Bug#1099688: GNOME Papers "Sign Digitally" blocked by AppArmor
Cristiano Nunes
cfgnunes at gmail.com
Fri Nov 7 04:51:55 GMT 2025
Dear Simon McVittie,

I performed new tests regarding the AppArmor profile for GNOME Papers.
I further restricted the profile and added only the
following line inside the `/usr/bin/papers { }` part
in `/etc/apparmor.d/usr.bin.papers`:

    owner @{HOME}/.pki/nssdb/* rk,

With only this single rule, digital signing continues to work normally.
However, the kernel still reports AppArmor denials in `sudo dmesg`.
Even so, the signing feature works correctly.
This suggests that this single permission is sufficient for
GNOME Papers to perform digital signing, despite the remaining
audit log entries.

I am sharing these results in case they help refine the
AppArmor profile or narrow the required paths.
The kernel audit messages are included as an attachment below.

Best regards,
Cristiano Fraga G. Nunes
---------------------------------------
Attachment: `sudo dmesg`:
---------------------------------------
[ 8329.545597] audit: type=1400 audit(1762490114.460:1903):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8329.545606] audit: type=1400 audit(1762490114.460:1904):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8329.545639] audit: type=1400 audit(1762490114.460:1905):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21129
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8329.545702] audit: type=1400 audit(1762490114.460:1906):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21129
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8329.546053] audit: type=1400 audit(1762490114.460:1907):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8329.546092] audit: type=1400 audit(1762490114.460:1908):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8329.546120] audit: type=1400 audit(1762490114.460:1909):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21129
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8329.546150] audit: type=1400 audit(1762490114.460:1910):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21129
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8329.547937] audit: type=1400 audit(1762490114.460:1911):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/vendor"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8329.547944] audit: type=1400 audit(1762490114.460:1912):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/device"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8343.497445] kauditd_printk_skb: 73 callbacks suppressed
[ 8343.497448] audit: type=1400 audit(1762490128.412:1986):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21530 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8343.497490] audit: type=1400 audit(1762490128.412:1987):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21530 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8343.497527] audit: type=1400 audit(1762490128.412:1988):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21530
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8343.497562] audit: type=1400 audit(1762490128.412:1989):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21530
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8343.497863] audit: type=1400 audit(1762490128.412:1990):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21530 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8343.497905] audit: type=1400 audit(1762490128.412:1991):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21530 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8343.497939] audit: type=1400 audit(1762490128.412:1992):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21530
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8343.497973] audit: type=1400 audit(1762490128.412:1993):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21530
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8343.501907] audit: type=1400 audit(1762490128.416:1994):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/vendor"
pid=21530 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8343.501918] audit: type=1400 audit(1762490128.416:1995):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/device"
pid=21530 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
---------------------------------------
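One way to triage denials like those in the attachment, as an added example that is not part of the original message: it de-duplicates AppArmor `DENIED` records by profile, path and mask, and totals the records the kernel rate-limited (`callbacks suppressed`), since a non-zero total means the `dmesg` listing is incomplete. The name `summarize` is this example's own; the sample text is an excerpt of the attachment with the mail wrapping kept.

```python
import re
from collections import Counter

# Excerpt of the dmesg attachment above, with the mail client's line wrapping.
SAMPLE = """\
[ 8329.545597] audit: type=1400 audit(1762490114.460:1903):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/uevent"
pid=21129 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
[ 8329.545639] audit: type=1400 audit(1762490114.460:1905):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21129
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 8343.497445] kauditd_printk_skb: 73 callbacks suppressed
[ 8343.497527] audit: type=1400 audit(1762490128.412:1988):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/papers"
name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21530
comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

RECORD_START = re.compile(r"^\[\s*\d+\.\d+\] ", re.M)   # dmesg timestamp
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')        # key="v" or key=v
SUPPRESSED = re.compile(r"kauditd_printk_skb: (\d+) callbacks suppressed")

def summarize(dmesg_text):
    """Return (Counter keyed by (profile, path, denied_mask), suppressed total)."""
    denials, suppressed = Counter(), 0
    # Cut the text at each timestamp, then undo the wrapping inside a record.
    starts = [m.start() for m in RECORD_START.finditer(dmesg_text)]
    for begin, end in zip(starts, starts[1:] + [len(dmesg_text)]):
        record = " ".join(dmesg_text[begin:end].split())
        hit = SUPPRESSED.search(record)
        if hit:
            suppressed += int(hit.group(1))
            continue
        f = {key: quoted or bare for key, quoted, bare in FIELD.findall(record)}
        if f.get("apparmor") == "DENIED":
            denials[(f.get("profile"), f.get("name", ""), f.get("denied_mask"))] += 1
    return denials, suppressed

if __name__ == "__main__":
    found, dropped = summarize(SAMPLE)
    for (profile, path, mask), count in found.most_common():
        print(f"{count:3d}x {profile} denied {mask} on {path}")
    print(f"{dropped} audit records suppressed by the kernel rate limit")
```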