Bug#1099688: GNOME Papers "Sign Digitally" blocked by AppArmor
Simon McVittie
smcv at debian.org
Thu Nov 6 09:22:51 GMT 2025
On Thu, 06 Nov 2025 at 02:58:02 -0300, Cristiano Nunes wrote:
>After adding the following lines to the file
>`/etc/apparmor.d/usr.bin.papers` and reloading AppArmor, digital
>signing works correctly:
>
>owner @{HOME}/.pki/** lrk,
>/sys/devices/** r,
>/run/pcscd/pcscd.comm rw,
>
>This indicates that the issue lies in the AppArmor profile rather than
>in the Papers application itself.

The AppArmor profile is part of the papers package, though, so
reassigning to a package that doesn't contain the AppArmor profile
doesn't really make sense.

If you change these lines to

audit owner @{HOME}/.pki/** lrk,
audit /sys/devices/** r,
audit /run/pcscd/pcscd.comm rw,

and reboot (or reload AppArmor), then try to sign something, what
accesses get logged to the audit log?

I agree with commenters on the Ubuntu bug that "/sys/devices/** r,"
seems like overly broad access, but probably it can be narrowed down
somewhat.

Ideally the apparmor package would have an abstraction for "access to
smart cards" or similar, which papers' profile could "include" instead
of having to know all the details of how smart cards are accessed.

smcv
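
Added example (not part of the original message or of the papers package): one way to summarise what the audit rules suggested above write to the audit log, so that the paths actually read under /sys/devices can be listed before narrowing the rule. The log records, the profile name "papers" and every path in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel's AppArmor audit format. The profile
# name "papers" and every path are assumptions, not output from this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1762420971.101:901): apparmor="AUDIT" operation="open" class="file" profile="papers" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/idVendor" pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1762420971.102:902): apparmor="AUDIT" operation="open" class="file" profile="papers" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/idProduct" pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1762420971.230:903): apparmor="AUDIT" operation="connect" class="file" profile="papers" name="/run/pcscd/pcscd.comm" pid=4242 comm="papers" requested_mask="wr" fsuid=1000 ouid=0
type=AVC msg=audit(1762420971.400:904): apparmor="AUDIT" operation="open" class="file" profile="papers" name="/home/user/.pki/nssdb/cert9.db" pid=4242 comm="papers" requested_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1762420972.000:905): apparmor="DENIED" operation="open" class="file" profile="papers" name="/etc/example.conf" pid=4242 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audited_accesses(log_text, profile="papers"):
    """Map each path allowed-and-audited for `profile` to its requested masks."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("apparmor") != '"AUDIT"' or rec.get("profile") != f'"{profile}"':
            continue  # skip DENIED/ALLOWED records and other profiles
        name = rec.get("name", "")
        if not name:
            continue
        if name.startswith('"'):
            path = name[1:-1]
        else:
            # The audit subsystem hex-encodes names containing spaces or quotes.
            path = bytes.fromhex(name).decode("utf-8", "replace")
        seen[path].update(rec.get("requested_mask", "").strip('"'))
    return dict(seen)


def sysfs_leaves(accesses):
    """Distinct file names read below /sys/devices, as input for a narrower rule."""
    return sorted({p.rsplit("/", 1)[1] for p in accesses if p.startswith("/sys/devices/")})


if __name__ == "__main__":
    acc = audited_accesses(SAMPLE_LOG)
    for path in sorted(acc):
        print("".join(sorted(acc[path])), path)
    print("sysfs leaves:", sysfs_leaves(acc))
```

On a real system the input would be the AppArmor lines from the kernel or audit log instead of SAMPLE_LOG, and the profile argument would be the name the profile declares.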