[pkg-apparmor] Bug#1109826: evince: print preview doesn't work if the papers package is installed: apparmor="DENIED" name="/usr/bin/papers-previewer"

Alessandro Astone alessandro.astone at canonical.com
Thu Jul 24 23:45:12 BST 2025


Yeah a Pix rule sounds good to me.

I was also briefly considering whether it would make sense to hard-code 
a special case for evince to always use evince-previewer, since it's 
bundled in the same project. But you probably wouldn't want to override 
the system default just for one specific app..?

On 24/07/2025 22:33, Christian Boltz wrote:
> Hello,
>
> Am Donnerstag, 24. Juli 2025, 21:54 schrieb Simon McVittie:
>> On Thu, 24 Jul 2025 at 20:45:28 +0200, Christian Boltz wrote:
>>> we need a separate profile for papers-previewer
>> We already have one, in the papers package.
> Even better :-)
>
>>>>      /usr/bin/evince-previewer Px,
>>>>
>>>> +  /usr/bin/papers-previewer Pix,
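Review bot: the added rule uses `Pix` while the neighbouring `/usr/bin/evince-previewer` rule uses `Px`; if the papers-previewer profile is not loaded, the `ix` fallback runs the previewer inside the evince profile, so any denials it triggers are logged against evince rather than against papers-previewer. Since the papers package ships its own profile, `/usr/bin/papers-previewer Px,` would match the line above and keep the two previewers confined the same way.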
>>> A Px rule (without the ix fallback) would be better.
>> Would that load successfully, but gracefully decline to run
>> /usr/bin/papers-previewer (which in practice would not exist), if the
>> papers package isn't installed?
> Right, the profile will load successfully.
>
> If evince tries to execute papers-previewer, and that profile isn't
> loaded, the exec will be denied and audit.log will log the denial with
> something like "target profile doesn't exist".
>
>> I thought that falling back to "same access to things that evince
>> would already have had" would be less bad than falling back to "can't
>> run at all". Running arbitrary code with "ix" is no worse for
>> hardening purposes than the same code being in-process, after all...
> I get your theory.
> In practice, it depends - does the target profile grant more or less
> permissions than the current profile?
> (There's also the risk that denials will be reported for the "wrong"
> profile if the ix fallback gets used, so the evince profile might get
> permissions added that are only needed for papers-previewer.)
>
>> evince needs to work normally if papers is not installed, in which
>> case print preview should get ENOENT when attempting to run
>> papers-previewer, and fall back to evince-previewer, the same as it
>> would do in the absence of AppArmor.
> As long as "papers-previewer is installed" also means "the AppArmor
> profile for papers-previewer is loaded", everything should work as you
> expect.
>
>
> Regards,
>
> Christian Boltz
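
As an added illustration (not code from this thread, nor from the evince or papers packages), the following Python script parses constructed AppArmor audit records and flags the two outcomes discussed above: an exec that is denied because the Px target profile is not loaded, and denials that are logged under the evince profile while comm= names a different program, which is what the ix fallback produces. The sample records, the info= wording standing in for "target profile doesn't exist", and the file paths are assumptions, not quotes from a real audit.log.

```python
import re
from collections import Counter

# Constructed sample audit records (assumptions, not taken from the thread).
# The info= text is a stand-in for the "target profile doesn't exist" wording
# paraphrased in the discussion. comm= is truncated to 15 characters by the
# kernel, hence "papers-previewe".
SAMPLE_AUDIT_LINES = [
    # Px to a target whose profile is not loaded: exec denied, logged under evince
    'type=AVC msg=audit(1753396712.123:456): apparmor="DENIED" operation="exec" '
    'class="file" info="profile transition not found" error=-13 profile="evince" '
    'name="/usr/bin/papers-previewer" pid=4242 comm="evince" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0',
    # ix fallback taken: the child runs confined by the evince profile, so its
    # own denials are attributed to "evince" even though comm= says otherwise
    'type=AVC msg=audit(1753396713.001:457): apparmor="DENIED" operation="open" '
    'class="file" profile="evince" name="/usr/share/papers/example.ui" pid=4243 '
    'comm="papers-previewe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Ordinary denial for evince itself
    'type=AVC msg=audit(1753396714.500:458): apparmor="DENIED" operation="open" '
    'class="file" profile="evince" name="/etc/shadow" pid=4242 comm="evince" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Allowed events carry no finding
    'type=AVC msg=audit(1753396715.000:459): apparmor="ALLOWED" operation="open" '
    'class="file" profile="evince" name="/tmp/x" pid=4242 comm="evince" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Split an AppArmor audit line into a dict of key -> value (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def classify(record):
    """Label a denial record, or return None when nothing is notable.

    missing-transition: a Px-style exec whose target profile is not loaded.
    foreign-comm: a denial logged under one profile while comm= names another
                  program, the signature of an ix fallback running the child
                  under the parent's profile.
    plain-denial: any other denial for the profile's own program.
    """
    if record.get("apparmor") != "DENIED":
        return None
    if (record.get("operation") == "exec"
            and "transition not found" in record.get("info", "")):
        return "missing-transition"
    # Child profiles look like "parent//child"; compare the leaf name only,
    # and only its first 15 characters because comm= is truncated there.
    profile = record.get("profile", "").rsplit("/", 1)[-1]
    comm = record.get("comm", "")
    if comm and profile and profile[:15] != comm[:15]:
        return "foreign-comm"
    return "plain-denial"


def summarize(lines):
    """Count findings per (profile, comm, finding) so mis-attributed denials stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        finding = classify(rec)
        if finding:
            counts[(rec.get("profile"), rec.get("comm"), finding)] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, finding), n in sorted(summarize(SAMPLE_AUDIT_LINES).items()):
        print(f"{n:3d}  profile={profile:<10} comm={comm:<16} {finding}")
```

Run against a real audit.log, a "foreign-comm" count under the evince profile is the signal that permissions are about to be added to the wrong profile, which is the risk Christian describes; a "missing-transition" entry for /usr/bin/papers-previewer is the expected, harmless outcome of a Px rule on a system where papers is not installed.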
