AppArmor not allowing evince to read files needed for theming

Bug #460125 reported by ApathyFace
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Karmic | Fix Released | Undecided | Jamie Strandboge |

Bug Description

Binary package hint: evince

This appears to be similar to several bugs already posted and fixed related to the evince AppArmor profile -- but it seems that in my case, the files being blocked are actually inside of my home folder (~/.icons/ and ~/.themes), which appears to be different than some of the other bugs.

When AppArmor is active, the evince GTK theme is the ugly boxy fallback theme instead of my custom theme. When I disable AppArmor and start up evince, my theme comes up just fine.

Evince version: 2.28.1-0ubuntu1

I upgraded from 9.04 to 9.10 via update-manager.

ProblemType: Bug
Architecture: amd64
Date: Sat Oct 24 20:21:02 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/evince
NonfreeKernelModules: nvidia
Package: evince 2.28.1-0ubuntu1
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: evince
Uname: Linux 2.6.31-14-generic x86_64

ApathyFace (prosenfeld) wrote :
affects: evince (Ubuntu) → apparmor (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this bug has already been reported. Please review https://wiki.ubuntu.com/DebuggingApparmor#Adjusting%20Tunables as well as the information and solution in bug #447292.

You can see this specifically with this entry:
Oct 24 20:20:57 conundrum kernel: [14551.485942] type=1503 audit(1256430057.286:805): operation="open" pid=13048 parent=1 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/media/d_drive/home/paul/.icons/nuoveXT.2.2/icon-theme.cache"

It looks like you should add /media/d_drive/home/ to @{HOMEDIRS}.

Changed in apparmor (Ubuntu):
status: New → Won't Fix
tags: added: apparmor
ApathyFace (prosenfeld) wrote :

Ah, thank you -- I forgot that I had a weird home folder setup on this machine.

Jamie Strandboge (jdstrand) wrote :

In looking more closely at this, adjusting tunables will help with everything except access to ~/.themes. To get that to work, /etc/apparmor.d/abstractions/gnome needs to be adjusted to have:
  @{HOME}/.themes/ r,
  @{HOME}/.themes/** r,

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Won't Fix → Triaged
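
An added example, not code from the bug report or the AppArmor project, of the two-stage diagnosis in the comments above: it parses a denial line like the one quoted and reports whether the path lies outside every @{HOMEDIRS} base (the tunable needs another base) or inside one (a rule is missing from the profile or an abstraction). The function names, the '/home/' heuristic and the one-level @{HOME} expansion are assumptions made for the example.

```python
import re

# Constructed sample input: the denial line quoted in the comment above.
SAMPLE = (
    'Oct 24 20:20:57 conundrum kernel: [14551.485942] type=1503 '
    'audit(1256430057.286:805): operation="open" pid=13048 parent=1 '
    'profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" '
    'fsuid=1000 ouid=1000 '
    'name="/media/d_drive/home/paul/.icons/nuoveXT.2.2/icon-theme.cache"'
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def home_of(path, homedirs):
    """Return the @{HOME} directory containing path, or None.

    Assumption: @{HOME} is one directory level below each @{HOMEDIRS} base.
    """
    for base in homedirs:
        base = base.rstrip('/') + '/'
        if path.startswith(base):
            user, sep, _ = path[len(base):].partition('/')
            if user and sep:
                return base + user + '/'
    return None

def suggest_homedir(path, marker='/home/'):
    """Heuristic (hypothetical): propose the prefix ending in '/home/'."""
    idx = path.find(marker)
    return path[:idx + len(marker)] if idx >= 0 else None

def triage(line, homedirs=('/home/',)):
    """Classify a denial as a tunables problem or a missing profile rule."""
    path = parse_denial(line)['name']
    home = home_of(path, homedirs)
    if home is None:
        # Path is outside every configured base: @{HOME} rules cannot match.
        return ('tunable', suggest_homedir(path))
    # Path is under a known home: no rule in the profile or its
    # abstractions covers it, so report it relative to @{HOME}.
    return ('profile', '@{HOME}/' + path[len(home):])

if __name__ == '__main__':
    print(triage(SAMPLE))
    print(triage(SAMPLE, ('/home/', '/media/d_drive/home/')))
```
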
ApathyFace (prosenfeld) wrote :

I just double checked and after changing the home directory in tunables, all apparmor messages relating to evince have stopped. I don't appear to have any trouble with ~/.themes

Jamie Strandboge (jdstrand) wrote :

SRU REQUEST

1. gnome abstraction does not allow access to themes. Fix is trivial.

2. The fix is not in Lucid yet

3. The fix is to adjust profiles/apparmor.d/abstractions/gnome:
  @{HOME}/.themes/ r,
  @{HOME}/.themes/** r,

4. I don't have a test case. The problem was identified in the user's dmesg and it is clear that it could be an issue for some users down the line.

5. The regression potential is very low. We only allow access to files that we didn't previously have access to.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Committed
Changed in apparmor (Ubuntu Karmic):
status: New → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Uploaded apparmor_2.3.1+1403-0ubuntu27.1 to karmic-proposed.

Martin Pitt (pitti) wrote : Please test proposed package

Accepted apparmor into karmic-proposed; the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu28

---------------
apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low

  [ Jamie Strandboge ]
  * update skype profile in extras. Based on work by Андрей Калинин.
    (LP: #226624)
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 11:02:27 -0600

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Installed 2.3.1+1403-0ubuntu27.1 from -proposed, and there were no regressions.

Martin Pitt (pitti) wrote :

I have run the new apparmor for two days without noticing regressions or violations. I tested evince with a few PDF files and they work fine.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.1

---------------
apparmor (2.3.1+1403-0ubuntu27.1) karmic-proposed; urgency=low

  [ Jamie Strandboge ]
  * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
  * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
    epiphany-webkit were already present, but the recent changes in
    epiphany packaging require /usr/bin/epiphany) (LP: #472952)
  * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
  * abstractions/gnome: allow access to ~/.themes (LP: #460125)
  * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
    (LP: #447006)

  [ Marc Deslauriers ]
  * utils/Subdomain.pm: don't skip reading profiles that are also in the
    cache directory (LP: #446449)
  * utils/Subdomain.pm: correctly parse PUxr modes
  * utils/Subdomain.pm: support include directories

 -- Jamie Strandboge <email address hidden> Tue, 03 Nov 2009 14:30:19 -0600

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Fix Released