Bug#1029760: evince: AppArmor prevents opening PDF files stored on Google drive
intrigeri
intrigeri at debian.org
Wed Mar 1 09:00:04 GMT 2023
Hi,
>> Does it end with ".pdf", like name="/run/..../....pdf", or does it
>> look different?
Since then, Laurent shared details privately (thanks!) and we now know
that the path passed to name="..." does not end with a known
extension, so we can't match on that :/
This is, unfortunately, a good example of the limitations of AppArmor
for desktop apps.
Short term, we need to choose between:
- Option A: works out of the box for files stored behind gvfs, impact
of exploitation of Evince is higher by default
Add a rule like the one you suggested initially.
- Option B: opening files stored behind gvfs requires tweaking files
in /etc, impact of exploitation of Evince is lower by default
I think the maintainers of the app are generally the best placed to
decide what's best.
My 2 cts: personally, given how wide open the Evince profile already
is, I don't think the marginal security improvement of option B is
worth the UX pain, so I would go for option A.
And in passing, another 2 cts: mid term, as long as we ship desktop
apps as Debian packages weakly-sandboxed with AppArmor, as opposed to
Flatpak, perhaps we should consider making them use Desktop Portals
(e.g. via GTK_USE_PORTAL=1). This would allow us to make the AppArmor
policy much stricter, and would solve the whole class of UX problems
that this bug is part of.
Cheers,
--
intrigeri
More information about the pkg-gnome-maintainers
mailing list