Bug#888620: evince: apparmor profile prevents loading git-annex files
Michael Gold
michael at bitplane.org
Sat Jan 27 20:59:32 UTC 2018
Package: evince
Version: 3.26.0-2

A recent kernel upgrade pulled in AppArmor, after which I was no longer
able to view (some) PDF files in git-annex repositories. For example:

$ cd
$ pwd -P
/home/michael
$ cd ~/x
$ mkdir git-annex-test
$ cd git-annex-test/
$ pwd -P
/xr0/michael/x/git-annex-test
$ git init
Initialized empty Git repository in /xr0/michael/x/git-annex-test/.git/
$ git annex init
init ok
(recording state in git...)
$ cp ~/download/meltdown.pdf .
$ git annex add --backend=SHA256 meltdown.pdf
add meltdown.pdf ok
(recording state in git...)
$ ls -l
total 4
lrwxrwxrwx 1 michael michael 186 Jan 27 14:54 meltdown.pdf -> .git/annex/objects/j9/5J/SHA256-s188549--593ea59090a096211b06194fb5985d5c2ea2b5bd85b540d01802d5d7da2d36f8/SHA256-s188549--593ea59090a096211b06194fb5985d5c2ea2b5bd85b540d01802d5d7da2d36f8
$ /usr/bin/evince meltdown.pdf

(This is basically the same setup I use to store most of my PDF files.)

The evince window appears and shows this error:

Unable to open document “file:///home/michael/x/git-annex-test/meltdown.pdf”.

And this message is logged:

apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/xr0/michael/x/git-annex-test/.git/annex/objects/j9/5J/SHA256-s188549--593ea59090a096211b06194fb5985d5c2ea2b5bd85b540d01802d5d7da2d36f8/SHA256-s188549--593ea59090a096211b06194fb5985d5c2ea2b5bd85b540d01802d5d7da2d36f8" pid=21442 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

The problem seems to be that the file isn't treated as being under $HOME
and isn't treated as having a ".pdf" suffix. Both are true for the name
being opened, but not for the target.

Workaround (disables the policy):

# ln -s ../usr.bin.evince /etc/apparmor.d/disable/
# apparmor_parser -R /etc/apparmor.d/usr.bin.evince

I don't understand what the policy is trying to guard against; a comment
says requiring an extension is "more secure", but doesn't explain why.

- Michael

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, mips, i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages evince depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.26.1-2
ii evince-common 3.26.0-2
ii gsettings-desktop-schemas 3.24.1-2
ii libatk1.0-0 2.26.1-2
ii libc6 2.26-2
ii libcairo-gobject2 1.15.8-3
ii libcairo2 1.15.8-3
ii libevdocument3-4 3.26.0-2
ii libevview3-3 3.26.0-2
ii libgdk-pixbuf2.0-0 2.36.11-1
ii libglib2.0-0 2.54.2-5
ii libgnome-desktop-3-12 3.26.2-4
ii libgtk-3-0 3.22.26-2
ii libnautilus-extension1a 3.26.2-1
ii libpango-1.0-0 1.40.14-1
ii libpangocairo-1.0-0 1.40.14-1
ii libsecret-1-0 0.18.5-5
ii shared-mime-info 1.9-2
Versions of packages evince recommends:
ii dbus-x11 [dbus-session-bus] 1.12.2-1
Versions of packages evince suggests:
pn gvfs <none>
pn nautilus-sendto <none>
ii poppler-data 0.4.8-2
pn unrar <none>
-- no debconf information
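
The mismatch described in the report, as an added example that is not part of the original message or of the evince profile: AppArmor mediates the path left after symlink resolution (the name= field of the denial), so a rule keyed on home directory and file suffix can match the name the user typed yet miss the target. rule_matches is a hypothetical simplification of such a rule, and the sample log line and directory layout are constructed.

```python
import os
import shlex
import tempfile

# Constructed sample in the format of the denial quoted in the report.
SAMPLE = ('apparmor="DENIED" operation="open" profile="/usr/bin/evince" '
          'name="/xr0/user/x/repo/.git/annex/objects/SHA256-s1--constructed" '
          'pid=1 comm="EvJobScheduler" requested_mask="r" denied_mask="r"')

def parse_denial(line):
    """Split an AppArmor audit message into a {key: value} dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def rule_matches(path, home, exts=(".pdf",)):
    """Hypothetical stand-in for a rule of the form '<home>/**.pdf r'.
    Assumption: this is NOT the text of the real evince profile."""
    path = os.path.normpath(path)
    return path.startswith(home.rstrip("/") + "/") and path.lower().endswith(exts)

def explain(opened_name, home):
    """Compare the name the user typed with the path that gets mediated."""
    target = os.path.realpath(opened_name)  # symlinks resolved, as in name=
    return {"opened": opened_name, "mediated": target,
            "opened_matches": rule_matches(opened_name, home),
            "mediated_matches": rule_matches(target, home)}

def demo():
    """Rebuild the report's layout in a temp dir: ~/x is a symlink to another
    volume and the .pdf is a symlink to an extensionless annex object."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        home = os.path.join(root, "home", "user")
        repo = os.path.join(root, "xr0", "user", "x", "repo")
        objects = os.path.join(repo, ".git", "annex", "objects")
        os.makedirs(home)
        os.makedirs(objects)
        open(os.path.join(objects, "SHA256-s1--constructed"), "wb").close()
        os.symlink(os.path.dirname(repo), os.path.join(home, "x"))
        os.symlink(".git/annex/objects/SHA256-s1--constructed",
                   os.path.join(repo, "paper.pdf"))
        return explain(os.path.join(home, "x", "repo", "paper.pdf"), home)

if __name__ == "__main__":
    print(parse_denial(SAMPLE)["name"])
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running explain() on a real file that fails to open shows whether the resolved target, rather than the visible name, is what falls outside the paths a profile allows.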