• Bug#1109826: evince: print preview doesn't work if the papers package i

    From Simon McVittie@21:1/5 to Simon McVittie on Thu Jul 24 15:40:01 2025
    On Thu, 24 Jul 2025 at 14:22:08 +0100, Simon McVittie wrote:
    > In the "journalctl -f" output, I see
    > this AppArmor denial (uid 0 or adm membership required):
    >
    > Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x"
    > fsuid=1000 ouid=0

    A possible patch:

    ----8<----
    --- debian/apparmor-profile 2025-07-17 14:27:11.713382824 +0100
    +++ /etc/apparmor.d/usr.bin.evince 2025-07-24 14:23:39.877301150 +0100
    @@ -63,6 +63,7 @@

    /usr/bin/evince rmPx,
    /usr/bin/evince-previewer Px,
    + /usr/bin/papers-previewer Pix,
    /usr/bin/yelp Cx -> sanitized_helper,
    /usr/bin/bug-buddy px,
    # 'Show Containing Folder' (LP: #1022962)
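    Review bot: the added rule grants `Pix` where the neighbouring `/usr/bin/evince-previewer Px,` grants `Px`; the `i` suffix means that if no profile for /usr/bin/papers-previewer is loaded, the previewer runs inheriting evince's own confinement instead of being refused. If the only goal is that evince keeps working when papers is not installed, the exec of a missing /usr/bin/papers-previewer already fails with ENOENT before any profile transition applies, so plain `Px` (matching the evince-previewer line) would cover that case without the inherit fallback; whichever mode is kept, a comment on the new line explaining the choice would help the next reader of the profile.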
    ---->8----

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon McVittie@21:1/5 to All on Thu Jul 24 15:30:01 2025
    Package: evince
    Version: 48.1-2
    Severity: normal
    Control: affects -1 + papers apparmor gtk+3.0
    X-Debbugs-Cc: Alessandro Astone <[email protected]>, [email protected], [email protected], [email protected]

    Steps to reproduce
    ==================

    1. Install system, originally from
    debian-trixie-DI-rc2-amd64-netinst.iso, with task-gnome-desktop.
    Upgrade all packages to their latest versions from Debian trixie.

    2. As root: apt install papers

    3. In a terminal, as root or a member of adm: journalctl -f

    4. In another terminal: evince /usr/share/doc/shared-mime-info/*.pdf
    (probably any PDF would do, but this one is convenient)

    5. Open evince's main menu (3 horizontal lines / "hamburger menu")

    6. Click on the printer icon

    7. Observe GTK printing dialog, with buttons in its headerbar as
    follows:
    |[Cancel] Print [Preview] [Print]|

    8. Click on [Preview]

    Expected result
    ===============

    A second window appears with a print preview, either provided by evince (/usr/share/applications/org.gnome.Evince-previewer.desktop,
    "evince-previewer" executable) or provided by papers (/usr/share/applications/org.gnome.Papers-previewer.desktop,
    "papers-previewer" executable) or any similar previewer. The evince
    window remains open.

    Note in particular that if I replace step 2 with, as root

    apt purge papers

    I get the expected result; in this case the preview dialog is provided
    by evince-previewer.

    Actual result
    =============

    A progress bar briefly appears, but then disappears, leaving only the
    normal evince window visible. In the "journalctl -f" output, I see
    this AppArmor denial (uid 0 or adm membership required):

    Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x"
    fsuid=1000 ouid=0

    Workarounds
    ===========

    Either:

    * as root: apt purge papers

    or:

    * as root: apt install apparmor-utils
    * as root: aa-complain /usr/bin/evince

    Diagnosis
    =========

    As demonstrated by the workarounds, I believe this is a problem with the combination of two components:

    * the /usr/bin/evince (/etc/apparmor.d/usr.bin.evince) AppArmor profile
    originally added by Ubuntu in or before 2016, applied in an effort to
    harden evince against crafted documents (PDF, DjVu, etc.) that might
    have been provided by an attacker to achieve arbitrary code execution
    via security vulnerabilities in document format parsing libraries;

    * and the GTK 3 patch
    debian/patches/printing-Default-to-papers-previewer-and-fallback-to-evin.patch
    recently contributed by an Ubuntu developer to make GTK 3 default to
    using papers-previewer in preference to evince-previewer if it is
    installed

    I believe the problem is that evince's AppArmor profile explicitly
    allows running evince-previewer, but does not allow running
    papers-previewer.

    Any other GTK 3 application with a non-trivial AppArmor profile and the
    ability to do a print-preview would presumably have the same issue.
    evince is merely the most prominent example of a GTK 3 application with non-trivial AppArmor confinement.

    -- System Information:
    Debian Release: 13.0
    APT prefers testing-security
    APT policy: (500, 'testing-security'), (500, 'testing')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.35+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages evince depends on:
    ii dconf-gsettings-backend [gsettings-backend] 0.40.0-5
    ii evince-common 48.1-2
    ii gsettings-desktop-schemas 48.0-1
    ii libatk1.0-0t64 2.56.2-1
    ii libc6 2.41-10
    ii libcairo-gobject2 1.18.4-1+b1
    ii libcairo2 1.18.4-1+b1
    ii libevdocument3-4t64 48.1-2
    ii libevview3-3t64 48.1-2
    ii libgdk-pixbuf-2.0-0 2.42.12+dfsg-3
    ii libglib2.0-0t64 2.84.3-1
    ii libgnome-desktop-3-20t64 44.3-3
    ii libgtk-3-0t64 3.24.49-3
    ii libhandy-1-0 1.8.3-2
    ii libpango-1.0-0 1.56.3-1
    ii libpangocairo-1.0-0 1.56.3-1
    ii libsecret-1-0 0.21.7-1
    ii shared-mime-info 2.4-5+b2

    Versions of packages evince recommends:
    ii dbus-user-session [default-dbus-session-bus] 1.16.2-2

    Versions of packages evince suggests:
    ii gvfs 1.57.2-2
    pn nautilus-sendto <none>
    ii poppler-data 0.4.12-1

    -- no debconf information

  • From Simon McVittie@21:1/5 to Christian Boltz on Thu Jul 24 22:00:02 2025
    On Thu, 24 Jul 2025 at 20:45:28 +0200, Christian Boltz wrote:
    > we need a separate profile for papers-previewer

    We already have one, in the papers package. It's rather elaborate, and
    heavily based on evince's own profile; papers is quite similar to evince
    in structure and functionality (other than using GTK 4 instead of 3),
    and I think it might even have originated as a fork of evince (but I'm
    not 100% sure about that).

    > > /usr/bin/evince-previewer Px,
    > > + /usr/bin/papers-previewer Pix,

    > A Px rule (without the ix fallback) would be better.

    Would that load successfully, but gracefully decline to run /usr/bin/papers-previewer (which in practice would not exist), if the
    papers package isn't installed?

    I thought that falling back to "same access to things that evince would
    already have had" would be less bad than falling back to "can't run at
    all". Running arbitrary code with "ix" is no worse for hardening
    purposes than the same code being in-process, after all...

    evince needs to work normally if papers is not installed, in which case
    print preview should get ENOENT when attempting to run papers-previewer,
    and fall back to evince-previewer, the same as it would do in the
    absence of AppArmor.

    smcv

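As an added example that is not part of the bug report or of the evince/papers packages, this POSIX shell script ties the Diagnosis section and the Px/Pix discussion together: it extracts exec denials from constructed journalctl lines, reports which denied targets a profile excerpt has no exec rule for before and after the proposed patch, and shows what the proposed `Pix` rule falls back to when no papers-previewer profile is loaded. The log lines and profile excerpt are constructed to mirror the ones quoted above, and `sed` and `awk` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the bug report or from evince/papers): triage AppArmor exec denials
# against a profile text. The audit lines and profile excerpt below are constructed, not captured.

# Constructed "journalctl -f" excerpt: one exec denial, one allowed exec, one unrelated denial.
SAMPLE_LOG='Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 24 12:28:01 espresso kernel: audit: type=1400 audit(1753356481.002:149): apparmor="ALLOWED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/evince-previewer" pid=12470 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 24 12:28:05 espresso kernel: audit: type=1400 audit(1753356485.100:150): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince" name="/home/user/notes.txt" pid=12463 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
# Constructed excerpt of the exec rules in the evince profile, before and after the proposed patch.
PROFILE_BEFORE='  /usr/bin/evince rmPx,
  /usr/bin/evince-previewer Px,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,'
PROFILE_AFTER="$PROFILE_BEFORE
  /usr/bin/papers-previewer Pix,"

# Emit "profile target comm" for every exec denial among the audit lines on stdin.
aa_exec_denials() {
    sed -n 's/.*apparmor="DENIED" operation="exec".*profile="\([^"]*\)".*name="\([^"]*\)".*comm="\([^"]*\)".*/\1 \2 \3/p'
}

# Print the exec mode (Px, Pix, Cx, ...) that the profile text on stdin grants PATH; exit 1 if none.
profile_exec_mode() {
    awk -v p="$1" '$1 == p && $2 ~ /[xX],?$/ { sub(/,$/, "", $2); print $2; found = 1 } END { exit !found }'
}

# Behaviour when the target's own profile is not loaded (the Px vs Pix question in the thread):
# p/P and c/C transitions with an "i" or "u" suffix fall back; without one the exec is refused.
exec_fallback() {
    case "$1" in
        *[pPcC]ix) echo inherit ;;
        *[pPcC]ux) echo unconfined ;;
        *[pPcC]x)  echo none ;;
        *ix)       echo inherit ;;
        *[uU]x)    echo unconfined ;;
        *)         echo unknown ;;
    esac
}

# List denied exec targets (from log text $1) for which profile text $2 has no exec rule at all.
missing_exec_rules() {
    printf '%s\n' "$1" | aa_exec_denials | while read -r profile target comm; do
        printf '%s\n' "$2" | profile_exec_mode "$target" >/dev/null || printf '%s\n' "$target"
    done
}
main() {
    echo "Before the patch, no exec rule for: $(missing_exec_rules "$SAMPLE_LOG" "$PROFILE_BEFORE")"
    mode=$(printf '%s\n' "$PROFILE_AFTER" | profile_exec_mode /usr/bin/papers-previewer)
    echo "After the patch, papers-previewer runs as $mode; with no profile loaded it falls back to: $(exec_fallback "$mode")"
}
main
```

Running it prints that only /usr/bin/papers-previewer lacks a rule before the patch, and that the `Pix` rule inherits evince's confinement when no papers-previewer profile is loaded, which is the trade-off the thread debates.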