Bug#908516: Apparmor profile breaks print preview

Ryan Kavanagh rak at debian.org
Mon Sep 10 18:58:41 BST 2018


Package: evince
Version: 3.30.0-2
Severity: normal

The apparmor profile installed by evince breaks the print preview
functionality by blocking execution of gio-launch-desktop (apparently the
helper GLib now uses to spawn evince-previewer). Adding the following line
to /etc/apparmor.d/usr.bin.evince seems to fix the issue, though you should
probably consult apparmor.d(5) and pick something more sensible than "uxr"
as a permission: "ux" runs the helper unconfined, so anything evince
launches through it escapes the profile entirely. Something like "ixr", or
"Cx -> sanitized_helper" as this profile already uses for its other helpers,
would keep it confined:

      /usr/lib/@{multiarch}/glib-2.0/gio-launch-desktop uxr,

Best wishes,
Ryan

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.30.0-1
ii  evince-common                                3.30.0-2
ii  gsettings-desktop-schemas                    3.28.0-1
ii  libatk1.0-0                                  2.30.0-1
ii  libc6                                        2.27-6
ii  libcairo-gobject2                            1.15.12-1
ii  libcairo2                                    1.15.12-1
ii  libevdocument3-4                             3.30.0-2
ii  libevview3-3                                 3.30.0-2
ii  libgdk-pixbuf2.0-0                           2.38.0+dfsg-4
ii  libglib2.0-0                                 2.58.0-3
ii  libgnome-desktop-3-17                        3.30.0-1
ii  libgtk-3-0                                   3.24.0-2
ii  libnautilus-extension1a                      3.30.0-2
ii  libpango-1.0-0                               1.42.4-3
ii  libpangocairo-1.0-0                          1.42.4-3
ii  libsecret-1-0                                0.18.6-2
ii  shared-mime-info                             1.9-2

Versions of packages evince recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.12.10-1
ii  dbus-x11 [dbus-session-bus]                   1.12.10-1

Versions of packages evince suggests:
ii  gvfs             1.36.2-1
pn  nautilus-sendto  <none>
ii  poppler-data     0.4.9-2
ii  unrar            1:5.5.8-1

-- Configuration Files:
/etc/apparmor.d/usr.bin.evince changed (shown with the gio-launch-desktop line from above already added):
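# Main profile for the evince document viewer. Helpers it spawns either
# inherit this profile ('ix'), transition to their own profile ('Px'), or
# run in the shared 'sanitized_helper' child profile ('Cx'). Nothing here
# should run unconfined ('ux'): that would let a crafted document or
# .desktop file escape the sandbox.
/usr/bin/evince {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>
  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include <abstractions/ubuntu-gnome-terminal>
  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>
  ##include <abstractions/ubuntu-konsole>
  /usr/bin/evince rmPx,
  # The previewer has its own profile below; 'Px' scrubs the environment.
  /usr/bin/evince-previewer Px,
  /usr/bin/yelp Cx -> sanitized_helper,
  # NOTE(review): lowercase 'px' transitions without scrubbing the
  # environment (LD_PRELOAD and friends survive); 'Px' is the safer default
  # unless bug-buddy is known to need the inherited environment.
  /usr/bin/bug-buddy px,
  # 'Show Containing Folder' (LP: #1022962)
  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
  /usr/bin/krusader Cx -> sanitized_helper, # KDE
  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE
  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,
  # For text attachments
  /usr/bin/gedit ixr,
  # Print preview (Bug#908516): GLib launches the preview helper through
  # gio-launch-desktop, which then execs the real target (here
  # /usr/bin/evince-previewer). 'ix' keeps the launcher under this profile,
  # so the final exec is still governed by the exec rules above (the
  # previewer transitions with 'Px'). Do NOT use 'ux' here: an unconfined
  # launcher can run any .desktop Exec= line, which defeats the profile. If
  # preview still fails with 'ix', look for the denied exec in the audit log
  # and add a specific rule for it instead of loosening this one.
  /usr/lib/@{multiarch}/glib-2.0/gio-launch-desktop ixr,
  # For Send to
  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
  # allow directory listings (ie 'r' on directories) so browsing via the file
  # dialog works
  / r,
  /**/ r,
  # This is need for saving files in your home directory without an extension.
  # Changing this to '@{HOME}/** r' makes it require an extension and more
  # secure (but with 'rw', we still have abstractions/private-files-strict in
  # effect).
  owner @{HOME}/** rw,
  owner /media/**  rw,
  owner @{HOME}/.local/share/gvfs-metadata/** l,
  owner /{,var/}run/user/*/gvfs-metadata/** l,
  owner @{HOME}/.gnome2/evince/*       rwl,
  owner @{HOME}/.gnome2/accels/        rw,
  owner @{HOME}/.gnome2/accelsevince   rw,
  owner @{HOME}/.gnome2/accels/evince  rw,
  # Maybe add to an abstraction?
  /etc/dconf/**                                       r,
  owner @{HOME}/.cache/dconf/user                     rw,
  owner @{HOME}/.config/dconf/user                    r,
  owner /{,var/}run/user/*/dconf/                     w,
  owner /{,var/}run/user/*/dconf/user                 rw,
  owner /{,var/}run/user/*/dconf-service/keyfile/     w,
  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
  owner /{,var/}run/user/*/at-spi2-*/   rw,
  owner /{,var/}run/user/*/at-spi2-*/** rw,
  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read and write for all supported file formats
  /**.[bB][mM][pP]     rw,
  /**.[dD][jJ][vV][uU] rw,
  /**.[dD][vV][iI]     rw,
  /**.[gG][iI][fF]     rw,
  /**.[jJ][pP][gG]     rw,
  /**.[jJ][pP][eE][gG] rw,
  /**.[oO][dD][pP]     rw,
  /**.[fFpP][dD][fF]   rw,
  /**.[pP][nN][mM]     rw,
  /**.[pP][nN][gG]     rw,
  /**.[pP][sS]         rw,
  /**.[eE][pP][sS]     rw,
  /**.[tT][iI][fF]     rw,
  /**.[tT][iI][fF][fF] rw,
  /**.[xX][pP][mM]     rw,
  /**.[gG][zZ]         rw,
  /**.[bB][zZ]2        rw,
  /**.[cC][bB][rRzZ7]  rw,
  /**.[xX][zZ]         rw,
  # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
  # directory a file is saved. This allows that behavior.
  owner /**/.goutputstream-* w,
}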
# Profile for the print-preview helper. It is entered from the main evince
# profile via 'Px' (see the '/usr/bin/evince-previewer Px,' rule there), so
# it starts with a scrubbed environment.
/usr/bin/evince-previewer {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-strict>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>
  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include <abstractions/ubuntu-gnome-terminal>
  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>
  /usr/bin/evince-previewer mr,
  /usr/bin/yelp Cx -> sanitized_helper,
  # NOTE(review): lowercase 'px' does not scrub the environment; 'Px' would
  # match the transition used for the previewer itself.
  /usr/bin/bug-buddy px,
  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect). Write is needed for 'print to file' from the previewer.
  @{HOME}/ r,
  # NOTE(review): unlike the main evince profile and the thumbnailer, this
  # rule carries no 'owner' qualifier, so only DAC stops the previewer from
  # writing files under @{HOME} that belong to another user. Consider
  # 'owner @{HOME}/** rw,' unless print-to-file is known to need more.
  @{HOME}/** rw,
  # Maybe add to an abstraction?
  owner /{,var/}run/user/*/dconf/          w,
  owner /{,var/}run/user/*/dconf/user      rw,
}
# Profile for the thumbnailer, which parses untrusted documents on behalf of
# the file manager and so gets the smallest rule set of the three.
/usr/bin/evince-thumbnailer {
  #include <abstractions/dbus-session>
  #include <abstractions/evince>
  # The thumbnailer doesn't need access to everything in the nameservice
  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
  # logging denial of nsswitch.conf.
  /etc/passwd r,
  /etc/group r,
  # Explicit 'deny' so the expected lookup does not spam the audit log.
  deny /etc/nsswitch.conf r,
  # TCP/UDP network access for NFS
  # NOTE(review): these rules grant general inet/inet6 socket access, not just
  # NFS; if home directories are never on NFS on a given system, dropping
  # them would remove a network path from a process that parses untrusted
  # input.
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  /usr/bin/evince-thumbnailer mr,
  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect).
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/**  rw,
}


-- no debconf information

-- 
|)|/  Ryan Kavanagh      | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac     |      BD95 8F7B F8FC 4A11 C97A