Other suffixes are affected besides .pdf. I've just spotted some incidents in my logs involving denied read attempts on .epsi, .ps2 and suffixless application/postscript files. Since .epsi is listed as valid in /etc/mime.types I've now added the following to /etc/apparmor.d/local/usr.bin.evince and verified that it allowed .epsi files to be opened:
/**.[eE][pP][sS][fFiI23] rw, However, one could argue that file types can and should be detected based on the file's content, not on its name. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1330430 Title: apparmor profile needs review/improvement Status in “evince” package in Ubuntu: Confirmed Bug description: Apparmor rules for evince forbid opening a PDF from an external drive mounted under /media/… unless its filename ends in '.pdf'. Same file will be opened if it is copied to /home/… or renamed to a filename tailing in '.pdf' on the external drive. See bugs #1096837 and #1327161. On a GNU/Linux system like Ubuntu these rules are useless because filetype is not determined by an extension. Checking the filename adds no security. It smells like snakeoil to me. Please review the apparmor profile. On an GNU/Linux system opening a PDF should not denied on filename. This bug affects Ubuntu versions 14.04 LTS, 12.04 LTS and 10.04 LTS. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1330430/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
