Bug#1029760: evince: AppArmor prevents opening PDF files stored on Google drive

[intrigeri]

Hi,

Laurent Bigonville (2023-01-27):
> It seems that the AppArmor profile is not allowing evince to read file
> accessed via the GVFS on Google drive (and probably other integrations)

I don't have the infrastructure in place to reproduce this easily,
so I'm going to ask some more info.

> I get the following denials:
>
> type=AVC msg=audit(1674751821.962:528): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gvfs/google-drive:host=example.com,user=foo/<path>" pid=11026 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"

I suppose you've redacted this part:

  user=foo/<path>

I'd like to understand why the value for "name" did not match any of
these rules:

  /**.[bB][mM][pP]     r,
  /**.[dD][jJ][vV][uU] r,
  /**.[dD][vV][iI]     r,
  /**.[gG][iI][fF]     r,
  /**.[jJ][pP][gG]     r,
  /**.[jJ][pP][eE][gG] r,
  /**.[oO][dD][pP]     r,
  /**.[fFpP][dD][fF]   r,
  /**.[pP][nN][mM]     r,
  /**.[pP][nN][gG]     r,
  /**.[pP][sS]         r,
  /**.[eE][pP][sS]     r,
  /**.[eE][pP][sS][fFiI23] r,
  /**.[tT][iI][fF]     r,
  /**.[tT][iI][fF][fF] r,
  /**.[xX][pP][mM]     r,
  /**.[gG][zZ]         r,
  /**.[bB][zZ]2        r,
  /**.[cC][bB][rRtTzZ7]  r,
  /**.[xX][zZ]         r,

Could you please share a bit more about the value of "name" in the
error message, possibly privately?

Does it end with ".pdf", like name="/run/..../....pdf", or does it
look different?

Cheers,
-- 
intrigeri