Yeah, a Pix rule sounds good to me.
I was also briefly considering whether it would make sense to hard-code
a special case for evince to always use evince-previewer, since it's
bundled in the same project. But you probably wouldn't want to override
the system default just for one specific app?
On 24/07/2025 22:33, Christian Boltz wrote:
Hello,
On Thursday, 24 July 2025, 21:54, Simon McVittie wrote:
On Thu, 24 Jul 2025 at 20:45:28 +0200, Christian Boltz wrote:
we need a separate profile for papers-previewer
We already have one, in the papers package.
Even better :-)
/usr/bin/evince-previewer Px,
+ /usr/bin/papers-previewer Pix,
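Review bot: the `Pix` on the added `/usr/bin/papers-previewer` line means that when the papers-previewer profile is not loaded, the child keeps running under evince's own profile, so any denials it triggers are logged against evince and invite rules being added to the evince profile that only papers-previewer needs; `/usr/bin/papers-previewer Px,` (matching the existing evince-previewer line above it) would instead deny the transition when the target profile is missing, which is a visible failure rather than a silent widening of confinement. The case where papers is not installed at all is the same under either rule: the exec fails with ENOENT before any profile transition, and evince's fallback to evince-previewer takes over.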
A Px rule (without the ix fallback) would be better.
Would that load successfully, but gracefully decline to run
/usr/bin/papers-previewer (which in practice would not exist), if the
papers package isn't installed?
Right, the profile will load successfully.
If evince tries to execute papers-previewer, and that profile isn't
loaded, the exec will be denied and audit.log will log the denial with
something like "target profile doesn't exist".
I thought that falling back to "same access to things that evince
would already have had" would be less bad than falling back to "can't
run at all". Running arbitrary code with "ix" is no worse for
hardening purposes than the same code being in-process, after all...
I get your theory.
In practice, it depends - does the target profile grant more or less
permissions than the current profile?
(There's also the risk that denials will be reported for the "wrong"
profile if the ix fallback gets used, so the evince profile might get
permissions added that are only needed for papers-previewer.)
evince needs to work normally if papers is not installed, in which
case print preview should get ENOENT when attempting to run
papers-previewer, and fall back to evince-previewer, the same as it
would do in the absence of AppArmor.
As long as "papers-previewer is installed" also means "the AppArmor
profile for papers-previewer is loaded", everything should work as you
expect.
Regards,
Christian Boltz
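As an added illustration of the two options discussed above (this is not the evince or papers packaging's own profile; the profile name and the surrounding rules are assumed), the weak and the preferred rule side by side with the failure modes each one produces:

```apparmor
# Added illustration, not from the Debian evince/papers packaging.
# The profile header and everything except the two previewer rules
# are assumed for the sake of the example.
profile evince /usr/bin/evince {
  # (the rest of evince's rules are assumed here)

  # Existing rule: transition to the evince-previewer profile.
  /usr/bin/evince-previewer Px,

  # Weak alternative (Pix = Px with an ix fallback):
  #   - papers-previewer profile loaded  -> normal transition
  #   - papers-previewer profile missing -> the previewer inherits
  #     this evince profile, runs with evince's permissions, and its
  #     denials are logged as profile="evince", so the evince profile
  #     tends to accumulate rules that only papers-previewer needs.
  # /usr/bin/papers-previewer Pix,

  # Preferred rule (Px, no fallback):
  #   - papers not installed at all      -> exec fails with ENOENT
  #     before any transition; evince falls back to evince-previewer
  #     exactly as it would without AppArmor.
  #   - papers installed, profile missing -> exec is denied and
  #     audit.log records that the target profile does not exist,
  #     a visible failure instead of silently widened confinement.
  #   - papers installed, profile loaded  -> normal transition into
  #     the papers-previewer profile shipped by the papers package.
  /usr/bin/papers-previewer Px,
}
```

The Px rule loads fine whether or not /usr/bin/papers-previewer exists on the system; only an actual exec attempt is affected.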