[apparmor] evince needs access to /dev/.udev/data/b

Bug #766882 reported by Oleksij Rempel
This bug affects 6 people
Affects           Status        Importance  Assigned to       Milestone
evince (Ubuntu)   Fix Released  Medium      Jamie Strandboge
  Natty           Fix Released  Medium      Jamie Strandboge
  Oneiric         Fix Released  Medium      Jamie Strandboge

Bug Description

Binary package hint: evince

I get a warning in dmesg about denied access:
[ 567.296832] type=1400 audit(1303280769.949:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/dev/.udev/data/b8:13" pid=3292 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 567.298080] type=1400 audit(1303280769.951:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/dev/.udev/data/b8:13" pid=3292 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Looks like the apparmor rule should be corrected to allow it:
  /dev/.udev/db/* r,
+ /dev/.udev/data/b[0-9]* r,
  /etc/udev/udev.conf r,
  /sys/devices/**/block/**/uevent r,

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: evince 2.32.0-0ubuntu12
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 2.6.39-rc2-00041-gdaab147 x86_64
Architecture: amd64
Date: Wed Apr 20 08:48:32 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha amd64 (20100803.1)
ProcEnviron:
 LANGUAGE=C:de_DE:en
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: evince
UpgradeStatus: Upgraded to natty on 2011-03-17 (33 days ago)

Oleksij Rempel (olerem) wrote :
Changed in evince (Ubuntu):
status: New → Triaged
Changed in evince (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → natty-updates
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

1. When people use evince, apparmor spams the syslog.

2. This has not been fixed in Oneiric (which isn't open yet)

3. Patch is very small:
- /dev/.udev/db/* r,
+ /dev/.udev/{data,db}/* r,
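Review bot: the replacement rule `/dev/.udev/{data,db}/* r,` is scoped to the `/dev/.udev` prefix, and a single `*` does not cross a path separator, so it covers the reported `/dev/.udev/data/b8:13` but nothing under a different runtime directory; the later comments on this report show the identical denial for `/run/udev/data/b253:3`, which this hunk leaves unaddressed and which would need its own line such as `/run/udev/data/* r,`.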

4. TEST CASE
$ evince /usr/share/doc/shared-mime-info/shared-mime-info-spec.pdf
$ tail /var/log/kern.log
...
Apr 22 13:38:09 sec-natty-amd64 kernel: [ 72.743938] type=1400 audit(1303497489.238:24): apparmor="DENIED" operation="open" parent=1342 profile="/usr/bin/evince" name="/dev/.udev/data/b252:1" pid=1469 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

5. Regression potential is very low, we are only adding access, not taking away.

Changed in evince (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Uploaded to natty-proposed.

Changed in evince (Ubuntu):
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Accepted evince into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Pedro Villavicencio (pedro) wrote :

I've verified the proposed package, it indeed fixes the bug and haven't noticed any regressions with it so far, marking this as verification done, thanks all.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu12.1

---------------
evince (2.32.0-0ubuntu12.1) natty-proposed; urgency=low

  * update debian/apparmor-profile.abstraction to account for move of
    /dev/.udev/db/ to /dev/.udev/data/ (LP: #766882)
 -- Jamie Strandboge <email address hidden> Fri, 22 Apr 2011 12:40:41 -0500

Changed in evince (Ubuntu Natty):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Copied to oneiric as well.

Changed in evince (Ubuntu Oneiric):
milestone: natty-updates → none
status: Fix Committed → Fix Released
Chris (cmavr8) wrote :

Running 2.32.0-0ubuntu12.1 on 11.04, the problem still exists!

Also, sporadically it causes the kernel to panic (I suspect). Computer is unresponsive, even Alt+PrtSc+S,U,B does not work, and caps lock light flashes forever. Battery/plug pull is needed.

Matthias Schmidt (mschmidt) wrote :

Hit this bug with evince 3.2.0-0ubuntu1 on oneiric amd64 from today. AppArmor version is 2.7.0~beta1+bzr1774-1ubuntu2.

The following appears in syslog:

data/b253:0" pid=30395 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 6 18:08:26 hyperion kernel: [17345.346603] type=1400 audit(1317917306.273:66): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:0" pid=30398 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 6 18:08:26 hyperion kernel: [17345.419773] type=1400 audit(1317917306.349:67): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:0" pid=30398 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 6 18:08:26 hyperion kernel: [17345.431795] type=1400 audit(1317917306.361:68): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:0" pid=30398 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[...]

tags: added: oneiric
Matthias Schmidt (mschmidt) wrote :

Forget my last comment (#9). My problem is with /run/udev/data while this bug is about /dev/.udev. Sorry for the noise. Nevertheless, mine is still a bug :)

Jamie Strandboge (jdstrand) wrote :

Matthias, can you file a new bug?

MFeif (matt-feifarek) wrote :

I'm still having this bug, and it does seem like it's hard-crashing my system. I want to get my stability back, but I can't uninstall evince since gnome-core and about 50 other packages seem to depend on it.

I'm on Oneiric 64, I have evince 3.2.1-0ubuntu2.2 and apparmor 2.7.0~beta1+bzr1774-1ubuntu2

The mentioned change in the files IS present:
- /dev/.udev/db/* r,
+ /dev/.udev/{data,db}/* r,

The errors in the log are like this:
Apr 2 11:16:01 dude kernel: [ 6565.133886] type=1400 audit(1333383361.979:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24587 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 2 11:16:02 dude kernel: [ 6565.197633] type=1400 audit(1333383362.043:33): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24586 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 2 11:16:02 dude kernel: [ 6565.198459] type=1400 audit(1333383362.043:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24587 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 2 11:16:02 dude kernel: [ 6565.198680] type=1400 audit(1333383362.043:35): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24587 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 2 11:16:02 dude kernel: [ 6565.214287] type=1400 audit(1333383362.059:36): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24587 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 2 11:16:05 dude kernel: [ 6568.268409] type=1400 audit(1333383365.115:37): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24586 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 2 11:16:07 dude kernel: [ 6570.325875] type=1400 audit(1333383367.171:38): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:3" pid=24586 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Wladimir J. van der Laan (laanwj) wrote :

Regressed for me (on Oneiric):

[ 153.236490] type=1400 audit(1336382759.333:995): apparmor="DENIED" operation="open" parent=2367 profile="/usr/bin/evince" name="/run/udev/data/b8:17" pid=3398 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I had to add to /etc/apparmor.d/abstractions/evince:

    /run/udev/data/* r,

Jamie Strandboge (jdstrand) wrote :

/dev/.udev/data/** was fixed in 11.10, but /run/udev/data/** was not. This is likely not going to be fixed since 11.10 is in maintenance mode now.

== Workaround ==
Add to /etc/apparmor.d/local/usr.bin.evince:
deny /run/udev/data/** r,

Then perform:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince
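The thread above turns on one detail: the shipped fix `/dev/.udev/{data,db}/* r,` matches the natty denials but not the later `/run/udev/data/...` ones, and the workaround uses an explicit `deny` rule rather than an allow. The script below is an added example, not part of this bug report or of the evince package: it parses the `type=1400` AppArmor DENIED lines quoted in the report and checks each denied path against a candidate rule set using AppArmor's file-glob semantics (`*` stops at `/`, `**` crosses it, `{a,b}` alternation, `[...]` character classes). The rule lists `FIXED_RULES`, `WORKAROUND_RULES` and `EXTENDED_RULES` are small fragments I assembled from the comments, not the full abstraction file, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Two AppArmor denial lines copied from this bug report (one from the natty
# description, one from the oneiric comments) so the script runs offline.
SAMPLE_LOG = """\
[ 567.296832] type=1400 audit(1303280769.949:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/dev/.udev/data/b8:13" pid=3292 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 6 18:08:26 hyperion kernel: [17345.346603] type=1400 audit(1317917306.273:66): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/run/udev/data/b253:0" pid=30398 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Candidate rule fragments assembled from the comments (hypothetical, not the
# shipped abstraction file).
FIXED_RULES = ["/dev/.udev/{data,db}/* r,", "/etc/udev/udev.conf r,"]  # the 12.1 fix
WORKAROUND_RULES = FIXED_RULES + ["deny /run/udev/data/** r,"]         # jdstrand's local override
EXTENDED_RULES = FIXED_RULES + ["/run/udev/data/* r,"]                 # laanwj's addition

AUDIT_RE = re.compile(
    r'apparmor="(?P<action>[A-Z_]+)"\s+operation="(?P<operation>[^"]*)".*?'
    r'profile="(?P<profile>[^"]*)"\s+name="(?P<name>[^"]*)".*?'
    r'requested_mask="(?P<mask>[^"]*)"'
)
RULE_RE = re.compile(r"^\s*(?P<deny>deny\s+)?(?P<path>\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$")


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Extract profile, path and requested mask from one type=1400 audit line."""
    m = AUDIT_RE.search(line)
    if m is None or m.group("action") != "DENIED":
        return None
    return m.groupdict()


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AppArmor file glob into an anchored regex.

    '*' = any run of characters except '/', '**' = any run including '/',
    '?' = one non-'/' character, '{a,b}' = alternation, '[...]' = character
    class; everything else is literal.
    """
    out: List[str] = []
    depth = 0
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError(f"unterminated character class in {pattern!r}")
            out.append(pattern[i:j + 1])  # AppArmor class syntax is regex-compatible
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError(f"unbalanced braces in {pattern!r}")
    return re.compile("^" + "".join(out) + "$")


def classify(rules: List[str], path: str, mask: str) -> str:
    """Return 'allowed', 'denied' (explicit deny rule) or 'unmatched' (logged DENIED)."""
    needed = set(mask)
    parsed = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"cannot parse rule {rule!r}")
        parsed.append((bool(m.group("deny")), glob_to_regex(m.group("path")), set(m.group("perms"))))
    # Explicit deny rules take precedence over allow rules in AppArmor.
    for is_deny, rx, perms in parsed:
        if is_deny and rx.match(path) and needed & perms:
            return "denied"
    for is_deny, rx, perms in parsed:
        if not is_deny and rx.match(path) and needed <= perms:
            return "allowed"
    return "unmatched"


def evaluate(log: str, rules: List[str]) -> Dict[str, str]:
    """Map each denied path found in the log to its outcome under the given rules."""
    outcome: Dict[str, str] = {}
    for line in log.splitlines():
        d = parse_denial(line)
        if d is not None:
            outcome[d["name"]] = classify(rules, d["name"], d["mask"])
    return outcome


if __name__ == "__main__":
    for label, rules in [("fix", FIXED_RULES), ("workaround", WORKAROUND_RULES), ("extended", EXTENDED_RULES)]:
        print(label, evaluate(SAMPLE_LOG, rules))
```

Running it shows the `/dev/.udev/data/b8:13` path as allowed under the fix while `/run/udev/data/b253:0` stays unmatched, which is the regression the oneiric commenters saw; the `deny` line from the workaround turns that path into an explicit denial, and since AppArmor does not log explicit `deny` matches unless the rule carries the `audit` qualifier, that is what stops the syslog spam without granting evince any new access, whereas the `/run/udev/data/* r,` line grants it.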
