Bug#807880: apparmor-profiles-extra: AppArmor profile prevents evince from starting under wayland

2016-06-24 Thread intrigeri
Control: reassign -1 apparmor
Control: retitle -1 Missing/incomplete abstractions for starting Evince under Wayland
Control: affects -1 + evince
Control: notfound -1 apparmor-profiles-extra/1.6
Control: found -1 apparmor/2.10.95-2

The evince profile moved to the evince package, so that's not an
apparmor-profiles-extra bug anymore. Still, IMO this should be
resolved in an abstraction, not in the evince profile itself, so
reassigning to the apparmor package, which ships the most
common abstractions.



Bug#807880: apparmor-profiles-extra: AppArmor profile prevents evince from starting under wayland

2015-12-14 Thread intrigeri
Control: severity -1 minor

Hi,

> +  owner /{,var/}run/user/*/weston-shared-* rw,

Thanks for your report!

I personally won't be leading a resolution of this bug short term, so
here are a few hints for anyone interested:

 * I doubt that Evince is the only piece of software that'll need such
   permissions, so likely there's room for a wayland abstraction.
   Not sure where exactly it should go, perhaps in the main AppArmor
   package just like the X abstraction. Next step is to start
   a discussion on the AppArmor mailing-list about it, IMO.

 * The path component after /run/user could be a bit more restrictive,
   with e.g. [0-9]* (I know, this is not used consistently across all
   profiles we ship).

Cheers!



Bug#807880: apparmor-profiles-extra: AppArmor profile prevents evince from starting under wayland

2015-12-13 Thread Kjö Hansi Glaz
Package: apparmor-profiles-extra
Version: 1.6
Severity: normal

Dear Maintainer,

   * What led up to the situation?

1) Install and enable the evince AppArmor profile shipped in
   apparmor-profiles-extra
2) Use GNOME wayland

   * What exactly did you do (or not do) that was effective (or ineffective)?

Launch evince.

   * What was the outcome of this action?

The following line in system journal:

kernel: audit: type=1400 audit(1450058045.992:347): apparmor="DENIED" operation="mknod" profile="/usr/bin/evince" name="/run/user/1000/weston-shared-BEqtJs" pid=32238 comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

   * What outcome did you expect instead?

evince to show up!

The following patch solves the issue for me:

diff --git a/apparmor.d/usr.bin.evince b/apparmor.d/usr.bin.evince
index d77fb3b..8e93137 100644
--- a/apparmor.d/usr.bin.evince
+++ b/apparmor.d/usr.bin.evince
@@ -109,6 +109,8 @@
   # evince creates a temporary stream file like '.goutputstream-XX' in the
   # directory a file is saved. This allows that behavior.
   owner /**/.goutputstream-* w,
+
+  owner /{,var/}run/user/*/weston-shared-* rw,
 }
 
 /usr/bin/evince-previewer {
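Review bot: the `/run/user/*/` component of the added rule is wider than the denial needs; the denied name is `/run/user/1000/weston-shared-BEqtJs`, so `owner /{,var/}run/user/[0-9]*/weston-shared-* rw,` keeps the rule to per-uid runtime directories while staying in the `{,var/}run/user/` style this profile already uses for dconf and at-spi2. Two smaller points: the neighbouring rules in this block each carry a comment explaining why they exist, so a one-line comment (Wayland/Weston shared-memory files) before the new rule would match the file's convention; and the journal only shows the create step (operation="mknod", denied_mask="c"), which `w` alone covers, so it is worth confirming in complain mode that no further denials appear before settling on `rw`. Since the file is created by any Wayland client rather than by something Evince-specific, the rule is a candidate for a shared abstraction rather than a line in usr.bin.evince.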

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.10-2+b1

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.bin.evince changed:
/usr/bin/evince {
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include 
  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include 
  ##include 
  /usr/bin/evince rmPx,
  /usr/bin/evince-previewer Px,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,
  # 'Show Containing Folder' (LP: #1022962)
  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
  /usr/bin/krusader Cx -> sanitized_helper, # KDE
  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE
  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,
  # For text attachments
  /usr/bin/gedit ixr,
  # For Send to
  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
  # allow directory listings (ie 'r' on directories) so browsing via the file
  # dialog works
  / r,
  /**/ r,
  # This is need for saving files in your home directory without an extension.
  # Changing this to '@{HOME}/** r' makes it require an extension and more
  # secure (but with 'rw', we still have abstractions/private-files-strict in
  # effect).
  owner @{HOME}/** rw,
  owner /media/**  rw,
  owner @{HOME}/.local/share/gvfs-metadata/** l,
  owner /{,var/}run/user/*/gvfs-metadata/** l,
  owner @{HOME}/.gnome2/evince/*   rwl,
  owner @{HOME}/.gnome2/accels/ rw,
  owner @{HOME}/.gnome2/accelsevince   rw,
  owner @{HOME}/.gnome2/accels/evince  rw,
  # Maybe add to an abstraction?
  /etc/dconf/**   r,
  owner @{HOME}/.cache/dconf/user rw,
  owner @{HOME}/.config/dconf/user r,
  owner /{,var/}run/user/*/dconf/ w,
  owner /{,var/}run/user/*/dconf/user rw,
  owner /{,var/}run/user/*/dconf-service/keyfile/ w,
  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
  owner /{,var/}run/user/*/at-spi2-*/   rw,
  owner /{,var/}run/user/*/at-spi2-*/** rw,
  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read and write for all supported file formats
  /**.[bB][mM][pP] rw,
  /**.[dD][jJ][vV][uU] rw,
  /**.[dD][vV][iI] rw,
  /**.[gG][iI][fF] rw,
  /**.[jJ][pP][gG] rw,
  /**.[jJ][pP][eE][gG] rw,
  /**.[oO][dD][pP] rw,
  /**.[fFpP][dD][fF]   rw,
  /**.[pP][nN][mM] rw,
  /**.[pP][nN][gG] rw,
  /**.[pP][sS] rw,
  /**.[eE][pP][sS] rw,
  /**.[tT][iI][fF] rw,
  /**.[tT][iI][fF][fF] rw,
  /**.[xX][pP][mM] rw,
  /**.[gG][zZ] rw,
  /**.[bB][zZ]2 rw,
  /**.[cC][bB][rRzZ7]  rw,
  /**.[xX][zZ] rw,
  # evince creates a temporary stream file like '.goutputstream-XX' in the
  # directory a file is saved. This allows that behavior.
  owner
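As an added example (not part of the bug report and not the AppArmor project's own tooling), the script below turns the DENIED journal line quoted in the report into a profile rule along the lines of intrigeri's hints: the uid component under /run/user/ becomes [0-9]*, the random suffix becomes a glob, denials for the same generalized path are merged, and 'owner' is kept when fsuid equals ouid. The second journal line is constructed for illustration, and the path-generalization rules and the mask-to-permission table are my assumptions, not something the page states.

```python
import re
from collections import defaultdict

# key="value" and key=value pairs as they appear in AppArmor audit messages.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters -> permission letter in a profile file rule. The "c"
# (create) seen in the report's mknod denial is granted by "w" in a rule.
_MASK_TO_PERM = {"c": "w", "w": "w", "r": "r", "a": "a", "m": "m", "k": "k", "l": "l"}

# The denial quoted in the bug report, plus one CONSTRUCTED follow-up line
# (not from the report) standing in for the read side of the same shm file.
SAMPLE_JOURNAL = [
    'kernel: audit: type=1400 audit(1450058045.992:347): apparmor="DENIED" '
    'operation="mknod" profile="/usr/bin/evince" '
    'name="/run/user/1000/weston-shared-BEqtJs" pid=32238 comm="evince" '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'kernel: audit: type=1400 audit(1450058046.104:348): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/evince" '
    'name="/run/user/1000/weston-shared-BEqtJs" pid=32238 comm="evince" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

def parse_denial(line):
    """Return the fields of one apparmor="DENIED" file denial, else None."""
    f = {k: q or u for k, q, u in _FIELD.findall(line)}
    return f if f.get("apparmor") == "DENIED" and "name" in f and "denied_mask" in f else None

def generalize_path(path):
    """Turn a concrete denied path into a profile glob: the uid directory
    under /run/user/ becomes [0-9]* and a random 6-char suffix becomes *."""
    path = re.sub(r"^/(var/)?run/user/\d+/", "/{,var/}run/user/[0-9]*/", path)
    return re.sub(r"-[A-Za-z0-9]{6}$", "-*", path)

def suggest_rules(lines):
    """Merge denied permissions per generalized path and emit one file rule
    each, prefixed with 'owner' when every denial had fsuid == ouid."""
    perms, owned = defaultdict(set), {}
    for f in filter(None, map(parse_denial, lines)):
        glob = generalize_path(f["name"])
        perms[glob].update(_MASK_TO_PERM[c] for c in f["denied_mask"] if c in _MASK_TO_PERM)
        owned[glob] = owned.get(glob, True) and f.get("fsuid") == f.get("ouid")
    rules = []
    for glob in sorted(perms):
        p = "".join(c for c in "rwamlk" if c in perms[glob])
        rules.append(("owner " if owned[glob] else "") + f"{glob} {p},")
    return rules
```

Run on the report's single line it proposes `owner /{,var/}run/user/[0-9]*/weston-shared-* w,`; with the constructed read denial merged in it arrives at the `rw` rule from the patch, but with the tighter uid glob.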