evince can't access locale-related files because apparmor settings are too strict

Bug #413454 reported by Martijn vdS
This bug affects 3 people
Affects            Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)  Fix Released  High        Jamie Strandboge
evince (Ubuntu)    Fix Released  High        Jamie Strandboge

Bug Description

Binary package hint: evince

The AppArmor profile included with evince 2.27.90-0ubuntu2 seems to be too restrictive, as evince can't read its localization files anymore, according to dmesg:

[343924.228908] type=1503 audit(1250235605.374:41): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/evince.mo"
[343924.234642] type=1503 audit(1250235605.378:42): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/gtk20-properties.mo"
[343924.464463] type=1503 audit(1250235605.606:43): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/libc.mo"
[343924.639313] type=1503 audit(1250235605.782:44): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/atk10.mo"
[343927.274672] type=1503 audit(1250235608.418:45): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/cups/locale/nl/cups_nl.po"

Also, when started remotely (ssh -X somehost evince), evince tries to execute dbus-launch, which fails:

[345494.473059] type=1503 audit(1250237175.618:49): operation="exec" pid=16433 parent=16430 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"

Martijn vdS (martijn) wrote : apport-collect data

Architecture: amd64
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: nvidia
Package: evince 2.27.90-0ubuntu2
PackageArchitecture: amd64
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=nl_NL.UTF-8
 LANGUAGE=nl_NL:nl
ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
Uname: Linux 2.6.31-5-generic x86_64
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin plugdev scanner video

Martijn vdS (martijn) wrote : Re: New evince can't access locale-related files
tags: added: apport-collected
summary: - New evince can't access locale-related files
+ evince can't access locale-related files because pparmor settings are
+ too strict
summary: - evince can't access locale-related files because pparmor settings are
+ evince can't access locale-related files because apparmor settings are
too strict
Changed in evince (Ubuntu):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
KUmo (shiragumo) wrote :

Confirmed,
this restriction also crashes evince when trying to view *.djvu files.

Aug 14 10:58:28 xxxx kernel: [ 3317.879147] type=1503 audit(1250240215.088:174): operation="open" pid=30039 parent=4824 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/djvu/osi/languages.xml"

Adding
  /usr/share/djvu/** r,
  /usr/share/locale-langpack/** r,
to the apparmor profile fixes this for me.

$ apt-cache policy evince
evince:
  Installed: 2.27.90-0ubuntu2
  Candidate: 2.27.90-0ubuntu2
  Version table:
     2.27.90-0ubuntu2 0
        500 http://archive.ubuntu.com karmic/main Packages
 *** 2.27.90-0ubuntu2 0
        100 /var/lib/dpkg/status
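
An added example, not part of the original report and not AppArmor's own tooling: a short Python script that parses denial lines in the format quoted in this report and lists the exact-path rules each profile would need, setting exec denials aside for manual review. The function names are hypothetical; the three sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Sample input: three denial lines copied from this report.
SAMPLE = """\
[343924.228908] type=1503 audit(1250235605.374:41): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/evince.mo"
Aug 14 10:58:28 xxxx kernel: [ 3317.879147] type=1503 audit(1250240215.088:174): operation="open" pid=30039 parent=4824 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/djvu/osi/languages.xml"
[345494.473059] type=1503 audit(1250237175.618:49): operation="exec" pid=16433 parent=16430 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in an audit line

def parse_denials(text):
    """Yield (profile, path, perms) for each type=1503 denial line."""
    for line in text.splitlines():
        if "type=1503" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if not {"profile", "denied_mask", "name"} <= fields.keys():
            continue  # truncated or unrelated record
        # Masks in this report look like "::r"; keep only the letters.
        yield fields["profile"], fields["name"], set(fields["denied_mask"]) - {":"}

def suggest(text):
    """Group denials per profile into exact-path rules plus exec paths to review."""
    perms_by_path = defaultdict(lambda: defaultdict(set))
    for profile, path, perms in parse_denials(text):
        perms_by_path[profile][path] |= perms
    out = {}
    for profile, paths in perms_by_path.items():
        rules, review = [], []
        for path, perms in sorted(paths.items()):
            if "x" in perms:
                # Exec rules need a transition mode chosen by the profile author.
                review.append(path)
            file_perms = "".join(sorted(perms - {"x"}))
            if file_perms:
                rules.append(f"{path} {file_perms},")
        out[profile] = {"rules": rules, "review": review}
    return out

if __name__ == "__main__":
    for profile, result in suggest(SAMPLE).items():
        print(f"profile {profile}")
        for rule in result["rules"]:
            print(f"  {rule}")
        for path in result["review"]:
            print(f"  # exec denied, choose a transition mode: {path}")
```

Exact paths are the least-privilege starting point; widening them to globs such as the `/usr/share/djvu/** r,` rule in the comment above is a decision for the profile maintainer.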

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
Changed in evince (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu12

---------------
apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low

  * abstractions/base: add more locale paths (LP: #413454)

 -- Jamie Strandboge <email address hidden> Fri, 14 Aug 2009 07:31:03 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.27.90-0ubuntu3

---------------
evince (2.27.90-0ubuntu3) karmic; urgency=low

  * debian/apparmor-profiles.abstraction: allow opening of djvu files
    (LP: #413454)
  * debian/evince.postint: update timestamp on usr.bin.evince to force
    apparmor cache regeneration (needed when updating just the abstraction)

 -- Jamie Strandboge <email address hidden> Fri, 14 Aug 2009 07:33:20 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Martijn vdS (martijn) wrote :

This wasn't fixed completely.

One thing I've discovered that still fails is launching the web browser (the one set in Gnome "preferred application" settings, dynamically). I imagine the same thing happens for email clients/email address links.

Changed in evince (Ubuntu):
status: Fix Released → Confirmed
Changed in apparmor (Ubuntu):
status: Fix Released → Confirmed
Jamie Strandboge (jdstrand) wrote :

The web browser issue was bug #414114. Can you make sure you have 2.27.90-0ubuntu4 installed and report back? If it is still an issue, please attach your kern.log.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in evince (Ubuntu):
status: Confirmed → Incomplete
Martijn vdS (martijn) wrote :

Ah, apparently I'd missed that upgrade. Sorry.

Changed in evince (Ubuntu):
status: Incomplete → Fix Released