evince-thumbnailer can't run mktexpk

Bug #1229066 reported by Sergio Gelato
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Triaged | Low | Unassigned |

Bug Description

On Ubuntu 12.04, when running /usr/bin/evince-thumbnailer on a .dvi file that references a font for which there is no PK file on the system yet, AppArmor blocks the execution of /usr/share/texmf/web2c/mktexnam etc. Here are sample audit log messages:

[ 5720.378549] type=1400 audit(1379921624.784:28): apparmor="DENIED" operation="exec" parent=6181 profile="/usr/bin/evince-thumbnailer//sanitized_helper" name="/usr/share/texmf/web2c/mktexnam" pid=6204 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 5720.384833] type=1400 audit(1379921624.788:29): apparmor="DENIED" operation="exec" parent=6181 profile="/usr/bin/evince-thumbnailer//sanitized_helper" name="/usr/share/texmf/web2c/mktexupd" pid=6209 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I suspect this is because the sanitized_helper profile in /etc/apparmor.d/abstractions/ubuntu-helpers only covers /bin, /sbin, /usr/bin and /usr/sbin, not /usr/share/texmf/web2c. I'm not sure whether this bug should be filed against apparmor, evince or texlive-binaries; I can think of at least three ways of addressing the issue:
1) add "/usr/share/texmf/web2c/* Pixr" to the sanitized_helper profile;
2) modify the profile for /usr/bin/evince-thumbnailer to use something other than sanitized_helper;
3) provide a separate AppArmor profile for the /usr/bin/mktexpk wrapper (and its siblings).

Tags: aa-policy
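
Added example, not part of the original report: a triage script that parses AppArmor audit records like the ones quoted above, keeps the exec denials whose target lies outside the directories the report says sanitized_helper covers, and prints candidate rules in the form of the report's option 1 for review. The covered-directory list is the reporter's description, taken as an assumption; the function names and the fourth log record are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Directories the report says sanitized_helper covers (assumption from the report).
COVERED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value"

SAMPLE_LOG = "\n".join([
    # Three denial records copied from the report.
    '[ 5720.378549] type=1400 audit(1379921624.784:28): apparmor="DENIED" operation="exec" parent=6181 profile="/usr/bin/evince-thumbnailer//sanitized_helper" name="/usr/share/texmf/web2c/mktexnam" pid=6204 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    '[ 5720.384833] type=1400 audit(1379921624.788:29): apparmor="DENIED" operation="exec" parent=6181 profile="/usr/bin/evince-thumbnailer//sanitized_helper" name="/usr/share/texmf/web2c/mktexupd" pid=6209 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    '[ 2112.341075] type=1400 audit(1389252767.990:36): apparmor="DENIED" operation="exec" parent=3320 profile="/usr/bin/evince//sanitized_helper" name="/usr/share/texmf/web2c/mktexnam" pid=3342 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # Constructed record (not from the report): a read denial, to show filtering.
    '[ 5720.400000] type=1400 audit(1379921624.800:30): apparmor="DENIED" operation="open" parent=6181 profile="/usr/bin/evince-thumbnailer" name="/home/user/example.cfg" pid=6210 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
])

def parse_denials(text):
    """Return one dict of fields per AppArmor DENIED record in text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            records.append({k: q or u for k, q, u in FIELD_RE.findall(line)})
    return records

def uncovered_exec_targets(records, covered=COVERED_DIRS):
    """Map profile -> sorted exec targets whose directory is not in covered."""
    out = defaultdict(set)
    for r in records:
        if r.get("operation") != "exec" or "x" not in r.get("denied_mask", ""):
            continue
        if posixpath.dirname(r["name"]) not in covered:
            out[r["profile"]].add(r["name"])
    return {profile: sorted(names) for profile, names in out.items()}

def option1_rules(uncovered):
    """Candidate rules shaped like the report's option 1, for manual review."""
    dirs = {posixpath.dirname(n) for names in uncovered.values() for n in names}
    return sorted(f"{d}/* Pixr" for d in dirs)

if __name__ == "__main__":
    found = uncovered_exec_targets(parse_denials(SAMPLE_LOG))
    for profile, names in found.items():
        print(profile, "->", ", ".join(names))
    print(option1_rules(found))
```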
tags: added: apparmor
Sebastien Bacher (seb128) wrote :

Thanks for your bug report. Could you add an example of such a dvi file? That would make it easier to reproduce/debug the issue.

Changed in evince (Ubuntu):
importance: Undecided → Low
Sergio Gelato (sergio-gelato) wrote : Re: [Bug 1229066] Re: evince-thumbnailer can't run mktexpk

* Sebastien Bacher [2014-01-08 16:57:52 -0000]:
> Thanks for your bug report. Could you add an example for such dvi file?

I can try and construct one that reproduces the issue on my system, but
there is no guarantee that the same choice of font will reproduce the
problem somewhere else: that depends on the history of the individual
system (specifically, on whether the pk files for the font in question
have already been generated and cached).

> That would make easier to reproduce/debug the issue

With texlive-fonts-extra installed, try the following. If you happen to have
used font t2c-iwonami in the past, try with a different font. Note the
"Permission denied" errors when running evince, and the decision to
substitute a (very) different font for the one that was requested.

$ tex testfont
This is TeX, Version 3.1415926 (TeX Live 2009/Debian)
(/usr/share/texmf-texlive/tex/plain/base/testfont.tex

Name of the font to test = t2c-iwonami
Now type a test command (\help for help):)
*\table

*\bye
[1]
Output written on testfont.dvi (1 page, 9320 bytes).
Transcript written on testfont.log.
$ evince testfont.dvi

kpathsea: Running mktexpk --mfmode / --bdpi 600 --mag 1+0/600 --dpi 600 t2c-iwonami
/usr/bin/mktexpk: 1: /usr/bin/mktexpk: /usr/share/texmf/web2c/mktexnam: Permission denied
mktexpk: / already exists.
/usr/bin/mktexpk: 210: /usr/bin/mktexpk: /usr/share/texmf/web2c/mktexupd: Permission denied
kpathsea: Appending font creation commands to missfont.log.
page: Warning: font `t2c-iwonami' at 600x600 not found, trying `cmr10' instead

Running the above resulted in the following dmesg entries:

[ 2112.341075] type=1400 audit(1389252767.990:36): apparmor="DENIED" operation="exec" parent=3320 profile="/usr/bin/evince//sanitized_helper" name="/usr/share/texmf/web2c/mktexnam" pid=3342 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 2112.475442] type=1400 audit(1389252768.122:37): apparmor="DENIED" operation="exec" parent=3320 profile="/usr/bin/evince//sanitized_helper" name="/usr/share/texmf/web2c/mktexupd" pid=3347 comm="mktexpk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

The problem goes away if one runs the command that was saved in ~/missfont.log
and runs evince again on the same .dvi file.

Sebastien Bacher (seb128) wrote :

Thanks, it seems like the "mktexpk" command should be allowed in the profile then.

Sebastien Bacher (seb128) wrote :

in fact the command is already in the profile, the other scripts in web2c are not though

Changed in evince (Ubuntu):
status: New → Confirmed
affects: evince (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
tags: added: aa-policy
removed: apparmor