control: clone -1
control: retitle -1 AppArmor: profile doesn't allow to access Acrobat Reader
control: tags -1 user thunderb...@packages.debian.org
control: usertags -1 tb-apparmor
Hello Francois
On Thu, Jan 11, 2018 at 08:29:50PM +0100, Francois Mescam wrote:
...
> > > In the log when I try to open a pdf I have this message :
> > >
> > > Jan 11 10:47:46 eiffel6 kernel: [40296.963168] audit: type=1400
> > > audit(1515664066.510:296): apparmor="DENIED" operation="exec"
> > > profile="thunderbird" name="/usr/bin/acroread" pid=12815
> > > comm="thunderbird"
> > > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> > >
> > > After I do
> > >
> > > aa-disable /etc/apparmor.d/usr.bin.thunderbird
> > >
> > > acroread is launched correctly.
> > >
> > > I observe this problem on a laptop running debian testing up to date.
> > you don't have written which version you use, testing has 52.4.0-1
> > unstable is on 52.5.2-2 and especially the apparmor stuff has changed
> > significantly between both versions.
> I use version 52.4.0-1
then your added information isn't really relevant for the reported
issue as the profile currently seems to not allow the usage of
/usr/bin/acroread. I cloned the report into a new issue to track this
separately.
You can try to add a line for the Acrobat Reader into the profile. But
this is blind shot from me, acroread will requesting probably further
files.
diff --git a/debian/apparmor/usr.bin.thunderbird
b/debian/apparmor/usr.bin.thunderbird
index d1f4098c75..6744f4e058 100644
--- a/debian/apparmor/usr.bin.thunderbird
+++ b/debian/apparmor/usr.bin.thunderbird
@@ -198,6 +198,8 @@ profile thunderbird @{thunderbird_executable} {
/{usr/,}bin/ps Uxr,
/{usr/,}bin/uname Uxr,
/usr/bin/locale Uxr,
+ # may work for Adobe Acrobat
+ /usr/bin/acroread Uxr,
/usr/bin/gpg Cx -> gpg,
/usr/bin/gpg2 Cx -> gpg,
Regards
Carsten
