Bug#908516: Apparmor profile breaks print preview
Simon McVittie
smcv at debian.org
Wed Sep 12 21:40:49 BST 2018
On Mon, 10 Sep 2018 at 13:58:41 -0400, Ryan Kavanagh wrote:
> Adding the
> following line to /etc/apparmor.d/usr.bin.evince seems to fix the issue,
> though you should probably consult apparmor.d(5) and pick something more
> sensible that "uxr" as a permission:
>
> /usr/lib/@{multiarch}/glib-2.0/gio-launch-desktop uxr,
rmix seems more appropriate - that would allow gio-launch-desktop to
execute anything that evince itself would have been allowed to execute
directly, with evince's own privileges.
gio-launch-desktop is an implementation detail of GIO and should be
executed with the same privileges that library code in its caller would
have: it replaces a direct fork-and-exec code path in older GIO, as a
way to allow use of posix_spawn(), which has a smaller virtual memory
footprint. It is definitely not designed to be a security boundary. It
executes whatever is in argv[1, 2...] with GIO_LAUNCHED_DESKTOP_FILE_PID
added to the environment, so if you are allowed to execute it unconfined,
you are allowed to execute anything else unconfined too. That would
be bad.
smcv
More information about the pkg-gnome-maintainers
mailing list