Bug#1029760: evince: AppArmor prevents opening PDF files stored on Google drive

Laurent Bigonville bigon at debian.org
Fri Jan 27 09:21:04 GMT 2023 

Package: evince
Version: 43.1-2+b1
Severity: important

Hello,

It seems that the AppArmor profile is not allowing evince to read file
accessed via the GVFS on Google drive (and probably other integrations)

I get the following denials:

type=AVC msg=audit(1674751821.962:528): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/gvfs/google-drive:host=example.com,user=foo/<path>" pid=11026 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"

Adding the following rule is allowing me to read my files, but I'm not
sure that enough or consistant with the other rules (shouldn't write
access be allowed too?):

/{,var/}run/user/*/gvfs/** r,

Kind regards,
Laurent Bigonville

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-4
ii  evince-common                                43.1-2
ii  gsettings-desktop-schemas                    43.0-1
ii  libatk1.0-0                                  2.46.0-4
ii  libc6                                        2.36-8
ii  libcairo-gobject2                            1.16.0-7
ii  libcairo2                                    1.16.0-7
ii  libevdocument3-4                             43.1-2+b1
ii  libevview3-3                                 43.1-2+b1
ii  libgdk-pixbuf-2.0-0                          2.42.10+dfsg-1+b1
ii  libglib2.0-0                                 2.74.5-1
ii  libgnome-desktop-3-20                        43.1-1
ii  libgtk-3-0                                   3.24.36-2
ii  libhandy-1-0                                 1.8.0-1
ii  libpango-1.0-0                               1.50.12+ds-1
ii  libpangocairo-1.0-0                          1.50.12+ds-1
ii  libsecret-1-0                                0.20.5-3
ii  shared-mime-info                             2.2-1

Versions of packages evince recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.14.4-1

Versions of packages evince suggests:
ii  gvfs             1.50.3-1
pn  nautilus-sendto  <none>
ii  poppler-data     0.4.11-1
pn  unrar            <none>

-- no debconf information

More information about the pkg-gnome-maintainers mailing list