Comment 10 for bug 1448778

Seth Arnold (seth-arnold) wrote :

Nearly all the AppArmor rules provided by upstream AppArmor include 'owner' prefixes on files and directories within user home directories. This is intentional -- for example, the <abstractions/fonts> file includes:

  owner @{HOME}/.fonts.conf r,
  owner @{HOME}/.fonts/ r,
  owner @{HOME}/.fonts/** r,
  owner @{HOME}/.local/share/fonts/ r,
  owner @{HOME}/.local/share/fonts/** r,
  owner @{HOME}/.fonts.cache-2 mr,
  owner @{HOME}/.{,cache/}fontconfig/ r,
  owner @{HOME}/.{,cache/}fontconfig/** mrl,
  owner @{HOME}/.fonts.conf.d/ r,
  owner @{HOME}/.fonts.conf.d/** r,
  owner @{HOME}/.config/fontconfig/ r,
  owner @{HOME}/.config/fontconfig/** r,

  /usr/local/share/fonts/ r,
  /usr/local/share/fonts/** r,

Whoever owns the fonts in your ~/.fonts/ directory can probably gain execution privileges by whatever program is rendering the fonts.

You could store your fonts in /usr/local/share/fonts/ if they are appropriate for multiple users on the system.

Or you could amend /etc/apparmor.d/local/usr.bin.evince if you want these fonts to be available to evince without storing them in /usr/local/share/fonts/.

Thanks
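An added diagnostic, not part of the comment above and not AppArmor's own code: an `owner` rule matches only when the file's owner is the same as the fsuid of the confined process, so this script lists entries under the home-directory font paths from the quoted abstraction that belong to a different uid and would not match those rules. The function names and path list are assumptions made for this example; the paths are copied from the excerpt with `.{,cache/}fontconfig` expanded by hand.

```python
import os
import sys

# Home-relative locations covered by 'owner' rules in the abstractions/fonts
# excerpt quoted above ('.{,cache/}fontconfig' expanded by hand).
OWNER_RULE_PATHS = [
    ".fonts.conf",
    ".fonts",
    ".local/share/fonts",
    ".fonts.cache-2",
    ".fontconfig",
    ".cache/fontconfig",
    ".fonts.conf.d",
    ".config/fontconfig",
]


def _entries(root):
    """Yield root itself and, if it is a real directory, everything below it."""
    yield root
    if os.path.isdir(root) and not os.path.islink(root):
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                yield os.path.join(dirpath, name)


def foreign_owned(home, uid):
    """Return sorted (path, owner_uid) pairs that an 'owner' rule would not match."""
    hits = []
    for rel in OWNER_RULE_PATHS:
        root = os.path.join(home, rel)
        if not os.path.lexists(root):
            continue
        for path in _entries(root):
            try:
                st = os.lstat(path)  # owner of the entry itself, not a symlink target
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if st.st_uid != uid:
                hits.append((path, st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, owner in foreign_owned(home, os.getuid()):
        print(f"uid {owner} owns {path}")
```

Any path it prints is a file whose owner, not the logged-in user, controls what the font-rendering program would load; an empty result means the `owner` rules are not the reason a font is unavailable.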