On 11/21/2017 10:44 AM, John Johansen wrote:
> On 11/21/2017 08:58 AM, Shuah Khan wrote:
>> Hi John,
>>
>> I am seeing the following on my laptop. Unfortunately this is my primary
>> system and my ability to bisect might be a bit limited. The system is
>> running
>>
>> 4.14.0+ #4 SMP Tue Nov 14 19:25:58 MST 2017 x86_64 x86_64 x86_64 GNU/Linux
>>
>> on Ubuntu 17.10 base.
>>
>> Is this a known issue? Please see the dmesg excerpts below:
>>
> It's not. I'll start looking into it today
>
> Do you have any other information that you can send to me?
>
> Any particular task/work load that triggers this?
> Can you tar up your /etc/apparmor.d/ and send that to me?
>
Yeah. I forgot to mention that detail :) I first noticed it when I tried starting "/usr/bin/evince". evince doesn't start and runs into this error. Happens every time evince is invoked. I tried evince again. xournal works just fine. xournal doesn't have usr.bin.*file* for it anyway, so that doesn't matter I would think.

Attached /etc/apparmor.d/usr.bin.evince

thanks,
-- Shuah
# vim:syntax=apparmor
# Author: Kees Cook <k...@canonical.com>
#         Jamie Strandboge <ja...@canonical.com>
#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>

  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include <abstractions/ubuntu-gnome-terminal>

  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>
  ##include <abstractions/ubuntu-konsole>

  /usr/bin/evince rmPx,
  /usr/bin/evince-previewer Px,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,

  # 'Show Containing Folder' (LP: #1022962)
  /usr/bin/nautilus Cx -> sanitized_helper,  # Gnome
  /usr/bin/pcmanfm Cx -> sanitized_helper,   # LXDE
  /usr/bin/krusader Cx -> sanitized_helper,  # KDE
  /usr/bin/thunar Cx -> sanitized_helper,    # XFCE

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

  # For text attachments
  /usr/bin/gedit ixr,

  # For Send to
  /usr/bin/nautilus-sendto Cx -> sanitized_helper,

  # allow directory listings (ie 'r' on directories) so browsing via the file
  # dialog works
  / r,
  /**/ r,

  # This is needed for saving files in your home directory without an extension.
  # Changing this to '@{HOME}/** r' makes it require an extension and more
  # secure (but with 'rw', we still have abstractions/private-files-strict in
  # effect).
  owner @{HOME}/** rw,
  owner /media/** rw,
  owner @{HOME}/.local/share/gvfs-metadata/** l,
  owner /{,var/}run/user/*/gvfs-metadata/** l,
  owner @{HOME}/.gnome2/evince/* rwl,
  owner @{HOME}/.gnome2/accels/ rw,
  owner @{HOME}/.gnome2/accelsevince rw,
  owner @{HOME}/.gnome2/accels/evince rw,

  # Maybe add to an abstraction?
  /etc/dconf/** r,
  owner @{HOME}/.cache/dconf/user rw,
  owner @{HOME}/.config/dconf/user r,
  owner /{,var/}run/user/*/dconf/ w,
  owner /{,var/}run/user/*/dconf/user rw,
  owner /{,var/}run/user/*/dconf-service/keyfile/ w,
  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
  owner /{,var/}run/user/*/at-spi2-*/ rw,
  owner /{,var/}run/user/*/at-spi2-*/** rw,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read and write for all supported file formats
  /**.[bB][mM][pP] rw,
  /**.[dD][jJ][vV][uU] rw,
  /**.[dD][vV][iI] rw,
  /**.[gG][iI][fF] rw,
  /**.[jJ][pP][gG] rw,
  /**.[jJ][pP][eE][gG] rw,
  /**.[oO][dD][pP] rw,
  /**.[fFpP][dD][fF] rw,
  /**.[pP][nN][mM] rw,
  /**.[pP][nN][gG] rw,
  /**.[pP][sS] rw,
  /**.[eE][pP][sS] rw,
  /**.[tT][iI][fF] rw,
  /**.[tT][iI][fF][fF] rw,
  /**.[xX][pP][mM] rw,
  /**.[gG][zZ] rw,
  /**.[bB][zZ]2 rw,
  /**.[cC][bB][rRzZ7] rw,
  /**.[xX][zZ] rw,

  # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
  # directory a file is saved. This allows that behavior.
  owner /**/.goutputstream-* w,
}

/usr/bin/evince-previewer {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-strict>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>

  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include <abstractions/ubuntu-gnome-terminal>

  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>

  /usr/bin/evince-previewer mr,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect). Write is needed for 'print to file' from the previewer.
  @{HOME}/ r,
  @{HOME}/** rw,

  # Maybe add to an abstraction?
  owner /{,var/}run/user/*/dconf/ w,
  owner /{,var/}run/user/*/dconf/user rw,
}

/usr/bin/evince-thumbnailer {
  #include <abstractions/dbus-session>
  #include <abstractions/evince>

  # The thumbnailer doesn't need access to everything in the nameservice
  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
  # logging denial of nsswitch.conf.
  /etc/passwd r,
  /etc/group r,
  deny /etc/nsswitch.conf r,

  # TCP/UDP network access for NFS
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  /usr/bin/evince-thumbnailer mr,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect).
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/** rw,
}
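The attached profile's comments make two points that are easy to misread: that `owner @{HOME}/** rw` is what lets evince save a file with no extension (tightening it to `r` leaves only the per-extension `/**.[pP][dD][fF] rw` style rules for writes), and that `deny /etc/nsswitch.conf r` silences a denial even though a wider allow rule would otherwise cover the file. The Python below is an added example, not part of this thread or of the AppArmor project, that models how AppArmor combines file rules so those two effects can be checked on sample paths. It goes beyond the evince case by handling any set of file rules in the `[deny] [owner] <glob> <perms>` form. Assumptions: `@{HOME}` is hard-coded to a constructed value, the glob translation (`*` within one component, `**` across components, `[...]`, `{a,b}`) is a simplified model rather than the parser's exact automaton, and the sample rule set is a constructed subset of the posted profile plus one wider `/etc/** r` rule that the profile does not contain, added so the deny rule has something to override.

```python
import re
from collections import namedtuple

# Constructed value for the @{HOME} tunable; a real load resolves it from
# tunables/home, so this is an assumption of the example only.
HOME = "/home/shuah"

Rule = namedtuple("Rule", "deny owner path perms")

# Constructed sample: a subset of the file rules from the posted
# usr.bin.evince profile, plus one wider '/etc/** r' rule that is NOT in
# the profile, added so the deny rule has an allow rule to override.
SAMPLE_PROFILE = """
/usr/bin/evince rmPx,
/usr/bin/nautilus Cx -> sanitized_helper,
/ r,
/**/ r,
owner @{HOME}/** rw,
owner /media/** rw,
owner /{,var/}run/user/*/dconf/ w,
owner /{,var/}run/user/*/dconf/user rw,
/**.[fFpP][dD][fF] rw,
/**.[cC][bB][rRzZ7] rw,
owner /**/.goutputstream-* w,
/etc/** r,
/etc/passwd r,
deny /etc/nsswitch.conf r,
"""


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into a regex (simplified model).

    '*' matches within one path component, '**' may cross '/', '?' is one
    non-'/' character, '[...]' is a character class and '{a,b}' is an
    alternation of literal alternatives.
    """
    pattern = pattern.replace("@{HOME}", HOME)
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Parse '[deny] [owner] <glob> <perms>[ -> target],' file rules.

    Comments, blank lines and profile braces are skipped; #include, network
    and other rule types are out of scope for this model.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        tokens = line.rstrip(",").split()
        deny = tokens[0] == "deny"
        if deny:
            tokens.pop(0)
        owner = tokens[0] == "owner"
        if owner:
            tokens.pop(0)
        # tokens[2:] would carry '-> target' for exec rules; not needed here
        rules.append(Rule(deny, owner, tokens[0], tokens[1]))
    return rules


def check(rules, path, perm, is_owner=True):
    """Decide whether one permission letter 'perm' on 'path' is allowed.

    Permissions from every matching allow rule accumulate; a matching deny
    rule removes the permissions it names and wins; 'owner' rules apply only
    when the accessing process's fsuid owns the file.
    """
    allowed, denied = set(), set()
    for r in rules:
        if r.owner and not is_owner:
            continue
        if glob_to_regex(r.path).match(path):
            (denied if r.deny else allowed).update(r.perms)
    return perm in allowed and perm not in denied


def tighten_home_rule(rules):
    """Apply the change the profile comment describes: '@{HOME}/** rw' -> 'r'."""
    return [r._replace(perms="r") if r.path == "@{HOME}/**" else r for r in rules]


RULES = parse_profile(SAMPLE_PROFILE)
TIGHTENED = tighten_home_rule(RULES)

if __name__ == "__main__":
    for path, perm, owner in [("/home/shuah/notes", "w", True),
                              ("/home/shuah/notes", "w", False),
                              ("/home/shuah/notes.pdf", "w", True),
                              ("/etc/nsswitch.conf", "r", True)]:
        print(f"{perm} {path:24} owner={owner!s:5} "
              f"profile={check(RULES, path, perm, owner)!s:5} "
              f"tightened={check(TIGHTENED, path, perm, owner)}")
```

Running it shows the extension-less `/home/shuah/notes` is writable under the posted rule and read-only under the tightened one, while `notes.pdf` stays writable either way through the per-extension rule, and `/etc/nsswitch.conf` is refused despite the wider allow. When triaging a denial like the one in this thread, the same approach (match the denied path against the loaded rules, then look at which rule would have had to grant the permission) narrows the question to a specific rule or abstraction rather than the whole profile.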