Apparmor denial when viewing print preview in evince

Bug #1431641 reported by Charles Lawrence on 2015-03-13
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Unassigned
evince (Ubuntu)
Low
Jamie Strandboge

Bug Description

AppArmor Message. Preview and print still worked normally.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor 2.8.95~2430-0ubuntu5.1
ProcVersionSignature: Ubuntu 3.13.0-45.74-generic 3.13.11-ckt13
Uname: Linux 3.13.0-45-generic i686
ApportVersion: 2.14.1-0ubuntu3.7
Architecture: i386
CurrentDesktop: X-Cinnamon
Date: Thu Mar 12 20:15:45 2015
InstallationDate: Installed on 2014-12-11 (91 days ago)
InstallationMedia: Linux Mint 17.1 "Rebecca" - Release i386 20141126
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-45-generic root=/dev/mapper/mint--vg-root ro apparmor=1 security=apparmor apparmor=1 security=apparmor quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Charles Lawrence (chaso2001) wrote :
Christian Boltz (cboltz) wrote :

Relevant line from KernLog.txt (timestamp etc. removed):

apparmor="DENIED" operation="connect" profile="/usr/bin/evince-previewer" name="/run/dbus/system_bus_socket" pid=25608 comm="pool" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

Tyler Hicks (tyhicks) wrote :

Confirmed on Vivid (evince 3.14.2-0ubuntu1).

At first glance, it looks like the evince-previewer profile needs to '#include <dbus>' in order to connect to the system bus. However, testing is needed to confirm that there are no additional accesses needed after granting permission to connect to the system bus.

Marking as 'Low' since preview and print still work as expected.

tags: added: aa-policy
Changed in apparmor (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Tyler Hicks (tyhicks) wrote :

Marking the apparmor task as 'Invalid' since the evince AppArmor profile is shipped in the evince package.

Changed in apparmor (Ubuntu):
status: Triaged → Invalid
Changed in evince (Ubuntu):
status: New → Triaged
importance: Undecided → Low
summary: - Bug Apparmor on print preview Fotoxx
+ Apparmor denial when viewing print preview in evince
Jamie Strandboge (jdstrand) wrote :

Charles, can you adjust the evince-previewer policy in /etc/apparmor.d/usr.bin.evince to have:

...
/usr/bin/evince-previewer {
  #include <abstractions/dbus-strict>
  ...
}

Then reload the profile with:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

then try to reproduce the bug and report back?

Thanks!

Changed in evince (Ubuntu):
status: Triaged → Incomplete

Hi Jamie,

Thanks for getting back to me. I did as you requested and tried many
times to reproduce the bug, but to no avail. I guess this is good news.

Regards,

Charles

On 15-03-13 03:22 PM, Jamie Strandboge wrote:
> Charles, can you adjust the evince-previewer policy in
> /etc/apparmor.d/usr.bin.evince to have:
>
> ...
> /usr/bin/evince-previewer {
> #include <abstractions/dbus-strict>
> ...
> }
>
> Then reload the profile with:
> $ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince
>
> then try to reproduce the bug and report back?
>
> Thanks!
>
> ** Changed in: evince (Ubuntu)
> Status: Triaged => Incomplete
>

Jamie Strandboge (jdstrand) wrote :

It is good news :)

Changed in evince (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.14.2-0ubuntu2

---------------
evince (3.14.2-0ubuntu2) vivid; urgency=medium

  * debian/apparmor-profile: allow 'abstractions/dbus-strict' in previewer to
    silence denial with print previews (LP: #1431641)
 -- Jamie Strandboge <email address hidden> Mon, 06 Apr 2015 10:07:52 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Raymond (rrogers-b) wrote :

Added jdstrand's usr.bin.evince fix above to evince 3.10.3 in Ubuntu 14.04 trusty release and it seems to fix it.
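As an added example (not part of the original thread and not code from the evince or AppArmor projects), the following script parses the denial line quoted above and checks whether the named profile in a policy file already includes `abstractions/dbus-strict`. The policy text and all function names are constructed for illustration.

```python
import re

SYSTEM_BUS = "/run/dbus/system_bus_socket"
FIX = "abstractions/dbus-strict"  # abstraction named in the thread's fix
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Split an AppArmor kernel log message into its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def profile_body(policy, name):
    """Return the rules between the braces of profile `name`, or None."""
    head = re.search(r"^[ \t]*(?:profile[ \t]+)?" + re.escape(name)
                     + r"(?=\s)[^{\n]*\{", policy, re.M)
    if not head:
        return None
    depth, pos = 1, head.end()
    while pos < len(policy) and depth:  # braces in globs like {a,b} stay balanced
        depth += {"{": 1, "}": -1}.get(policy[pos], 0)
        pos += 1
    return policy[head.end():pos - 1] if depth == 0 else None

def lacks_dbus_strict(line, policy):
    """True: system-bus connect denial and the profile lacks dbus-strict.
    False: the profile already includes it. None: not applicable."""
    d = parse_denial(line)
    if "profile" not in d or (d.get("apparmor"), d.get("operation"),
                              d.get("name")) != ("DENIED", "connect", SYSTEM_BUS):
        return None
    body = profile_body(policy, d["profile"])
    if body is None:
        return None
    # "#include <...>" is an AppArmor directive, not a comment.
    includes = [l.strip() for l in body.splitlines()
                if l.strip().lstrip("#").startswith("include")]
    return not any(FIX in l for l in includes)

# Log line quoted in the thread; the policy text below is constructed.
DENIAL = ('apparmor="DENIED" operation="connect" profile="/usr/bin/evince-previewer" '
          'name="/run/dbus/system_bus_socket" pid=25608 comm="pool" '
          'requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0')
BEFORE = """/usr/bin/evince {
  #include <abstractions/dbus-strict>
}
/usr/bin/evince-previewer {
  #include <abstractions/base>
}
"""
AFTER = BEFORE.replace("<abstractions/base>\n",
                       "<abstractions/base>\n  #include <abstractions/dbus-strict>\n")

if __name__ == "__main__":
    print(lacks_dbus_strict(DENIAL, BEFORE), lacks_dbus_strict(DENIAL, AFTER))
```

The check only reports whether the include is present; as noted earlier in the thread, further accesses may still be denied once the connection to the system bus is allowed.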
