[pkg-apparmor] Bug#1128770: /etc/apparmor.d/usr.bin.papers: consider whether cost/benefit ratio justifies using AppArmor here
Simon McVittie
smcv at debian.org
Sun Feb 22 17:19:28 GMT 2026
Source: papers
Severity: normal
X-Debbugs-Cc: apparmor at packages.debian.org, security at debian.org, Jamie Strandboge <jamie at ubuntu.com>
Control: affects -1 + src:apparmor
Similar to the corresponding bug in src:evince, the papers package
(which replaces evince as upstream GNOME's document viewer) has a
downstream-added AppArmor profile, heavily based on the one for evince,
which originated in Ubuntu.
In theory the benefit of this profile (if I'm guessing the history
correctly) is that it mitigates security vulnerabilities that might
exist in poppler and similar libraries, making it harder for an attacker
to exploint those vulnerabilities by supplying a crafted
PDF/Postscript/etc. document. However, as with src:evince, in practice
there are sandbox escapes that would allow an attacker to bypass it, so
at best it makes attacks more difficult.
Meanwhile, the cost of this profile is that any time papers or one of
its dependencies needs to do something for its normal operation that the
author of the profile didn't foresee, that feature will not work, in
particular the recent addition of sandboxed image loaders (using glycin
via gdk-pixbuf).
In papers' short history, we already have a couple of bugs that appear
to be caused by the AppArmor profile: <https://bugs.debian.org/1120163>,
<https://bugs.debian.org/1099688>. I'm sure there are more, they just
haven't been reported yet.
Just like evince, I'm now questioning whether the benefit of the
AppArmor profile is worth its cost. Would we be better off without it?
smcv
More information about the pkg-apparmor-team
mailing list