[pkg-apparmor] Bug#1121917: apparmor: Kernel version out of sync / doesn't conform to protocol

Tomáš Szaniszlo tomaxuser at gmail.com
Sun Dec 14 21:27:36 GMT 2025


Package: apparmor
Version: 4.1.0-1+b1
Followup-For: Bug #1121917
X-Debbugs-Cc: tomaxuser at gmail.com

Hello,

I have also encountered what is likely the same problem with apparmor profiles
during a package upgrade, so `dpkg-reconfigure apparmor` seems to be a way to
trigger the errors:

    # dpkg-reconfigure apparmor
    Reloading AppArmor profiles
    Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
    /sbin/apparmor_parser: Unable to replace "/usr/bin/evince-thumbnailer".  Profile doesn't conform to protocol
    /sbin/apparmor_parser: Unable to replace "/usr/libexec/geoclue".  Profile doesn't conform to protocol
    Error: At least one profile failed to load

However, when trying to manually replace the profiles I did not get any error,
and `dpkg-reconfigure apparmor` also does not complain anymore:

    # apparmor_parser -r /etc/apparmor.d/usr.bin.evince
    # apparmor_parser -r /etc/apparmor.d/usr.libexec.geoclue
    # dpkg-reconfigure apparmor
    Reloading AppArmor profiles
    Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird

I am attaching both profiles. usr.libexec.geoclue was updated today as part of
the geoclue-2.0 update (2.8.0-1), but I don't see a similar update mentioned for
usr.bin.evince. Also, a linux-{image,headers} update was included within the set
of updates (I guess it may be relevant):

    Unpacking linux-image-amd64 (6.17.11-1) over (6.17.8-1) ...

Best wishes
Tomaxuser

-- System Information:
Debian Release: forky/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.17.8+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  libc6                  2.42-5

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
pn  apparmor-utils           <none>

-- debconf information:
  apparmor/homedirs:
-------------- next part --------------
# vim:syntax=apparmor
abi <abi/3.0>,

include <tunables/global>

/usr/libexec/geoclue flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/gnome>
  include <abstractions/nameservice>

  /etc/geoclue/geoclue.conf r,
  /etc/geoclue/conf.d/ r,
  /etc/geoclue/conf.d/*.conf r,
  /etc/geolocation r,
  /proc/sys/net/ipv6/conf/all/disable_ipv6 r,
  /proc/*/cgroup r,
  /usr/libexec/geoclue mr,

  # own dbus name
  dbus bind
       bus=system
       name=org.freedesktop.GeoClue2,
  dbus send
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus),

  # register objects
  dbus (send receive)
       bus=system
       path=/org/freedesktop/GeoClue2{,/**}
       interface={org.freedesktop.GeoClue2{,.*},org.freedesktop.DBus.*},

  # auth
  dbus send
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
       peer=(name=org.freedesktop.DBus),

  # use Avahi
  dbus send
       bus=system
       path=/
       interface=org.freedesktop.DBus.Peer
       member=Ping
       peer=(name=org.freedesktop.Avahi),
  dbus send
       bus=system
       path=/
       interface=org.freedesktop.Avahi.Server
       peer=(name=org.freedesktop.Avahi),
  dbus (send receive)
       bus=system
       path=/Client[0-9]*/ServiceBrowser[0-9]*
       interface=org.freedesktop.Avahi.ServiceBrowser,

  # use wpa_supplicant
  dbus (send receive)
       bus=system
       path=/fi/w1/wpa_supplicant1{,/**}
       interface={fi.w1.wpa_supplicant1{,.*},org.freedesktop.DBus.Properties},
  dbus receive
       bus=system
       path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
       member=InterfacesRemoved,

  # use ModemManager
  dbus send
       bus=system
       path=/org/freedesktop/ModemManager1
       interface={org.freedesktop.DBus.ObjectManager,org.freedesktop.DBus.Properties},

  # use NetworkManager
  dbus send
       bus=system
       path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects,
  dbus (send receive)
       bus=system
       path=/org/freedesktop/NetworkManager{,/**}
       interface={org.freedesktop.NetworkManager{,.*},org.freedesktop.DBus.Properties},


  # Site-specific additions and overrides. See local/README for details.
  #include if exists <local/usr.libexec.geoclue>
}
-------------- next part --------------
# vim:syntax=apparmor

# evince is not written with application confinement in mind and is designed to
# operate within a trusted desktop session where anything running within the
# user's session is trusted. That said, evince will often process untrusted
# input (PDFs, images, etc). Ideally evince would be written in such a way that
# image processing is separate from the main process and that processing
# happens in a restrictive sandbox, but unfortunately that is not currently the
# case. Because evince will process untrusted input, this profile aims to
# provide some hardening, but considering evince's design and other factors such
# as X, gsettings, accessibility, translations, DBus session and system
# services, etc, complete confinement is not possible.

include <tunables/global>

/usr/bin/evince {
  include <abstractions/audio>
  include <abstractions/bash>
  include <abstractions/cups-client>
  include <abstractions/dbus-accessibility>
  include <abstractions/evince>
  include <abstractions/ibus>
  include <abstractions/nameservice>

  include <abstractions/ubuntu-browsers>
  include <abstractions/ubuntu-console-browsers>
  include <abstractions/ubuntu-email>
  include <abstractions/ubuntu-console-email>
  include <abstractions/ubuntu-media-players>

  # allow evince to spawn browsers distributed as snaps (LP: #1794064)
  include if exists <abstractions/snap_browsers>

  # For now, let evince talk to any session services over dbus. We can
  # blacklist any problematic ones (but note, evince uses libsecret :\)
  include <abstractions/dbus-session>

  include <abstractions/dbus-strict>
  dbus (receive) bus=system,
  # Allow getting information from various system services
  dbus (send)
      bus=system
      member="Get*"
      peer=(label=unconfined),
  # Allow talking to avahi with whatever polkit allows
  dbus (send)
      bus=system
      interface="org.freedesktop.Avahi{,.*}",
  # Allow talking to colord with whatever polkit allows
  dbus (send)
      bus=system
      interface="org.freedesktop.ColorManager{,.*}",

  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  include <abstractions/ubuntu-gnome-terminal>

  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>
  ##include <abstractions/ubuntu-konsole>

  /usr/bin/evince rmPx,
  /usr/bin/evince-previewer Px,
  /usr/bin/papers-previewer Px,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,
  # 'Show Containing Folder' (LP: #1022962)
  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
  /usr/bin/krusader Cx -> sanitized_helper, # KDE
  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE

  # Print Dialog
  /usr/lib/@{multiarch}/libproxy/*/pxgsettings Cx -> sanitized_helper,

  # For Xubuntu to launch the browser
  include <abstractions/exo-open>

  # For text attachments
  /usr/bin/gedit ixr,

  # For Send to
  /usr/bin/nautilus-sendto Cx -> sanitized_helper,

  # GLib desktop launch helper (used under the hood by g_app_info_launch)
  /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rmix,
  /usr/bin/env ixr,

  # allow directory listings (ie 'r' on directories) so browsing via the file
  # dialog works
  / r,
  /**/ r,

  # This is need for saving files in your home directory without an extension.
  # Changing this to '@{HOME}/** r' makes it require an extension and more
  # secure (but with 'rw', we still have abstractions/private-files-strict in
  # effect).
  owner @{HOME}/** rw,
  owner /media/**  rw,
  owner @{HOME}/.local/share/gvfs-metadata/** l,
  owner /{,var/}run/user/*/gvfs-metadata/** l,

  owner @{HOME}/.gnome2/evince/*       rwl,
  owner @{HOME}/.gnome2/accels/        rw,
  owner @{HOME}/.gnome2/accelsevince   rw,
  owner @{HOME}/.gnome2/accels/evince  rw,

  # Maybe add to an abstraction?
  /etc/dconf/**                                       r,
  owner @{HOME}/.cache/dconf/user                     rw,
  owner @{HOME}/.config/dconf/user                    r,
  owner @{HOME}/.config/enchant/*                     rk,
  owner /{,var/}run/user/*/dconf/                     w,
  owner /{,var/}run/user/*/dconf/user                 rw,
  owner /{,var/}run/user/*/dconf-service/keyfile/     w,
  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,

  owner /{,var/}run/user/*/at-spi2-*/   rw,
  owner /{,var/}run/user/*/at-spi2-*/** rw,

  # Allow access to the non-abstract D-Bus socket used by at-spi > 2.42.0
  #   https://gitlab.gnome.org/GNOME/at-spi2-core/-/issues/43
  owner /{,var/}run/user/*/at-spi/bus* rw,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read and write for all supported file formats
  /**.[aA][iI]         rw,
  /**.[bB][mM][pP]     rw,
  /**.[dD][jJ][vV][uU] rw,
  /**.[dD][vV][iI]     rw,
  /**.[gG][iI][fF]     rw,
  /**.[jJ][pP][gG]     rw,
  /**.[jJ][pP][eE][gG] rw,
  /**.[oO][dD][pP]     rw,
  /**.[fFpP][dD][fF]   rw,
  /**.[pP][nN][mM]     rw,
  /**.[pP][nN][gG]     rw,
  /**.[pP][sS]         rw,
  /**.[eE][pP][sS]     rw,
  /**.[tT][iI][fF]     rw,
  /**.[tT][iI][fF][fF] rw,
  /**.[xX][pP][mM]     rw,
  /**.[gG][zZ]         rw,
  /**.[bB][zZ]2        rw,
  /**.[cC][bB][rRzZ7]  rw,
  /**.[xX][zZ]         rw,

  # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
  # directory a file is saved. This allows that behavior.
  owner /**/.goutputstream-* w,

  # allow evince to spawn browsers distributed as snaps (LP: #1794064)
  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
}

/usr/bin/evince-previewer {
  include <abstractions/audio>
  include <abstractions/bash>
  include <abstractions/cups-client>
  include <abstractions/dbus-accessibility>
  include <abstractions/evince>
  include <abstractions/ibus>
  include <abstractions/nameservice>

  include <abstractions/ubuntu-browsers>
  include <abstractions/ubuntu-console-browsers>
  include <abstractions/ubuntu-email>
  include <abstractions/ubuntu-console-email>
  include <abstractions/ubuntu-media-players>

  # For now, let evince talk to any session services over dbus. We can
  # blacklist any problematic ones (but note, evince uses libsecret :\)
  include <abstractions/dbus-session>

  include <abstractions/dbus-strict>
  dbus (receive) bus=system,
  # Allow getting information from various system services
  dbus (send)
      bus=system
      member="Get*"
      peer=(label=unconfined),
  # Allow talking to avahi with whatever polkit allows
  dbus (send)
      bus=system
      interface="org.freedesktop.Avahi{,.*}",
  # Allow talking to colord with whatever polkit allows
  dbus (send)
      bus=system
      interface="org.freedesktop.ColorManager{,.*}",


  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  include <abstractions/ubuntu-gnome-terminal>

  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>

  /usr/bin/evince-previewer mr,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect). Write is needed for 'print to file' from the previewer.
  @{HOME}/ r,
  @{HOME}/** rw,

  # Maybe add to an abstraction?
  owner /{,var/}run/user/*/dconf/          w,
  owner /{,var/}run/user/*/dconf/user      rw,
}

/usr/bin/evince-thumbnailer {
  include <abstractions/base>
  include <abstractions/private-files-strict>

  include <abstractions/fonts>
  deny @{HOME}/.{,cache/}fontconfig/** wl,
  deny @{HOME}/missfont.log wl,

  include <abstractions/dbus-session-strict>
  dbus (receive) bus=session,
  dbus (send)
    bus=session
    path="/org/gtk/vfs/mounttracker"
    interface="org.gtk.vfs.MountTracker"
    member="ListMountableInfo"
    peer=(label=unconfined),

  # updating gvfs-metadata for thumbnails is unneeded, so explicitly deny it
  deny dbus (send)
    bus=session
    path="/org/gtk/vfs/metadata"
    interface="org.gtk.vfs.Metadata"
    member="GetTreeFromDevice"
    peer=(label=unconfined),
  deny @{HOME}/.local/share/gvfs-metadata/* r,

  dbus (send)
    bus=session
    path="/org/gtk/vfs/Daemon"
    interface="org.gtk.vfs.Daemon"
    member="List*"
    peer=(label=unconfined),

  # The thumbnailer doesn't need access to everything in the nameservice
  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
  # logging denial of nsswitch.conf.
  /etc/passwd r,
  /etc/group r,
  deny /etc/nsswitch.conf r,

  # TCP/UDP network access for NFS
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

  /etc/papersize r,

  /usr/bin/evince-thumbnailer mr,

  /etc/texmf/ r,
  /etc/texmf/** r,
  /etc/xpdf/* r,

  /usr/bin/gs-esp ixr,
  # Silence these denials since 'no new privs' drops transitions to
  # sanitized_helper, we don't want all those perms in the thumbnailer
  # and the thumbnailer generates thumbnails without these just fine.
  deny /usr/bin/mktexpk x,
  deny /usr/bin/mktextfm x,
  deny /usr/bin/dvipdfm x,
  deny /usr/bin/dvipdfmx x,
  deny /usr/bin/mkofm x,

  # supported archivers
  /{usr/,}bin/gzip ixr,
  /{usr/,}bin/bzip2 ixr,
  /usr/bin/unrar* ixr,
  /usr/bin/unzip ixr,
  /usr/bin/7zr ixr,
  /usr/lib/p7zip/7zr ixr,
  /usr/bin/7za ixr,
  /usr/lib/p7zip/7za ixr,
  /usr/bin/zipnote ixr,
  /{usr/,}bin/tar ixr,
  /usr/bin/xz ixr,

  # miscellaneous access for the above
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  /sys/devices/system/cpu/ r,

  # allow read access to anything in /usr/share, for plugins and input methods
  /usr/local/share/** r,
  /usr/share/** r,
  /usr/lib/ghostscript/** mr,
  /var/lib/ghostscript/** r,
  /var/lib/texmf/** r,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read for all supported file formats
  /**.[bB][mM][pP]     r,
  /**.[dD][jJ][vV][uU] r,
  /**.[dD][vV][iI]     r,
  /**.[gG][iI][fF]     r,
  /**.[jJ][pP][gG]     r,
  /**.[jJ][pP][eE][gG] r,
  /**.[oO][dD][pP]     r,
  /**.[fFpP][dD][fF]   r,
  /**.[pP][nN][mM]     r,
  /**.[pP][nN][gG]     r,
  /**.[pP][sS]         r,
  /**.[eE][pP][sS]     r,
  /**.[eE][pP][sS][fFiI23] r,
  /**.[tT][iI][fF]     r,
  /**.[tT][iI][fF][fF] r,
  /**.[xX][pP][mM]     r,
  /**.[gG][zZ]         r,
  /**.[bB][zZ]2        r,
  /**.[cC][bB][rRtTzZ7]  r,
  /**.[xX][zZ]         r,

  owner @{HOME}/.texlive*/** r,
  owner @{HOME}/.texmf*/** r,
  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,
  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/** r,

  # With the network rules above, this allows data exfiltration for files
  # not covered by private-files-strict.
  @{HOME}/ r,
  owner @{HOME}/[^.]** r,
  owner /media/**  r,

  owner /tmp/.gnome_desktop_thumbnail* w,
  owner /tmp/gnome-desktop-* rw,
  owner /tmp/evince-thumbnailer*/{,**} rw,
  
  # these happen post pivot_root
  / r,
  deny /missfont.log w,

  # Site-specific additions and overrides. See local/README for details.
  include <local/usr.bin.evince>
}
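As an added example, not part of the bug report or of the apparmor package, the following POSIX shell helpers automate the triage the report does by hand: pull the profile names out of the "Unable to replace ... Profile doesn't conform to protocol" lines printed by apparmor_parser, locate the file under /etc/apparmor.d whose header declares each name (the error names the profile, e.g. /usr/bin/evince-thumbnailer, while the file is usr.bin.evince), and optionally reload just those files with `apparmor_parser -r`. The function names, the `--reload` flag and the sample log (constructed from the output quoted in the report) are assumptions of this example; the profile directory defaults to /etc/apparmor.d.

```shell
#!/bin/sh
# Added example (not from the report): map apparmor_parser load failures
# back to the profile files that declare them, so the failing profiles can be
# reloaded individually instead of re-running dpkg-reconfigure blind.

# Constructed sample of the parser output quoted in the report.
SAMPLE_LOG=$(cat <<'EOF'
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
/sbin/apparmor_parser: Unable to replace "/usr/bin/evince-thumbnailer".  Profile doesn't conform to protocol
/sbin/apparmor_parser: Unable to replace "/usr/libexec/geoclue".  Profile doesn't conform to protocol
Error: At least one profile failed to load
EOF
)

# Print the quoted profile name from every "Unable to replace" line, one per line.
failed_profiles() {
    printf '%s\n' "$1" | sed -n 's/^.*Unable to replace "\([^"]*\)"\..*$/\1/p'
}

# Print the file(s) directly under $1 whose profile header declares name $2.
# A header is the (optionally quoted, optionally "profile"-prefixed) name at
# line start, an optional flags=(...) list, then '{'. Subdirectories such as
# abstractions/ and tunables/ are skipped; child profiles are not scanned.
profile_file_for() {
    dir=$1
    re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # dots in the name are literal
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -qE "^(profile[[:space:]]+)?\"?${re}\"?[[:space:]]+(flags=\([^)]*\)[[:space:]]+)?[{]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# For each failing profile in the log ($2), print "name -> file" using the
# profile directory $1. With a third argument of --reload (hypothetical flag),
# also replace that file in the kernel, which needs root, as the report did.
triage() {
    dir=$1; log=$2; reload=${3:-}
    failed_profiles "$log" | while IFS= read -r name; do
        file=$(profile_file_for "$dir" "$name")
        if [ -z "$file" ]; then
            echo "$name: no declaring file found under $dir" >&2
            continue
        fi
        echo "$name -> $file"
        if [ "$reload" = "--reload" ]; then
            apparmor_parser -r "$file"
        fi
    done
}

# Typical use on a real system, feeding the parser's own output:
#   triage /etc/apparmor.d "$(dpkg-reconfigure apparmor 2>&1)"
```

The lookup is a plain header grep rather than a full profile parse, so it only finds top-level profiles declared by name; that is enough for the two failures in the report, where both names appear as headers in the attached files.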
