[Pkg-giraffe-maintainers] Bug#934460: AppArmor configuration doesn't cover mime.types, pdftotext and proc

Martin Wolf mwolf at adiumentum.com
Sun Aug 11 11:23:24 BST 2019


Package: kopano-search
Version: 8.7.0-3

The default AppArmor configuration file
/etc/apparmor.d/usr.sbin.kopano-search doesn't cover /etc/mime.types,
which is needed to do a proper search index.
When that file is allowed in AppArmor, two more errors pop up.
1. When kopano-search seems to find a PDF file, it wants to trigger
/usr/bin/pdftotext, to index its content (?)
2. In the same second it wants to read /proc/20872/fd/. I am not sure
what to make out of that, since it repeats itself with different pids so
you probably have to allow "r" to /proc/ altogether.

Adding
"/etc/mime.types r,"
"/usr/bin/pdftotext ix," (I am not sure if that is the right setting)

to /etc/apparmor.d/usr.sbin.kopano-search seems to help.

Error without the modified AppArmor policy:
 
Aug 11 01:35:16 kernel: [ 3322.010759] audit: type=1400
audit(1565480116.637:45): apparmor="DENIED" operation="open"
profile="/usr/sbin/kopano-search" name="/etc/mime.types" pid=1493
comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

Aug 11 10:12:13 kernel: [18226.318157] audit: type=1400
audit(1565511133.483:60): apparmor="DENIED" operation="exec"
profile="/usr/sbin/kopano-search" name="/usr/bin/pdftotext" pid=20867
comm="sh" requested_mask="x" denied_mask="x" fsuid=110 ouid=0

Aug 11 10:12:13 kernel: [18226.390412] audit: type=1400
audit(1565511133.555:68): apparmor="DENIED" operation="open"
profile="/usr/sbin/kopano-search" name="/proc/20872/fd/" pid=20872
comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=110 ouid=0


Linux 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64
GNU/Linux
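
Added example, not part of the original report: a Python sketch that parses the three denials quoted above and derives one candidate profile rule per denied path, for review before anything is added to the profile. The function names are hypothetical; it assumes the profile includes `<tunables/global>` so that `@{PROC}` and `@{pid}` are defined, and it emits `ix` for exec only because that is the mode the report tried.

```python
import re
from collections import defaultdict

# The denials from the report above, each re-joined onto a single line.
SAMPLE_LOG = """\
Aug 11 01:35:16 kernel: [ 3322.010759] audit: type=1400 audit(1565480116.637:45): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/mime.types" pid=1493 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Aug 11 10:12:13 kernel: [18226.318157] audit: type=1400 audit(1565511133.483:60): apparmor="DENIED" operation="exec" profile="/usr/sbin/kopano-search" name="/usr/bin/pdftotext" pid=20867 comm="sh" requested_mask="x" denied_mask="x" fsuid=110 ouid=0
Aug 11 10:12:13 kernel: [18226.390412] audit: type=1400 audit(1565511133.555:68): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/proc/20872/fd/" pid=20872 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PROC_PID = re.compile(r'^/proc/\d+/')               # per-process /proc entry


def parse_denials(text):
    """Yield a dict of key=value fields for every apparmor="DENIED" line."""
    for line in text.splitlines():
        fields = {k: q if q else u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def suggest_rules(text):
    """Return {profile: [rule, ...]} with one merged rule per denied path."""
    masks = defaultdict(set)
    for d in parse_denials(text):
        # A literal pid changes on every run; use the tunables instead of
        # widening the rule to all of /proc.
        path = PROC_PID.sub("@{PROC}/@{pid}/", d["name"])
        masks[(d["profile"], path)].update(d["denied_mask"])
    rules = defaultdict(list)
    for (profile, path), mask in sorted(masks.items()):
        # "x" needs an explicit transition mode; ix is an assumption to review.
        perms = "".join(sorted(mask - {"x"})) + ("ix" if "x" in mask else "")
        rules[profile].append(f"{path} {perms},")
    return dict(rules)


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```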


