evince can't access locale-related files because apparmor settings are too strict

Bug #413454 reported by Martijn vdS on 2009-08-14
This bug affects 3 people
Affects: apparmor (Ubuntu) | Importance: High | Assigned to: Jamie Strandboge
Affects: evince (Ubuntu) | Importance: High | Assigned to: Jamie Strandboge

Bug Description

Binary package hint: evince

The AppArmor profile included with evince 2.27.90-0ubuntu2 seems to be too restrictive, as evince can't read its localization files anymore, according to dmesg:

[343924.228908] type=1503 audit(1250235605.374:41): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/evince.mo"
[343924.234642] type=1503 audit(1250235605.378:42): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/gtk20-properties.mo"
[343924.464463] type=1503 audit(1250235605.606:43): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/libc.mo"
[343924.639313] type=1503 audit(1250235605.782:44): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/atk10.mo"
[343927.274672] type=1503 audit(1250235608.418:45): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/cups/locale/nl/cups_nl.po"

Also, when started remotely (ssh -X somehost evince), evince tries to execute dbus-launch, which fails:

[345494.473059] type=1503 audit(1250237175.618:49): operation="exec" pid=16433 parent=16430 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"

Architecture: amd64
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: nvidia
Package: evince 2.27.90-0ubuntu2
PackageArchitecture: amd64
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=nl_NL.UTF-8
 LANGUAGE=nl_NL:nl
ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
Uname: Linux 2.6.31-5-generic x86_64
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin plugdev scanner video

tags: added: apport-collected
summary: - New evince can't access locale-related files
+ evince can't access locale-related files because pparmor settings are
+ too strict
summary: - evince can't access locale-related files because pparmor settings are
+ evince can't access locale-related files because apparmor settings are
too strict
Changed in evince (Ubuntu):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
KUmo (shiragumo) wrote :

Confirmed,
this restriction also crashes evince when trying to view *.djvu files.

Aug 14 10:58:28 xxxx kernel: [ 3317.879147] type=1503 audit(1250240215.088:174): operation="open" pid=30039 parent=4824 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/djvu/osi/languages.xml"

Adding
  /usr/share/djvu/** r,
  /usr/share/locale-langpack/** r,
to the apparmor profile fixes this for me.

$ apt-cache policy evince
evince:
  Installed: 2.27.90-0ubuntu2
  Candidate: 2.27.90-0ubuntu2
  Version table:
     2.27.90-0ubuntu2 0
        500 http://archive.ubuntu.com karmic/main Packages
 *** 2.27.90-0ubuntu2 0
        100 /var/lib/dpkg/status
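
The following Python script is an added example, not part of the original report or of AppArmor's own tooling. It parses the type=1503 denial records quoted above and lists which of them the two proposed rules would not match; the function names and the simplified glob handling (only `*` and `**`) are assumptions of this example.

```python
import re

# Four of the denial records quoted in this report, copied verbatim.
SAMPLE = '''\
[343924.228908] type=1503 audit(1250235605.374:41): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/locale-langpack/nl/LC_MESSAGES/evince.mo"
[343927.274672] type=1503 audit(1250235608.418:45): operation="open" pid=16097 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/cups/locale/nl/cups_nl.po"
[345494.473059] type=1503 audit(1250237175.618:49): operation="exec" pid=16433 parent=16430 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/dbus-launch"
Aug 14 10:58:28 xxxx kernel: [ 3317.879147] type=1503 audit(1250240215.088:174): operation="open" pid=30039 parent=4824 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/djvu/osi/languages.xml"
'''

# The two rules proposed in the comment above, as (path glob, permissions).
PROPOSED = [("/usr/share/djvu/**", "r"), ("/usr/share/locale-langpack/**", "r")]

# key=value or key="value" pairs as they appear in the audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of fields per AppArmor denial (type=1503) line."""
    records = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("type") == "1503" and "denied_mask" in fields:
            records.append(fields)
    return records


def rule_regex(glob):
    """Translate a path rule to a regex: ** crosses '/', * does not (simplified)."""
    parts = re.split(r"(\*\*|\*)", glob)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile(body + r"\Z")


def uncovered(records, rules):
    """List (profile, operation, path, mask) denials that no rule in `rules` grants."""
    missing = []
    for rec in records:
        mask = rec["denied_mask"].strip(":")  # "::r" -> "r", "::x" -> "x"
        granted = any(rule_regex(glob).match(rec["name"]) and set(mask) <= set(perms)
                      for glob, perms in rules)
        if not granted:
            missing.append((rec["profile"], rec["operation"], rec["name"], mask))
    return missing


if __name__ == "__main__":
    for profile, operation, path, mask in uncovered(parse_denials(SAMPLE), PROPOSED):
        print(f"{profile}: {operation} {path} ({mask}) not matched by proposed rules")
```

On the records embedded above, it reports the cups locale file and the dbus-launch exec as not matched by the two rules.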

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
Changed in evince (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu12

---------------
apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low

  * abstractions/base: add more locale paths (LP: #413454)

 -- Jamie Strandboge <email address hidden> Fri, 14 Aug 2009 07:31:03 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.27.90-0ubuntu3

---------------
evince (2.27.90-0ubuntu3) karmic; urgency=low

  * debian/apparmor-profiles.abstraction: allow opening of djvu files
    (LP: #413454)
  * debian/evince.postint: update timestamp on usr.bin.evince to force
    apparmor cache regeneration (needed when updating just the abstraction)

 -- Jamie Strandboge <email address hidden> Fri, 14 Aug 2009 07:33:20 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Martijn vdS (martijn) wrote :

This wasn't fixed completely.

One thing I've discovered that still fails is launching the web browser (the one set in Gnome "preferred application" settings, dynamically). I imagine the same thing happens for email clients/email address links.

Changed in evince (Ubuntu):
status: Fix Released → Confirmed
Changed in apparmor (Ubuntu):
status: Fix Released → Confirmed
Jamie Strandboge (jdstrand) wrote :

The web browser issue was bug #414114. Can you make sure you have 2.27.90-0ubuntu4 installed and report back? If it is still an issue, please attach your kern.log.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in evince (Ubuntu):
status: Confirmed → Incomplete
Martijn vdS (martijn) wrote :

Ah, apparently I'd missed that upgrade. Sorry.

Changed in evince (Ubuntu):
status: Incomplete → Fix Released