AppArmor profile misses entry for /var/lib/snapd/desktop/applications/mimeinfo.cache

Bug #1712039 reported by ts on 2017-08-21
This bug affects 4 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned

Bug Description

The evince AppArmor profile seems to miss an entry for /var/lib/snapd/desktop/applications/mimeinfo.cache.
If evince is launched, the following gets logged to syslog:

kernel: [81577.596186] audit: type=1400 audit(1503306090.062:2011): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=32268 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I don't know if this should be allowed or denied. If you could add the correct behaviour to the profile, that would be nice; otherwise, every time evince is launched, a notification pops up (apparmor-notify installed).

(Workaround:

Add to original profile (/etc/apparmor.d/usr.bin.evince):
  #include <local/usr.bin.evince>

Insert into local profile (/etc/apparmor.d/local/usr.bin.evince):
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
)

Release: Ubuntu 16.04.3 LTS
Package Version: evince-common 3.18.2-1ubuntu4.1
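The denial line quoted above and the local-override workaround are the two halves of a routine profile fix: read the audit record, turn its path and denied_mask into an allow rule, and drop that rule into the local/ file that the shipped profile includes. The script below is an added example, not code from the bug report or from the apparmor package; it generalizes the single line above to any number of apparmor="DENIED" records, merging masks per (profile, path). The second log line in SAMPLE_LOG is constructed for illustration; the first is the one from this report. The helper names (parse_denials, suggest_rules, has_local_include) are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in this bug report,
# line 2 is a made-up second denial to show per-profile aggregation.
SAMPLE_LOG = """\
kernel: [81577.596186] audit: type=1400 audit(1503306090.062:2011): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/var/lib/snapd/desktop/applications/mimeinfo.cache" pid=32268 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [81580.100000] audit: type=1400 audit(1503306093.000:2012): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/var/lib/snapd/desktop/applications/foo.desktop" pid=32270 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs in an audit record
MASK_ORDER = "mrwalkx"                     # canonical permission order for stable rules


def parse_denials(text):
    """Return one dict of key/value fields per apparmor="DENIED" record."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        # Only file-access denials carry all three of these; skip anything else.
        if {"profile", "name", "denied_mask"} <= fields.keys():
            events.append(fields)
    return events


def suggest_rules(events):
    """Merge denied masks per (profile, path) and emit 'path perms,' allow rules.

    Returns {profile_name: [rule, ...]} with rules sorted by path.
    """
    masks = defaultdict(set)
    for ev in events:
        masks[(ev["profile"], ev["name"])].update(ev["denied_mask"])
    rules = {}
    for (profile, path), m in sorted(masks.items()):
        perms = "".join(c for c in MASK_ORDER if c in m)
        rules.setdefault(profile, []).append(f"{path} {perms},")
    return rules


def profile_file_name(profile):
    """Map an attached profile name to its file under /etc/apparmor.d/.

    Follows the packaging convention used by usr.bin.evince in this report:
    strip the leading '/' and replace the remaining '/' with '.'.
    """
    return profile.lstrip("/").replace("/", ".")


def has_local_include(profile_text, profile_name):
    """True if the shipped profile already includes local/<profile_name>.

    Accepts both the '#include <...>' spelling used in the report and the
    newer 'include <...>' form.
    """
    pat = re.compile(r"^\s*#?include\s+<local/" + re.escape(profile_name) + r">\s*$")
    return any(pat.match(l) for l in profile_text.splitlines())


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# add to /etc/apparmor.d/local/{profile_file_name(profile)}")
        for r in rules:
            print("  " + r)
```

The emitted rules are candidates for review, not something to apply blindly: a denial tells you what the confined program tried, and the rule you add should be the narrowest that matches the intended behaviour (here a read of mimeinfo.cache, hence `r` only). Keeping the addition in the local/ file, as the workaround does, means package upgrades to the shipped profile do not overwrite it.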

Sebastien Bacher (seb128) wrote :

The file is not specific to evince; that's probably better placed in a common file from apparmor itself, right?

affects: evince (Ubuntu) → apparmor (Ubuntu)
ts (tsdz) wrote :

The file itself may be not specific to evince, but the behaviour that evince tries to read it (and AppArmor denies that) is specific to the AppArmor profile file that gets delivered with evince-common (/etc/apparmor.d/usr.bin.evince).
That is why I think it affects the package evince, or evince-common, to be precise.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu5

---------------
apparmor (2.12-4ubuntu5) bionic; urgency=medium

  [ Didier Roche ]
  * debian/patches/ubuntu/communitheme-snap-support.patch:
    - support communitheme snap (LP: #1762983)

  [ Jamie Strandboge ]
  * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer
    chromium (LP: #1101298, LP: #1594589, LP: #1647142)
    - add attach_disconnected
    - allow reading /proc/vmstat
    - don't require owner match for /proc/pid/{stat,status} and task
      counterparts
    - adjust pci[0-9] to be pci[0-9a-f]
    - allow reading all uevents and /sys/devices/virtual/tty/tty0/active
    - allow ptracing xdgsettings and lsb-release
    - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/
    - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and
      distro-info
    - use 'm' on on sandbox
  * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading
    /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache
    (LP: #1712039)

 -- Jamie Strandboge <email address hidden> Tue, 17 Apr 2018 20:15:16 +0000

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released