AppArmor profile misses entry for /var/lib/snapd/desktop/applications/mimeinfo.cache

Bug #1712039 reported by ts
This bug affects 4 people

Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The evince AppArmor profile seems to miss an entry for /var/lib/snapd/desktop/applications/mimeinfo.cache.
If evince is launched, the following gets logged to syslog:

kernel: [81577.596186] audit: type=1400 audit(1503306090.062:2011): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=32268 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I don't know if this should be allowed or denied. If you could add the correct behaviour to the profile, that would be nice; otherwise, every time evince is launched, a notification pops up (apparmor-notify installed).

(Workaround:

Add to original profile (/etc/apparmor.d/usr.bin.evince):
  #include <local/usr.bin.evince>

Insert into local profile (/etc/apparmor.d/local/usr.bin.evince):
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
)

Release: Ubuntu 16.04.3 LTS
Package Version: evince-common 3.18.2-1ubuntu4.1
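As an added example (not part of the report or of the apparmor package), the following Python turns audit lines like the one above into candidate rules for the local override profile the workaround describes, grouped per confined profile. The sample log is constructed from the reported line, and the /etc/apparmor.d/local/usr.bin.evince naming is assumed to follow the report's convention; on other systems the profile name and the file name can differ.

```python
"""Turn AppArmor DENIED audit lines into candidate file rules for a local
override profile (/etc/apparmor.d/local/<profile>), for review by an admin."""
import re
from collections import defaultdict

# Constructed sample log: the denial from the report, a duplicate of it, and an
# ALLOWED line (complain mode) that must not produce a rule.
SAMPLE_LOG = """\
kernel: [81577.596186] audit: type=1400 audit(1503306090.062:2011): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=32268 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [81577.600001] audit: type=1400 audit(1503306090.070:2012): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=32268 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [81578.000000] audit: type=1400 audit(1503306091.000:2013): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/etc/fstab" pid=32268 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as written by the audit subsystem
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denials_to_rules(log_text):
    """Map each profile to sorted, de-duplicated file rules that would cover
    its DENIED file operations. Only events carrying name= and denied_mask=
    (file accesses) are handled; other event kinds are skipped."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        if 'name' not in f or 'denied_mask' not in f:
            continue
        path = f['name']
        if ' ' in path:  # AppArmor requires paths containing spaces to be quoted
            path = '"%s"' % path
        rules[f['profile']].add('%s %s,' % (path, f['denied_mask']))
    return {profile: sorted(r) for profile, r in rules.items()}


def local_override_path(profile):
    """Assumed naming: profile /usr/bin/evince -> /etc/apparmor.d/local/usr.bin.evince."""
    return '/etc/apparmor.d/local/' + profile.lstrip('/').replace('/', '.')


if __name__ == '__main__':
    for profile, lines in denials_to_rules(SAMPLE_LOG).items():
        print('# proposed additions to', local_override_path(profile))
        print('\n'.join(lines))
```

The output is a proposal to review, not to apply blindly: a denial only tells you what the program tried, not whether the profile should permit it.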

Revision history for this message
Sebastien Bacher (seb128) wrote :

The file is not specific to evince, that's probably better placed in a common file from apparmor itself, right?

affects: evince (Ubuntu) → apparmor (Ubuntu)
ts (tsdz) wrote :

The file itself may not be specific to evince, but the behaviour that evince tries to read it (and AppArmor denies that) is specific to the AppArmor profile file that gets delivered with evince-common (/etc/apparmor.d/usr.bin.evince).
That is why I think it affects the package evince, or evince-common, to be precise.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu5

---------------
apparmor (2.12-4ubuntu5) bionic; urgency=medium

  [ Didier Roche ]
  * debian/patches/ubuntu/communitheme-snap-support.patch:
    - support communitheme snap (LP: #1762983)

  [ Jamie Strandboge ]
  * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer
    chromium (LP: #1101298, LP: #1594589, LP: #1647142)
    - add attach_disconnected
    - allow reading /proc/vmstat
    - don't require owner match for /proc/pid/{stat,status} and task
      counterparts
    - adjust pci[0-9] to be pci[0-9a-f]
    - allow reading all uevents and /sys/devices/virtual/tty/tty0/active
    - allow ptracing xdgsettings and lsb-release
    - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/
    - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and
      distro-info
    - use 'm' on sandbox
  * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading
    /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache
    (LP: #1712039)

 -- Jamie Strandboge <email address hidden> Tue, 17 Apr 2018 20:15:16 +0000

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released