Package: papers Version: 48.3-1 Severity: normal X-Debbugs-Cc: [email protected]
Dear Maintainer, While testing the “Sign Digitally” feature in GNOME Papers, I found that the signing process fails due to AppArmor blocking access to several paths required by NSS and by smartcard middleware. I reproduced the same issue on Ubuntu as well and documented it here: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2106133 The audit log shows consistent AppArmor denials such as: - ~/.pki/nssdb/cert9.db (file_lock) - ~/.mozilla/firefox/*/cert9.db (read) - /run/pcscd/pcscd.comm (connect) - /sys/devices/... (open) After testing, I confirmed that extending the AppArmor profile resolves the issue and restores the digital-signature functionality. Adding the following rules to `/etc/apparmor.d/usr.bin.papers` fixes the problem: owner @{HOME}/.pki/** lrk, /sys/devices/** r, /run/pcscd/pcscd.comm rw, If possible, please consider adjusting the AppArmor file in Debian so that GNOME Papers can access the necessary NSS and smartcard paths by default. This is the file in the repository: https://salsa.debian.org/gnome-team/papers/-/blob/debian/latest/debian/apparmor-profile These are the messages in my journalctl: -------------------- Apr 02 23:23:23 desktop kernel: audit: type=1400 audit(1743647003.486:12599): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/papers" name="/home/cristiano/.pki/nssdb/cert9.db" pid=811514 comm="papers" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 Apr 02 23:25:37 desktop kernel: audit: type=1400 audit(1743647137.429:12896): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/papers" name="/home/cristiano/.pki> Apr 02 23:31:26 desktop kernel: audit: type=1400 audit(1743647486.460:13357): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/papers" name="/sys/devices/pci0000:00/0> Apr 02 23:33:49 desktop kernel: audit: type=1400 audit(1743647629.944:13632): apparmor="DENIED" operation="connect" class="file" profile="/usr/bin/papers" name="/run/pcscd/pcscd.comm"> -------------------- Best regards, Cristiano Fraga G. Nunes -- System Information: Debian Release: 13.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.12.48+deb13-amd64 (SMP w/12 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages papers depends on: ii dconf-gsettings-backend [gsettings-backend] 0.40.0-5 ii gsettings-desktop-schemas 48.0-1 ii libadwaita-1-0 1.7.6-1~deb13u1 ii libc6 2.41-12 ii libgcc-s1 14.2.0-19 ii libgdk-pixbuf-2.0-0 2.42.12+dfsg-4 ii libglib2.0-0t64 2.84.4-3~deb13u1 ii libgraphene-1.0-0 1.10.8-5 ii libgtk-4-1 4.18.6+ds-2 ii libnautilus-extension4 48.3-2 ii libpango-1.0-0 1.56.3-1 ii libppsdocument-4.0-5 48.3-1 ii libppsview-4.0-4 48.3-1 ii papers-common 48.3-1 ii shared-mime-info 2.4-5+b2 papers recommends no packages. Versions of packages papers suggests: ii gvfs 1.57.2-2 pn nautilus-sendto <none> ii poppler-data 0.4.12-1 pn unrar <none> -- no debconf information
