• Bug#1109826: [pkg-apparmor] Bug#1109826: evince: print preview doesn't

    From Christian Boltz@21:1/5 to All on Thu Jul 24 20:45:28 2025
    To: [email protected]

    Hello,

    Am Donnerstag, 24. Juli 2025, 15:35 schrieb Simon McVittie:
    On Thu, 24 Jul 2025 at 14:22:08 +0100, Simon McVittie wrote:
    In the "journalctl -f" output, I see
    this AppArmor denial (uid 0 or adm membership required):
    Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    A possible patch:

    ----8<----
    --- debian/apparmor-profile 2025-07-17 14:27:11.713382824 +0100
    +++ /etc/apparmor.d/usr.bin.evince 2025-07-24 14:23:39.877301150
    +0100
    @@ -63,6 +63,7 @@

    /usr/bin/evince rmPx,
    /usr/bin/evince-previewer Px,
    + /usr/bin/papers-previewer Pix,

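    Review bot: the `Pix` mode on the added `/usr/bin/papers-previewer` line means that whenever no profile for papers-previewer is loaded, the exec silently falls back to inheriting the evince profile, so the child runs with evince's permissions and any denials it triggers are logged against `/usr/bin/evince` (and would be "fixed" by widening the wrong profile). Prefer `/usr/bin/papers-previewer Px,` so that a missing target profile produces a logged denial instead. Also note the header pairs `debian/apparmor-profile` with the installed `/etc/apparmor.d/usr.bin.evince`, so the patch needs its path adjusted before it applies to the packaging tree.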
    A Px rule (without the ix fallback) would be better.

    Obviously this means that we need a separate profile for
    papers-previewer.

    Since you switched the evince profile to complain mode, your audit.log
    should already include everything to create that profile.

    Are you familiar enough with aa-logprof to create the papers-previewer
    profile? Otherwise, please attach your /var/log/audit/audit.log (and
    possibly audit.log.[0-9] if they have been rotated away - should be
    obvious by looking at the timestamp).


    Regards,

    Christian Boltz
    --
    Well, in rc3 it complains about using an uninitialized value at
    line 1465. But at least the message is shorter now, so it's a
    kind of improvement. :-/ [Steffen Winterfeldt in https://bugzilla.novell.com/show_bug.cgi?id=223909]


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Christian Boltz@21:1/5 to All on Thu Jul 24 22:33:54 2025
    Hello,

    Am Donnerstag, 24. Juli 2025, 21:54 schrieb Simon McVittie:
    On Thu, 24 Jul 2025 at 20:45:28 +0200, Christian Boltz wrote:
    we need a separate profile for papers-previewer

    We already have one, in the papers package.

    Even better :-)

    /usr/bin/evince-previewer Px,

    + /usr/bin/papers-previewer Pix,

    A Px rule (without the ix fallback) would be better.

    Would that load successfully, but gracefully decline to run
    /usr/bin/papers-previewer (which in practice would not exist), if the
    papers package isn't installed?

    Right, the profile will load successfully.

    If evince tries to execute papers-previewer, and that profile isn't
    loaded, the exec will be denied and audit.log will log the denial with
    something like "target profile doesn't exist".

    I thought that falling back to "same access to things that evince
    would already have had" would be less bad than falling back to "can't
    run at all". Running arbitrary code with "ix" is no worse for
    hardening purposes than the same code being in-process, after all...

    I get your theory.
    In practice, it depends - does the target profile grant more or less
    permissions than the current profile?
    (There's also the risk that denials will be reported for the "wrong"
    profile if the ix fallback gets used, so the evince profile might get
    permissions added that are only needed for papers-previewer.)

    evince needs to work normally if papers is not installed, in which
    case print preview should get ENOENT when attempting to run
    papers-previewer, and fall back to evince-previewer, the same as it
    would do in the absence of AppArmor.

    As long as "papers-previewer is installed" also means "the AppArmor
    profile for papers-previewer is loaded", everything should work as you
    expect.


    Regards,

    Christian Boltz
    --
    [19:31] <suseROCKs> #info anditosan just text that he took a sleeping
    pill last night and is trying to wake up to get to the meeting...
    [19:31] <suseROCKs> :-D
    [19:31] --> anditosan joined the channel (~[email protected]).
    [19:32] <shayonj> hah , there he is
    [19:32] <suseROCKs> anditosan is going to *LOVE* reading the minutes
    after this meeting!
    [from #opensuse-project]


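The two things this thread turns on, reading the `apparmor="DENIED"` line that Simon pasted in the first message and the difference between `Px` and `Pix` that Christian explains in the second, can be made concrete in a few lines. The following is an added example written for this page; it is not code from the thread, from Debian's evince packaging, or from the AppArmor project. It parses the journal line into its fields, proposes the allow rule a practitioner would add (a simplified stand-in for what aa-logprof does interactively, always choosing `Px` for exec denials), and models what each exec mode does depending on whether the papers-previewer profile is loaded. The second and third log lines are constructed, the `P` environment scrubbing is not modelled, and `resolve_exec` assumes profiles are attached by executable path, as they are in the quoted patch.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the denial quoted in the thread, re-joined onto
# one line, plus one made-up non-exec denial and one unrelated journal line
# to show that the same parser handles (and skips) ordinary input too.
SAMPLE_LOG = """\
Jul 24 12:27:49 espresso kernel: audit: type=1400 audit(1753356469.641:148): apparmor="DENIED" operation="exec" class="file" profile="/usr/bin/evince" name="/usr/bin/papers-previewer" pid=12463 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul 24 12:27:52 espresso kernel: audit: type=1400 audit(1753356472.010:149): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince" name="/tmp/constructed-example.pdf" pid=12463 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 24 12:27:53 espresso systemd[1]: Started some unrelated service.
"""

# key=value or key="quoted value" pairs as they appear in audit type=1400 lines
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor audit line, or None if the
    line is not an AppArmor message at all."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def denials(log_text: str) -> List[Dict[str, str]]:
    """All DENIED records in a block of journal/audit text, in order."""
    out = []
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            out.append(fields)
    return out


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Turn one file-class denial into the profile line that would allow it.

    Simplified stand-in for aa-logprof's proposals: an exec denial becomes a
    Px transition (the thread's recommendation, so a missing target profile
    is denied rather than silently inherited); any other file denial becomes
    a plain path rule carrying the denied mask.
    """
    if fields.get("class") != "file":
        return None
    path = fields["name"]
    if fields.get("operation") == "exec":
        return f"{path} Px,"
    return f"{path} {fields['denied_mask']},"


def resolve_exec(mode: str, current: str, target: str,
                 loaded: Set[str]) -> Optional[str]:
    """Which profile the child would run under for a given exec-rule mode.

    Returns None where AppArmor would deny the exec. Assumption: profiles
    attach by executable path, so `loaded` is the set of attachment paths
    currently loaded in the kernel.
      ix   inherit the current profile, always
      Px   target's own profile; denied if it is not loaded
      Pix  target's own profile; falls back to inheriting when not loaded
    """
    if mode == "ix":
        return current
    if mode == "Px":
        return target if target in loaded else None
    if mode == "Pix":
        return target if target in loaded else current
    raise ValueError(f"unsupported exec mode {mode!r}")


if __name__ == "__main__":
    for d in denials(SAMPLE_LOG):
        print(f'{d["profile"]}: {d["operation"]} {d["name"]} -> {suggest_rule(d)}')
    target = "/usr/bin/papers-previewer"
    for loaded in (set(), {target}):
        for mode in ("ix", "Px", "Pix"):
            child = resolve_exec(mode, "/usr/bin/evince", target, loaded)
            print(f"{mode:<4} papers profile loaded={bool(loaded)}: {child or 'DENIED'}")
```

Running it prints the two suggested rules and then a small matrix: with the papers profile absent, `Px` yields DENIED while `Pix` and `ix` both run the previewer under `/usr/bin/evince`, which is exactly the "denials reported for the wrong profile" situation the second message warns about.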