Regression: Using evince in mozplugger fails with "Error opening file: Permission denied"

Bug #468565 reported by Martin Ling
This bug affects 2 people
Affects: apparmor (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: mozplugger

In Jaunty, installing mozplugger with the default configuration would make PDF files embed correctly in Firefox using evince.

In Karmic, evince opens with an error bar saying "Unable to open document: Permission denied".

Embedding of other applications such as OpenOffice works fine. For PDFs, GV works, but is ugly and horrible to use. Acroread has been crashing my X server (bug #458306), but seems to embed correctly when it doesn't crash.

ProblemType: Bug
Architecture: i386
Date: Sun Nov 1 13:23:36 2009
DistroRelease: Ubuntu 9.10
Package: mozplugger 1.12.1-1ubuntu1
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/usr/bin/zsh
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: mozplugger
Uname: Linux 2.6.31-14-generic i686
XsessionErrors:
 (gnome-settings-daemon:6767): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (gnome-settings-daemon:6767): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (polkit-gnome-authentication-agent-1:6805): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (nautilus:6802): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (gnome-panel:6801): Gdk-WARNING **: /build/buildd/gtk+2.0-2.18.3/gdk/x11/gdkdrawable-x11.c:952 drawable is not a pixmap or window

Martin Ling (martin-launchpad) wrote :
tags: added: regression-release
removed: regression
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This looks like it could be a problem with the apparmor profile. Can you please open a terminal and attach the output of the following command:
$ grep audit /var/log/kern.log

Changed in mozplugger (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Martin Ling (martin-launchpad) wrote :

Looks like you're right, Jamie:

Nov 4 01:26:41 nomad kernel: [245222.309493] type=1503 audit(1257298001.732:48): operation="open" pid=17053 parent=17051 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/martin/.mozilla/firefox/v92kfy11.default/Cache/6D21496Bd01"

I guess nobody thought evince would need to open things directly from the Firefox cache.

Changed in mozplugger (Ubuntu):
status: Incomplete → New
Martin Ling (martin-launchpad) wrote :

Ah - in fact they had, but it seems like the line has been accidentally removed.

Below is the last part of /etc/apparmor.d/abstractions/evince. It looks like the commented section at the bottom, to be restored when LP #451422 is fixed, was replaced with the contents of abstractions/private-files-strict but without the following "owner @{HOME}/.mozilla/**/*Cache/* r,".

When I put that line back in, uncommented, then this problem is solved.

---- cut ----

  # Use abstractions/private-files instead of abstractions/private-files-strict
  # and add the sensitive files manually to work around LP: #451422. The goal
  # is to disallow access to the .mozilla folder in general, but to allow
  # access to the Cache directory, which the browser may tell evince to open
  # from directly.

  #include <abstractions/private-files>
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnome2_private/** mrwkl,

  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
  audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
  audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
  audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
  audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,

  # When LP: #451422 is fixed, change the above to simply be:
  ##include <abstractions/private-files-strict>
  #owner @{HOME}/.mozilla/**/*Cache/* r,

Martin Ling (martin-launchpad) wrote :

The bug is in /etc/apparmor.d/abstractions/evince, which is in the evince package.

affects: mozplugger (Ubuntu) → evince (Ubuntu)
Changed in evince (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I'm confused. Can you attach the /etc/apparmor.d/abstractions/evince file that worked and didn't work? Accessing files in firefox's cache works fine here.

Changed in evince (Ubuntu):
status: Confirmed → Incomplete
tags: added: apparmor
Martin Ling (martin-launchpad) wrote :

All I did was uncomment the last line.

--- evince-broken 2009-11-04 04:09:07.000000000 +0000
+++ evince-working 2009-11-04 04:08:57.000000000 +0000
@@ -103,5 +103,5 @@

   # When LP: #451422 is fixed, change the above to simply be:
   ##include <abstractions/private-files-strict>
- #owner @{HOME}/.mozilla/**/*Cache/* r,
+ owner @{HOME}/.mozilla/**/*Cache/* r,
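Review bot: the now-active `owner @{HOME}/.mozilla/**/*Cache/* r,` rule sits directly under the comment "When LP: #451422 is fixed, change the above to simply be:", while the `##include <abstractions/private-files-strict>` line next to it stays commented out, so the file applies only half of what that comment describes and the comment no longer matches the rules in effect. If the read rule is meant to be live, move it above that comment with a one-line explanation of why evince needs read access to the browser cache; otherwise keep both lines commented together.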

Changed in evince (Ubuntu):
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

Thanks. Can you attach a tarball of the /etc/apparmor.d/ directory:
$ sudo tar -zcvf /tmp/468565.tar.gz /etc/apparmor.d

Changed in evince (Ubuntu):
status: New → Incomplete
Martin Ling (martin-launchpad) wrote :
Changed in evince (Ubuntu):
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

That line was intentionally left out, because it is not needed (bug #451422 is not fixed yet after all). Specifically, the last 3 lines need to be exactly:
  # When LP: #451422 is fixed, change the above to simply be:
  ##include <abstractions/private-files-strict>
  #owner @{HOME}/.mozilla/**/*Cache/* r,

I think your profile cache may have gotten out of sync when testing. Please adjust the profile as mentioned, then perform:
$ sudo rm -f /etc/apparmor.d/cache/usr.bin.evince
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince

Then try again. It works fine here when I do (I copied a PDF file to ~/.mozilla/firefox/*.default/Cache/6D21496Bd01 to match you):
$ evince ~/.mozilla/firefox/*.default/Cache/6D21496Bd01

Martin Ling (martin-launchpad) wrote :

Sorry, I didn't know about the profile cache being in there. Having already patched alternatives/evince and run /etc/init.d/apparmor reload to work around the problem, I just reverted the patch before running tar to get what I posted.

Now, having gone back to the original version and reloaded again, I can no longer reproduce the bug.

Jamie Strandboge (jdstrand) wrote :

Closing as Invalid per the user's last comment. Please feel free to reopen if this is in error or report any other bugs you may find.

Changed in evince (Ubuntu):
status: New → Invalid
Geoffrey Mainland (mainland) wrote :

I'm seeing the same buggy behavior as the OP, even after executing

$ sudo rm -f /etc/apparmor.d/cache/usr.bin.evince
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince

I've attached the contents of /etc/apparmor.d that exists after executing the above command sequence.

Jamie Strandboge (jdstrand) wrote :

Geoffrey,

Can you also attach the output of 'grep audit /var/log/kern.log' after you see the problem?

Changed in evince (Ubuntu):
status: Invalid → Incomplete
Geoffrey Mainland (mainland) wrote :

Here are all relevant entries from /var/log/kern.log.

Nov 6 14:02:59 minipax kernel: [81307.525586] type=1503 audit(1257534179.547:1023): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.ICEauthority"
Nov 6 14:02:59 minipax kernel: [81307.537611] type=1503 audit(1257534179.557:1024): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.gnome2/accels/evince"
Nov 6 14:02:59 minipax kernel: [81307.592981] type=1503 audit(1257534179.617:1025): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.recently-used.xbel"
Nov 6 14:02:59 minipax kernel: [81307.621429] type=1503 audit(1257534179.637:1026): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.gnome2/evince/ev-metadata.xml"
Nov 6 14:02:59 minipax kernel: [81307.621456] type=1503 audit(1257534179.637:1027): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.gnome2/evince/ev-metadata.xml"
Nov 6 14:02:59 minipax kernel: [81307.621475] type=1503 audit(1257534179.637:1028): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.gnome2/evince/ev-metadata.xml"
Nov 6 14:02:59 minipax kernel: [81307.621509] type=1503 audit(1257534179.637:1029): operation="open" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.gnome2/evince/ev-metadata.xml"
Nov 6 14:02:59 minipax kernel: [81307.623829] type=1503 audit(1257534179.646:1030): operation="mknod" pid=16763 parent=16762 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.gnome2/evince/evince-crashed.05FC3U"
Nov 6 14:02:59 minipax kernel: [81307.623884] type=1503 audit(1257534179.646:1031): operation="open" pid=16765 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.mozilla/firefox/mainland/Cache/78619695d01"
Nov 6 14:02:59 minipax kernel: [81307.624204] type=1503 audit(1257534179.646:1032): operation="open" pid=16765 parent=16762 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=33141 ouid=33141 name="/usr/home/mainland/.mozilla/firefox/mainland/Cache/78619695d01"

Jamie Strandboge (jdstrand) wrote :

Geoffrey, this is a different bug that has already been reported. Please review https://wiki.ubuntu.com/DebuggingApparmor#Adjusting%20Tunables as well as the information and solution in bug #447292.

affects: evince (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Incomplete → Invalid
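
A triage helper for the `grep audit /var/log/kern.log` output requested in this thread, added here as an example; it is not part of the bug report or of the AppArmor tools. It parses the `type=1503` records in the format quoted above, counts repeated denials, and lists owner-matched denied paths that fall outside the configured home roots, which is the pattern behind the tunables pointer in the last comment. The log lines are constructed, the function names are hypothetical, and the `/home/` default root is an assumption about the `@{HOMEDIRS}` tunable.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in this thread (host, pids and paths are made up).
SAMPLE = """\
Nov  6 14:02:59 host kernel: [100.000001] type=1503 audit(1257534179.547:1): operation="open" pid=4242 parent=4241 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/usr/home/alice/.mozilla/firefox/abc.default/Cache/AAAA0001d01"
Nov  6 14:02:59 host kernel: [100.000002] type=1503 audit(1257534179.547:2): operation="open" pid=4242 parent=4241 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/usr/home/alice/.mozilla/firefox/abc.default/Cache/AAAA0001d01"
Nov  6 14:02:59 host kernel: [100.000003] type=1503 audit(1257534179.548:3): operation="mknod" pid=4242 parent=4241 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name="/usr/home/alice/.gnome2/evince/evince-crashed.XXXXXX"
Nov  6 14:03:10 host kernel: [111.000004] type=1503 audit(1257534190.100:4): operation="open" pid=4300 parent=4299 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1001 ouid=1001 name="/home/bob/.mozilla/firefox/def.default/Cache/BBBB0002d01"
Nov  6 14:03:11 host kernel: [112.000000] usb 1-1: new high speed USB device
"""

# type=1503 is the record type on the denial lines quoted in this thread.
HEADER = re.compile(r"type=1503 audit\((?P<ts>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_denials(text):
    """Return one dict per type=1503 record, keyed by field name."""
    events = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # unrelated kernel message
        ev = {k: (q if q else u) for k, q, u in FIELD.findall(m.group("body"))}
        ev["seq"] = int(m.group("seq"))
        events.append(ev)
    return events

def summarize(events):
    """Count denials per (profile, operation, denied_mask, name)."""
    return Counter((e.get("profile"), e.get("operation"),
                    e.get("denied_mask"), e.get("name")) for e in events)

def outside_homedirs(events, homedirs=("/home/",)):
    """Heuristic: owner-matched denials (fsuid == ouid) whose path is not under
    any configured home root; candidates for an @{HOMEDIRS} mismatch."""
    return sorted({e["name"] for e in events
                   if "name" in e and e.get("fsuid") == e.get("ouid")
                   and not e["name"].startswith(tuple(homedirs))})

if __name__ == "__main__":
    evs = parse_denials(SAMPLE)
    for key, n in summarize(evs).most_common():
        print(n, *key)
    print("outside home roots:", outside_homedirs(evs))
```

Passing the real home roots, for example `outside_homedirs(evs, ("/home/", "/usr/home/"))`, shows which denials remain once the home location is accounted for.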