Bug#1084761: Evince apparmor profile launches child firefox-esr process with harmful(?) confinement

Trent W. Buck trentbuck at gmail.com
Mon Oct 7 23:23:37 BST 2024


Package: evince
Version: 43.1-2+b1
Severity: minor
File: /etc/apparmor.d/usr.bin.evince

If firefox-esr is started by clicking a link in evince,
then firefox-esr claims its security hardening has been compromised, and
instructs the user to install third-party (non-Debian) packages.

Specifically it says:

    Some of Firefox’s security features may offer less protection on your current operating system.
    [How to fix this issue]
    [Don’t show this again]

If firefox-esr is *already running* when you click a link in evince, then this issue does not occur.

I *think* this is because evince's apparmor profile is blocking a kernel feature that firefox-esr uses to *drop* privileges.

I have not tested this with a fresh install, but someone else said they could reproduce this behaviour on unstable.
I did at least test setting $BROWSER to /bin/false (in case my normal custom $BROWSER was causing the problem); evince ignored that and ran firefox-esr as usual.

My chief concern here is that the error firefox displays doesn't say
"I inherited the wrong apparmor profile", it says
"bypass your distro packages and screw up your system".

Recipe to reproduce:

    bash5$ pkill -f firefox  # make sure firefox is not running
    bash5$ journalctl -ocat -fn0 --grep=apparmor &
    [1] 359219
    bash5$ dot -Tpdf >tmp.pdf <<< 'digraph { "https://example.com" [URL="\N"]; }' # make a PDF with a clickable link
    bash5$ evince tmp.pdf  # then in the GUI, click the link
    (evince:359343): Handy-WARNING **: 09:03:56.509: Using GtkSettings:gtk-application-prefer-dark-theme together with HdyStyleManager is unsupported. Please use HdyStyleManager:color-scheme instead.
    AVC apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/evince//sanitized_helper" pid=359368 comm="firefox-esr" capability=21  capname="sys_admin"
    audit: type=1400 audit(1728338637.909:117): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/evince//sanitized_helper" pid=359368 comm="firefox-esr" capability=21  capname="sys_admin"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=4E65746C696E6B204D6F6E69746F72 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338638.025:118): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=4E65746C696E6B204D6F6E69746F72 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.169:119): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.233:120): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.233:121): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.237:122): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.305:123): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.433:124): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.477:125): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202332 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    audit: type=1400 audit(1728338639.493:126): apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202332 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202332 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    bash5$ C-c C-c
    Exiting due to channel error.
    Exiting due to channel error.
    Exiting due to channel error.
    Exiting due to channel error.
    Exiting due to channel error.

    bash5$ pkill -f firefox  # make sure firefox is not running
    bash5$ firefox-esr https://example.com/ # observe this does not happen normally
    bash5$
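As an added triage aid (this script is not part of the bug report), the following Python parses AppArmor `DENIED` lines of the shape shown in the journalctl output above, decodes the `comm=` values that the audit subsystem hex-encodes when a thread name contains spaces (so `4E65746C696E6B204D6F6E69746F72` reads as `Netlink Monitor`), and tallies denials per profile, operation and process. The three sample lines are copied from the report's own output; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: three lines copied from the bug report's journalctl output.
SAMPLE_LOG = """\
AVC apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/evince//sanitized_helper" pid=359368 comm="firefox-esr" capability=21  capname="sys_admin"
AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=4E65746C696E6B204D6F6E69746F72 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
AVC apparmor="DENIED" operation="create" class="net" profile="/usr/bin/evince//sanitized_helper" pid=359365 comm=444E53205265736F6C766572202331 family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
"""

# key="quoted value"  or  key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def decode_hex_comm(raw):
    """audit emits comm unquoted and hex-encoded when the thread name has
    spaces or non-printables; turn that back into text, else return raw."""
    if re.fullmatch(r'[0-9A-Fa-f]+', raw) and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw).decode('ascii')
        except ValueError:
            pass
    return raw


def parse_line(line):
    """Return a dict of key/value fields for an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        if quoted is not None:
            fields[key] = quoted
        elif key == 'comm':          # only the unquoted form is hex-encoded
            fields[key] = decode_hex_comm(bare)
        else:
            fields[key] = bare
    return fields


def summarize(log_text):
    """Count denials keyed by (profile, operation, comm, detail) where detail is
    the capability name for 'capable' denials or the socket family for 'net'."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        detail = f.get('capname') or f.get('family') or ''
        counts[(f.get('profile', '?'), f.get('operation', '?'),
                f.get('comm', '?'), detail)] += 1
    return counts


def helpers_denied(counts):
    """Names of processes denied under a //sanitized_helper hat, i.e. programs
    that were launched by a confined viewer and inherited its confinement."""
    return sorted({comm for (profile, _op, comm, _d) in counts
                   if profile.endswith('//sanitized_helper')})


if __name__ == '__main__':
    tally = summarize(SAMPLE_LOG)
    for key, n in sorted(tally.items()):
        print(n, *key)
    print('launched under sanitized_helper:', helpers_denied(tally))
```

Run it against `journalctl -ocat --grep=apparmor` output instead of the embedded sample to see which child programs are being denied under the viewer's hat; in the report above, every denial is attributed to `firefox-esr` and its `Netlink Monitor` / `DNS Resolver` threads rather than to evince itself.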


Initial discussion:

    08:54 <twb> Ugh WTF is this?  firefox-esr now has the same kind of "Debian is shipping obsolete code" popup as xscreensaver?
    08:55 <twb> "Some of Firefox’s security features may offer less protection on your current operating system. [How to fix this issue] [Don’t show this again]"  Less protection than what?
    08:55 <twb> If I click "How to fix this issue", I get instructions on how to install a third-party deb https://support.mozilla.org/en-US/kb/install-firefox-linux
    08:56 <twb> Maybe apparmor broke?
    08:56 <REDACTED1> Seems to be instructions on how to add their repo.
    08:57 <twb> If you look at the last section tho
    08:58 <twb> That seems to be saying that the popup *might* be popping up because "some distros" only allow user_ns for apparmor-confined things
    08:58 <twb> Oh oh oh I know what caused this
    08:59 <twb> with firefox closed, open a link from inside evince – which IS apparmor confined.  Firefox inherits some of that confinement, which prevents it using user_ns
    09:00 <REDACTED2> twb, is that with firefox-esr or firefox (the nag screen)?
    09:01 <twb> firefox-esr     128.3.0esr-1~deb12u1
    09:02 <REDACTED2> Same here (well, almost the same, 128.3.0esr-2 from unstable), but I never open Web links from other application so that would explain why I never noticed that.



-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.6+bpo-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-4
ii  evince-common                                43.1-2
ii  gsettings-desktop-schemas                    43.0-1
ii  libatk1.0-0                                  2.46.0-5
ii  libc6                                        2.36-9+deb12u8
ii  libcairo-gobject2                            1.16.0-7
ii  libcairo2                                    1.16.0-7
ii  libevdocument3-4                             43.1-2+b1
ii  libevview3-3                                 43.1-2+b1
ii  libgdk-pixbuf-2.0-0                          2.42.10+dfsg-1+deb12u1
ii  libglib2.0-0                                 2.74.6-2+deb12u3
ii  libgnome-desktop-3-20                        43.2-2
ii  libgtk-3-0                                   3.24.38-2~deb12u2
ii  libhandy-1-0                                 1.8.1-1
ii  libpango-1.0-0                               1.50.12+ds-1
ii  libpangocairo-1.0-0                          1.50.12+ds-1
ii  libsecret-1-0                                0.20.5-3
ii  shared-mime-info                             2.2-1

Versions of packages evince recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.14.10-1~deb12u1
ii  dbus-x11 [dbus-session-bus]                   1.14.10-1~deb12u1

Versions of packages evince suggests:
ii  gvfs             1.50.3-1
pn  nautilus-sendto  <none>
ii  poppler-data     0.4.12-1
pn  unrar            <none>

-- no debconf information
