception_policy.conf

Voilà — your Adobe Reader is sandboxed now.
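To see which paths the path_group patterns above actually cover before loading them, the following added example (not part of the original page or of the TOMOYO tools) translates the two wildcards used here into regular expressions and tests constructed sample paths against them. The function names are hypothetical, and the wildcard semantics are an assumption based on the TOMOYO 2.5 policy syntax: `\*` matches any run of characters other than `/`, `\{X\}/` matches one or more repetitions of `X/`, and a directory (trailing `/`) is only compared with a directory pattern.

```python
import re

# Constructed sample: a subset of the path_group lines from this page.
POLICY = r"""
path_group PDF_FILES /\{\*\}/\*.pdf
path_group FONTS_DIRS /usr/share/fonts/\{\*\}/
path_group FONTS_FILES /usr/share/fonts/\{\*\}/\*
path_group FONTS_FILES /usr/share/fonts/\*
path_group ACROREAD_FILES /home/\*/.adobe/Acrobat/\{\*\}/\*
initialize_domain /usr/bin/acroread from any
"""

def to_regex(pattern):
    """Translate the two wildcards used above (assumed TOMOYO 2.5 semantics)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\{", i):          # \{X\}/ : one or more "X/"
            end = pattern.index("\\}/", i)        # ValueError if unterminated
            out.append("(?:%s/)+" % to_regex(pattern[i + 2:end]))
            i = end + 3
        elif pattern.startswith("\\*", i):        # \* : any run of non-'/' chars
            out.append("[^/]*")
            i += 2
        elif pattern[i] == "\\":
            raise ValueError("wildcard not handled here: " + pattern[i:i + 2])
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def load_groups(policy_text):
    """Return {group name: [(is_dir, compiled regex), ...]} from path_group lines."""
    groups = {}
    for line in policy_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "path_group":
            entry = (fields[2].endswith("/"), re.compile(to_regex(fields[2])))
            groups.setdefault(fields[1], []).append(entry)
    return groups

def groups_for(groups, path):
    """Names of groups covering path; directories match only directory patterns."""
    is_dir = path.endswith("/")
    return sorted(name for name, entries in groups.items()
                  if any(d == is_dir and rx.fullmatch(path) for d, rx in entries))

if __name__ == "__main__":
    g = load_groups(POLICY)
    for p in ["/home/alice/docs/report.pdf", "/report.pdf",
              "/usr/share/fonts/TTF/", "/usr/share/fonts/README"]:
        print(p, "->", groups_for(g, p) or "no group")
```

Under these assumptions a PDF directly in `/` is not covered by PDF_FILES, and files directly inside `/usr/share/fonts/` are covered only because of the second, non-recursive FONTS_FILES line.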

Please note that this config was generated on a 64-bit Arch system, and some of your ioctls and library paths may differ from those mentioned above. To fine-tune the TOMOYO config for your Adobe Reader, start the tomoyo-auditd daemon:

# systemctl start tomoyo-auditd

Then go to the /var/log/tomoyo folder and start watching reject_003.log:

tail -f reject_003.log

The output of this command will show you the actions rejected for Adobe Reader, so you'll be able to add them to the domain_policy.conf file if needed.

A detailed guide to configuring TOMOYO can be found here.