Apparmor denial when viewing print preview in evince

Bug #1431641 reported by Charles Lawrence
This bug affects 2 people
Affects            Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)  Invalid       Low         Unassigned
evince (Ubuntu)    Fix Released  Low         Jamie Strandboge

Bug Description

AppArmor Message. Preview and print still worked normally.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor 2.8.95~2430-0ubuntu5.1
ProcVersionSignature: Ubuntu 3.13.0-45.74-generic 3.13.11-ckt13
Uname: Linux 3.13.0-45-generic i686
ApportVersion: 2.14.1-0ubuntu3.7
Architecture: i386
CurrentDesktop: X-Cinnamon
Date: Thu Mar 12 20:15:45 2015
InstallationDate: Installed on 2014-12-11 (91 days ago)
InstallationMedia: Linux Mint 17.1 "Rebecca" - Release i386 20141126
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-45-generic root=/dev/mapper/mint--vg-root ro apparmor=1 security=apparmor apparmor=1 security=apparmor quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Charles Lawrence (chaso2001) wrote :
Christian Boltz (cboltz) wrote :

Relevant line from KernLog.txt (timestamp etc. removed):

apparmor="DENIED" operation="connect" profile="/usr/bin/evince-previewer" name="/run/dbus/system_bus_socket" pid=25608 comm="pool" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

Tyler Hicks (tyhicks) wrote :

Confirmed on Vivid (evince 3.14.2-0ubuntu1).

At first glance, it looks like the evince-previewer profile needs to '#include <dbus>' in order to connect to the system bus. However, testing is needed to confirm that there are no additional accesses needed after granting permission to connect to the system bus.

Marking as 'Low' since preview and print still work as expected.

tags: added: aa-policy
Changed in apparmor (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Tyler Hicks (tyhicks) wrote :

Marking the apparmor task as 'Invalid' since the evince AppArmor profile is shipped in the evince package.

Changed in apparmor (Ubuntu):
status: Triaged → Invalid
Changed in evince (Ubuntu):
status: New → Triaged
importance: Undecided → Low
summary: - Bug Apparmor on print preview Fotoxx
+ Apparmor denial when viewing print preview in evince
Jamie Strandboge (jdstrand) wrote :

Charles, can you adjust the evince-previewer policy in /etc/apparmor.d/usr.bin.evince to have:

...
/usr/bin/evince-previewer {
  #include <abstractions/dbus-strict>
  ...
}

Then reload the profile with:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

then try to reproduce the bug and report back?

Thanks!

Changed in evince (Ubuntu):
status: Triaged → Incomplete
Charles Lawrence (chaso2001) wrote : Re: [Bug 1431641] Re: Apparmor denial when viewing print preview in evince

Hi Jamie,

Thanks for getting back to me. I did as you requested and tried many
times to reproduce the bug, but to no avail. I guess this is good news.

Regards,

Charles

On 15-03-13 03:22 PM, Jamie Strandboge wrote:
> Charles, can you adjust the evince-previewer policy in
> /etc/apparmor.d/usr.bin.evince to have:
>
> ...
> /usr/bin/evince-previewer {
> #include <abstractions/dbus-strict>
> ...
> }
>
> Then reload the profile with:
> $ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince
>
> then try to reproduce the bug and report back?
>
> Thanks!
>
> ** Changed in: evince (Ubuntu)
> Status: Triaged => Incomplete
>

Jamie Strandboge (jdstrand) wrote :

It is good news :)

Changed in evince (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.14.2-0ubuntu2

---------------
evince (3.14.2-0ubuntu2) vivid; urgency=medium

  * debian/apparmor-profile: allow 'abstractions/dbus-strict' in previewer to
    silence denial with print previews (LP: #1431641)
 -- Jamie Strandboge <email address hidden> Mon, 06 Apr 2015 10:07:52 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Raymond (rrogers-b) wrote :

Added jdstrand's usr.bin.evince fix above to evince 3.10.3 in Ubuntu 14.04 trusty release and it seems to fix it.
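
Added example, not part of the original bug report or of the evince or apparmor packages: a small Python helper that parses a denial line like the one quoted in this thread and checks whether the denied profile's block already includes abstractions/dbus-strict, the change made in the fix. The syslog prefix and both profile texts are constructed for illustration, and the function names are hypothetical.

```python
import re
# Constructed inputs: the denial quoted in this thread behind a made-up syslog
# prefix, and a heavily simplified stand-in for /etc/apparmor.d/usr.bin.evince.
SAMPLE_LOG = ('Mar 12 20:15:40 host kernel: [  100.000000] type=1400 '
              'audit(1426191340.000:42): apparmor="DENIED" operation="connect" '
              'profile="/usr/bin/evince-previewer" name="/run/dbus/system_bus_socket" '
              'pid=25608 comm="pool" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0')
PROFILE_BEFORE = """
/usr/bin/evince {
  #include <abstractions/dbus-session>
  /usr/bin/evince-previewer Px,
}
/usr/bin/evince-previewer {
  #include <abstractions/base>
}
"""
PROFILE_AFTER = PROFILE_BEFORE.replace("base>", "base>\n  #include <abstractions/dbus-strict>")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {k: q or u for k, q, u in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def profile_includes(policy_text, profile_name):
    """Abstractions included at the top level of one profile block."""
    header = re.compile(r'(profile\s+)?' + re.escape(profile_name) + r'\s.*\{$')
    includes, depth = set(), 0
    for line in map(str.strip, policy_text.splitlines()):
        if depth == 0:              # still looking for the block header
            depth = 1 if header.match(line) else 0
            continue
        m = re.match(r'#?include\s+<([^>]+)>', line)
        if m and depth == 1:        # skip includes of nested blocks
            includes.add(m.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break
    return includes

def triage(log_line, policy_text):
    """Classify a denial and check the denied profile for the thread's fix."""
    d = parse_denial(log_line)
    if d is None:
        return None
    bus = (d.get("operation"), d.get("name")) == ("connect", "/run/dbus/system_bus_socket")
    inc = profile_includes(policy_text, d.get("profile", ""))
    return {"profile": d.get("profile"), "system_bus_connect": bus,
            "has_dbus_strict": "abstractions/dbus-strict" in inc}
```

Calling triage(SAMPLE_LOG, PROFILE_BEFORE) reports the system-bus connect denial against a profile that lacks the abstraction; with PROFILE_AFTER the same call reports it present, which is the state to expect after reloading with apparmor_parser -r.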
