evince-thumbnailer gets permission denied from apparmor (and hangs the system for long periods of time)

Bug #778638 reported by Andre D on 2011-05-06
This bug affects 22 people
Affects           Importance  Assigned to
evince (Ubuntu)   Low         Jamie Strandboge
Natty             Low         Marc Gariépy

Bug Description

Binary package hint: evince

On my workstation (10.65.4.190), my $(HOME) is mounted from an nfs server (10.65.21.2) and for some reason apparmor denies evince-thumbnailer to do its work. This causes _long_ delays blocking the complete desktop for many minutes every now and then:

[ 97.012905] type=1400 audit(1304700706.641:24): apparmor="DENIED" operation="sendmsg" parent=2437 profile="/usr/bin/evince-thumbnailer" pid=2464 comm="evince-thumbnai" laddr=10.65.4.190 lport=712 faddr=10.65.21.2 fport=2049 family="inet" sock_type="stream" protocol=6
[ 97.012921] nfs: RPC call returned error 13

This is on maverick, but also on oneiric

evince version: 2.32.0-0ubuntu12.1
apparmor version: 2.6.1-0ubuntu3

Andre D (ad-andred) wrote :

Sorry, not on maverick, but on natty and oneiric

James Turner (james-turner) wrote :

Not experienced the hanging issue, but operation of evince-thumbnailer over the network is restricted as of 2.32.0-0ubuntu10 - see bug #720961. One of the knock-on effects of this is that thumbnails of PDF files, etc, no longer work on NFS shares. The fault reported here may be a regression issue arising from this change?

Arne Hanssen (kingel) wrote :

I'm also experiencing this problem - a temporary solution is disabling the evince profile with the command
apparmor_parser -R /etc/apparmor.d/usr.bin.evince
before using evince. Otherwise evince becomes useless. Does anyone know how to fix this?

Philip Langdale (langdalepl) wrote :

Yeah, it's a result of that change. If you re-include abstractions/nameservice for evince-thumbnailer, it works with files over nfs again. This is not unreasonable functionality, so a way should be found to allow previews for nfs files while restricting more general, undesirable, access.

Hi,
My workstation on Natty hangs with the same messages.
Regards.

Harald Rudell (harald-rudell) wrote :

Have it, too: natty x64 box uses share from maverick x86

double-click a pdf in Nautilus on nfs-share file: hangs evince, Nautilus, and any Terminal trying to ls the nfs share

get-around is (as mentioned):
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince

Arne Hanssen (kingel) wrote :

Better work-around is, as mentioned by Philip Langdale, editing the file
/etc/apparmor.d/usr.bin.evince
like this (insert the nameservice-line):

/usr/bin/evince-thumbnailer {
  #include <abstractions/evince>
  #include <abstractions/nameservice>
:

abssorb (abssorb) wrote :

Also experiencing this. /home mounted from server by autofs 11.04 64 bit.

dr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 650.501418] nfs: RPC call returned error 13
[ 653.513082] type=1400 audit(1307380623.806:126): apparmor="DENIED" operation="sendmsg" parent=1 profile="/usr/bin/evince-thumbnailer" pid=2999 comm="evince-thumbnai" laddr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 653.513106] nfs: RPC call returned error 13
[ 656.521924] type=1400 audit(1307380626.816:127): apparmor="DENIED" operation="sendmsg" parent=1 profile="/usr/bin/evince-thumbnailer" pid=2999 comm="evince-thumbnai" laddr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 656.521939] nfs: RPC call returned error 13

Claudio Bernardini (claudiob) wrote :

Modifying /etc/apparmor.d/usr.bin.evince as mentioned by Philip Langdale and suggested by Arne Hanssen worked for me.
This is a serious problem for a network of Ubuntu 11.04 clients with NFS network access.

Changed in evince (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
tags: added: apparmor

Jamie Strandboge (jdstrand) wrote :

To re-enable network access, you can add the following to the '/usr/bin/evince-thumbnailer' stanza in /etc/apparmor.d/usr.bin.evince:
  # TCP/UDP network access
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

Then do:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

It should be noted that the default install of Ubuntu uses 'Local Files Only' for thumbnailing via nautilus, and changing this preference back to the default should also work around this issue.
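
Added example (not part of the original report, and not AppArmor's own tooling): a small Python parser for DENIED records like the ones quoted in this bug, which derives the narrowest `network <family> <type>,` rule each denial corresponds to and lists the remote endpoints involved. The function names are hypothetical; the sample lines are copied from the log excerpts in the comments above.

```python
import re
from collections import Counter

# Sample input: lines copied from the log excerpts quoted in this report.
SAMPLE_LOG = '''\
[ 97.012905] type=1400 audit(1304700706.641:24): apparmor="DENIED" operation="sendmsg" parent=2437 profile="/usr/bin/evince-thumbnailer" pid=2464 comm="evince-thumbnai" laddr=10.65.4.190 lport=712 faddr=10.65.21.2 fport=2049 family="inet" sock_type="stream" protocol=6
[ 97.012921] nfs: RPC call returned error 13
[ 653.513082] type=1400 audit(1307380623.806:126): apparmor="DENIED" operation="sendmsg" parent=1 profile="/usr/bin/evince-thumbnailer" pid=2999 comm="evince-thumbnai" laddr=192.168.1.24 lport=725 faddr=192.168.1.99 fport=2049 family="inet" sock_type="stream" protocol=6
[ 653.513106] nfs: RPC call returned error 13
'''

# key=value or key="quoted value" pairs as they appear in audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of fields per AppArmor DENIED record; skip other lines."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: quoted or bare for k, quoted, bare in KV.findall(line)})
    return records


def suggest_network_rules(records):
    """Count, per profile, the narrowest `network <family> <type>,` rule
    that each network denial corresponds to."""
    rules = Counter()
    for r in records:
        if "family" in r and "sock_type" in r:
            rule = f'network {r["family"]} {r["sock_type"]},'
            rules[(r.get("profile", "?"), rule)] += 1
    return rules


def remote_endpoints(records):
    """Set of (remote address, remote port) pairs the denied traffic targeted."""
    return {(r["faddr"], r["fport"]) for r in records if "faddr" in r and "fport" in r}


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for (profile, rule), n in suggest_network_rules(denials).items():
        print(f"{profile}: {n} denial(s) -> {rule}")
    # fport 2049 is the NFS port, matching the "nfs: RPC call" errors in the log
    print(sorted(remote_endpoints(denials)))
```

For the records quoted in this report, the only combination that appears is inet/stream traffic to port 2049 on the NFS server.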

Changed in evince (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in evince (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand)
status: Triaged → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.0.2-0ubuntu3

---------------
evince (3.0.2-0ubuntu3) oneiric; urgency=low

  * debian/apparmor-profile: re-enable networking for the thumbnailer for
    people who have configured nautilus to preview remote files when using
    NFS. This reverts the fix for LP 720961.
    - LP: #778638
 -- Jamie Strandboge <email address hidden> Wed, 22 Jun 2011 13:35:48 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released

Nico Haase (nicohaase) wrote :

Will there also be a fix for Natty?

Giovanni Bajo (giovannibajo) wrote :

Can we please get a backport for Natty?

Marc Gariépy (mgariepy) wrote :

Here is the debdiff for the package in natty.

Changed in evince (Ubuntu Natty):
status: New → Triaged
tags: added: patch-needswork

Jamie Strandboge (jdstrand) wrote :

Marc, thanks for your patch!

The patch looks good except that you included the fix for bug #807507 as part of the patch, but didn't include it in the changelog. Since it isn't clear what the intent is here, please either update the patch to remove this fix or update the changelog to include a description of this fix (and update bug #807507 according to https://wiki.ubuntu.com/StableReleaseUpdates).

Please mark the bug back to 'Confirmed' and resubscribe ubuntu-sponsors when the changes are complete. Thanks again.

Changed in evince (Ubuntu Natty):
assignee: nobody → Marc Gariépy (mgariepy)
importance: Undecided → Low
status: Triaged → Incomplete

Marc Gariépy (mgariepy) wrote :

updated patch, removing the patch from the other bug.

Changed in evince (Ubuntu Natty):
status: Incomplete → Confirmed

Stéphane Graber (stgraber) wrote :

Looks good, uploaded.

Changed in evince (Ubuntu Natty):
status: Confirmed → Fix Committed

Hello Andre, or anyone else affected,

Accepted evince into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed

Konrad Hofer (konrad.hofer) wrote :

works ok for me. When is the package in updates?

Martin Pitt (pitti) wrote :

Thanks for testing! Should go into -updates in 3 days, when the 7 days regression test/reporting period is over.

tags: added: verification-done
removed: verification-needed

Glad to find an answer for this thumbnailer issue. I've just tested the proposed packages and they also work for me.

It's worth mentioning that you need to install both evince and evince-common packages from proposed:

 aptitude install evince/natty-proposed evince-common/natty-proposed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu12.3

---------------
evince (2.32.0-0ubuntu12.3) natty-proposed; urgency=low

  * debian/apparmor-profile: enable networking for the thumbnailer for
    people who have configured nautilus to preview remote files when using
    NFS. (LP: #778638)
 -- Marc Gariepy <email address hidden> Wed, 31 Aug 2011 11:42:48 -0400

Changed in evince (Ubuntu Natty):
status: Fix Committed → Fix Released