Apparmor blocks evince GUI-Input-Dialogs

Bug #1881294 reported by Reinhard
Affects: evince (Ubuntu). Status: Invalid. Importance: Undecided. Assigned to: Unassigned.

Bug Description

Network users (LDAP + NFS4 home) cannot interact with evince GUI input elements.

* page navigation per number not possible
* select pages to print not possible
* save open PDF with different name not possible

Local user on the same machine behaves as expected.

apparmor messages in /var/log/syslog:

May 29 14:37:07 r002pc51 kernel: [15848.736916] audit: type=1400 audit(1590755827.768:827): apparmor="DENIED" operation="file_lock" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.cache/event-sound-cache.tdb.2176809057334199ab75052753e0683a.x86_64-pc-linux-gnu" pid=34988 comm="evince" requested_mask="k" denied_mask="k" fsuid=4515 ouid=4515

May 29 14:37:07 r002pc51 kernel: [15848.739259] audit: type=1400 audit(1590755827.772:828): apparmor="DENIED" operation="link" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.local/share/gvfs-metadata/.open04eaJ8" pid=34988 comm="pool-evince" requested_mask="l" denied_mask="l" fsuid=4515 ouid=4515 target="/home/teachers/ttfinr/.local/share/gvfs-metadata/home"

May 29 14:37:07 r002pc51 kernel: [15848.739974] audit: type=1400 audit(1590755827.772:829): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=4515 ouid=4515

May 29 14:37:07 r002pc51 kernel: [15848.740088] audit: type=1400 audit(1590755827.772:830): apparmor="DENIED" operation="unlink" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openumWxE7" pid=34988 comm="pool-evince" requested_mask="d" denied_mask="d" fsuid=4515 ouid=4515

Seth Arnold (seth-arnold) wrote :

Hello Reinhard, please see the /etc/apparmor.d/tunables/home.d/site.local file, it describes how to add additional paths to the @{HOMEDIRS} variable, which should allow evince, and all other profiles that use @{HOME}, to function in your environment.

Thanks

Changed in evince (Ubuntu):
status: New → Invalid
Reinhard (reinhard-fink) wrote :

Hello Arnold,

thanks a lot for your fast and good answer!

But maybe I am doing something terribly wrong, or something is working strangely?

To deploy apparmor changes I started to play around on a test machine with no LDAP and no NFS.

1. created new user: /home/teachers/check
2. added @{HOMEDIRS}+=/home/teachers/ to /etc/apparmor.d/tunables/home.d/site.local
3. sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince
4. sudo service apparmor reload
5. reboot

but I still have the same behavior as described above :-(

And this is the error message I get now:

Jun 1 11:15:29 r000pc01 kernel: [ 21.460130] audit: type=1400 audit(1591002929.480:45): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" pid=2103 comm="pool-evince" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/teachers/check/.cache/ibus/dbus-1kIdhqFI" peer="unconfined"

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@Reinhard, you are now hitting bug #1856738, which prevents @{HOME} from being used in the peer_addr for an abstract socket. For now, I suggest updating /etc/apparmor.d/abstractions/ibus to have:

  unix (connect, receive, send)
       type=stream
       peer=(addr="@/home/teachers/*/.cache/ibus/dbus-*"),
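As an added example (not code from the bug report or from the AppArmor project), the POSIX shell script below shows why the @{HOMEDIRS} change from the first reply fixes the file denials: @{HOME} expands to @{HOMEDIRS}/*/ and the `*` does not cross a `/`, so with only the default /home/ a user whose home is /home/teachers/ttfinr gets @{HOME}=/home/teachers/ and every `owner @{HOME}/.cache/**` style rule misses. It parses DENIED audit lines (constructed samples modelled on the ones in this thread) and reports each path under the user's real home that no configured HOMEDIRS entry covers; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample audit lines modelled on the report (pids shortened).
AUDIT_LINES='type=1400 apparmor="DENIED" operation="file_lock" profile="/usr/bin/evince" name="/home/teachers/ttfinr/.cache/event-sound-cache.tdb" pid=1 comm="evince"
type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/4515/gvfs-metadata/.openXXXX" pid=1 comm="pool-evince"
type=1400 apparmor="DENIED" operation="connect" profile="/usr/bin/evince" pid=2 comm="pool-evince" family="unix" peer_addr="@/home/teachers/check/.cache/ibus/dbus-1kIdhqFI"'

# Print the file path (name=) or abstract socket path (peer_addr=, with
# the leading '@' stripped) of every DENIED line in $1, one per line.
denied_paths() {
    printf '%s\n' "$1" | grep 'apparmor="DENIED"' |
        sed -n -e 's/.* name="\([^"]*\)".*/\1/p' \
               -e 's/.* peer_addr="@\{0,1\}\([^"]*\)".*/\1/p'
}

# home_covered PATH REAL_HOME HOMEDIRS...
# Succeeds when some HOMEDIRS entry H makes H + <first path component>/
# equal to REAL_HOME, i.e. @{HOME}-based rules can match PATH for this user.
home_covered() {
    p=$1; real=${2%/}/; shift 2
    for h in "$@"; do
        h=${h%/}/
        case $p in "$h"*) ;; *) continue ;; esac
        rest=${p#"$h"}
        user=${rest%%/*}
        [ "$h$user/" = "$real" ] && return 0
    done
    return 1
}

# uncovered_paths REAL_HOME "AUDIT TEXT" HOMEDIRS...
# Print every denied path under REAL_HOME that HOMEDIRS does not cover.
uncovered_paths() {
    real=$1; lines=$2; shift 2
    denied_paths "$lines" | while IFS= read -r p; do
        case $p in "${real%/}/"*) ;; *) continue ;; esac
        home_covered "$p" "$real" "$@" || printf '%s\n' "$p"
    done
}

# Default tunable only: the .cache path is reported as uncovered.
uncovered_paths /home/teachers/ttfinr "$AUDIT_LINES" /home/
# With the site.local addition from the thread: nothing is reported.
uncovered_paths /home/teachers/ttfinr "$AUDIT_LINES" /home/ /home/teachers/
```

The abstract-socket denial from the later comment is not a HOMEDIRS problem (the script only shows that /home/teachers/check is covered once the entry is added); as the third reply explains, that one comes from bug #1856738 and needs the literal path in the ibus abstraction.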
