[pkg-apparmor] Bug#807880: apparmor-profiles-extra: AppArmor profile prevents evince from starting under wayland
Kjö Hansi Glaz
kjo at a4nancy.net.eu.org
Mon Dec 14 02:05:55 UTC 2015
Package: apparmor-profiles-extra
Version: 1.6
Severity: normal
Dear Maintainer,
* What led up to the situation?
1) Install and enable the evince AppArmor profile shipped in
apparmor-profiles-extra
2) Use GNOME on Wayland
* What exactly did you do (or not do) that was effective (or
ineffective)?
Launch evince.
* What was the outcome of this action?
The following line appears in the system journal:
kernel: audit: type=1400 audit(1450058045.992:347): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince" name="/run/user/1000/weston-shared-BEqtJs" pid=32238 comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
* What outcome did you expect instead?
evince to show up!
The following patch solves the issue for me:
diff --git a/apparmor.d/usr.bin.evince b/apparmor.d/usr.bin.evince
index d77fb3b..8e93137 100644
--- a/apparmor.d/usr.bin.evince
+++ b/apparmor.d/usr.bin.evince
@@ -109,6 +109,8 @@
# evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
# directory a file is saved. This allows that behavior.
owner /**/.goutputstream-* w,
+
+ owner /{,var/}run/user/*/weston-shared-* rw,
}
/usr/bin/evince-previewer {
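Review bot: The added rule `owner /{,var/}run/user/*/weston-shared-* rw,` is the only rule in this part of the profile without an explanatory comment, and since the denial it fixes is a create (`operation="mknod"`, `requested_mask="c"`) of a compositor shared-memory file rather than an ordinary document save, the reason is not obvious from the path alone; suggest preceding it with `# Wayland: evince creates shared-memory buffers under the user runtime dir (Bug#807880)`. The `owner` qualifier and the `/{,var/}run/user/*/` pattern match the dconf and at-spi2 rules already in the profile, so the rule itself looks consistent. The `/usr/bin/evince-previewer` profile, which opens on the hunk's last line, does not get the same rule; if the previewer is launched under the same compositor it presumably hits the same denial, which is worth confirming before this is merged. Because the rule is compositor-specific rather than evince-specific, it may belong in a shared abstraction so other GUI profiles can pick it up instead of repeating it per profile.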
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (900, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apparmor-profiles-extra depends on:
ii apparmor 2.10-2+b1
apparmor-profiles-extra recommends no packages.
apparmor-profiles-extra suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.bin.evince changed:
# Profile confining the evince document viewer.
/usr/bin/evince {
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/evince>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
#include <abstractions/ubuntu-email>
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only evince is allowed to do
#include <abstractions/ubuntu-gnome-terminal>
# By default, we won't support launching a terminal program in Xterm or
# KDE's konsole. It opens up too many unnecessary files for most users.
# People who need this functionality can uncomment the following:
##include <abstractions/ubuntu-xterm>
##include <abstractions/ubuntu-konsole>
# Executable transitions: Px/px run the target under its own profile (Px also
# scrubs the environment), 'Cx -> sanitized_helper' runs it under that child
# profile, ix keeps it under this profile.
/usr/bin/evince rmPx,
/usr/bin/evince-previewer Px,
/usr/bin/yelp Cx -> sanitized_helper,
/usr/bin/bug-buddy px,
# 'Show Containing Folder' (LP: #1022962)
/usr/bin/nautilus Cx -> sanitized_helper, # Gnome
/usr/bin/pcmanfm Cx -> sanitized_helper, # LXDE
/usr/bin/krusader Cx -> sanitized_helper, # KDE
/usr/bin/thunar Cx -> sanitized_helper, # XFCE
# For Xubuntu to launch the browser
/usr/bin/exo-open ixr,
/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
# For text attachments
/usr/bin/gedit ixr,
# For Send to
/usr/bin/nautilus-sendto Cx -> sanitized_helper,
# allow directory listings (ie 'r' on directories) so browsing via the file
# dialog works
/ r,
/**/ r,
# This is need for saving files in your home directory without an extension.
# Changing this to '@{HOME}/** r' makes it require an extension and more
# secure (but with 'rw', we still have abstractions/private-files-strict in
# effect).
owner @{HOME}/** rw,
owner /media/** rw,
owner @{HOME}/.local/share/gvfs-metadata/** l,
owner /{,var/}run/user/*/gvfs-metadata/** l,
owner @{HOME}/.gnome2/evince/* rwl,
owner @{HOME}/.gnome2/accels/ rw,
owner @{HOME}/.gnome2/accelsevince rw,
owner @{HOME}/.gnome2/accels/evince rw,
# Maybe add to an abstraction?
# dconf / at-spi2 state under the user's runtime directory; all owner-qualified.
/etc/dconf/** r,
owner @{HOME}/.cache/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
owner /{,var/}run/user/*/dconf-service/keyfile/ w,
owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
owner /{,var/}run/user/*/at-spi2-*/ rw,
owner /{,var/}run/user/*/at-spi2-*/** rw,
# from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
# read and write for all supported file formats
# NOTE(review): unlike the @{HOME}/** rule above, these rules carry no 'owner'
# qualifier, so a matching file anywhere on the filesystem (not only the
# user's own) is readable and writable by evince, subject to DAC permissions.
/**.[bB][mM][pP] rw,
/**.[dD][jJ][vV][uU] rw,
/**.[dD][vV][iI] rw,
/**.[gG][iI][fF] rw,
/**.[jJ][pP][gG] rw,
/**.[jJ][pP][eE][gG] rw,
/**.[oO][dD][pP] rw,
/**.[fFpP][dD][fF] rw,
/**.[pP][nN][mM] rw,
/**.[pP][nN][gG] rw,
/**.[pP][sS] rw,
/**.[eE][pP][sS] rw,
/**.[tT][iI][fF] rw,
/**.[tT][iI][fF][fF] rw,
/**.[xX][pP][mM] rw,
/**.[gG][zZ] rw,
/**.[bB][zZ]2 rw,
/**.[cC][bB][rRzZ7] rw,
/**.[xX][zZ] rw,
# evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
# directory a file is saved. This allows that behavior.
owner /**/.goutputstream-* w,
# LOCALLY ADDED: under Wayland evince creates a shared-memory file named
# weston-shared-* in the user's runtime directory; without this rule the
# create is denied (operation="mknod", requested_mask="c", see Bug#807880).
owner /{,var/}run/user/*/weston-shared-* rw,
}
# Profile for the print-preview helper, reached from the evince profile via Px.
/usr/bin/evince-previewer {
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/evince>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
#include <abstractions/ubuntu-email>
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>
# Terminals for using console applications. These abstractions should ideally
# have 'ix' to restrict access to what only evince is allowed to do
#include <abstractions/ubuntu-gnome-terminal>
# By default, we won't support launching a terminal program in Xterm or
# KDE's konsole. It opens up too many unnecessary files for most users.
# People who need this functionality can uncomment the following:
##include <abstractions/ubuntu-xterm>
# 'mr' lets the previewer read and map its own binary; yelp and bug-buddy use
# the same transitions as in the evince profile.
/usr/bin/evince-previewer mr,
/usr/bin/yelp Cx -> sanitized_helper,
/usr/bin/bug-buddy px,
# Lenient, but remember we still have abstractions/private-files-strict in
# effect). Write is needed for 'print to file' from the previewer.
# (Not owner-qualified, unlike the viewer's @{HOME}/** rule.)
@{HOME}/ r,
@{HOME}/** rw,
# Maybe add to an abstraction?
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
# NOTE(review): no weston-shared-* rule here, unlike the evince profile; if the
# previewer is launched under Wayland it presumably needs the same one -- confirm.
}
# Profile for the thumbnailer: a much smaller rule set than the viewer, with
# only the dbus-session and evince abstractions included.
/usr/bin/evince-thumbnailer {
#include <abstractions/dbus-session>
#include <abstractions/evince>
# The thumbnailer doesn't need access to everything in the nameservice
# abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
# logging denial of nsswitch.conf.
/etc/passwd r,
/etc/group r,
deny /etc/nsswitch.conf r,
# TCP/UDP network access for NFS
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# 'mr': read and map its own binary.
/usr/bin/evince-thumbnailer mr,
# Lenient, but remember we still have abstractions/private-files-strict in
# effect).
# NOTE(review): 'rw' over all of the user's @{HOME} and /media is broader than
# producing thumbnails appears to need; the comment above accepts it as lenient.
@{HOME}/ r,
owner @{HOME}/** rw,
owner /media/** rw,
}
-- no debconf information