[Bug 1330430] Re: apparmor profile needs review/improvement
Other suffixes are affected besides .pdf. I've just spotted some incidents in my logs involving denied read attempts on .epsi, .ps2 and suffixless application/postscript files. Since .epsi is listed as valid in /etc/mime.types I've now added the following to /etc/apparmor.d/local/usr.bin.evince and verified that it allowed .epsi files to be opened: /**.[eE][pP][sS][fFiI23] rw, However, one could argue that file types can and should be detected based on the file's content, not on its name. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1330430 Title: apparmor profile needs review/improvement To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1330430/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1344810] [NEW] etc/apparmor.d/usr.bin.evince should allow /run/user/*/gvfs-metadata/**
Public bug reported:
/etc/apparmor.d/usr.bin.evince has a line
@{HOME}/.local/share/gvfs-metadata/** l,
However, it is possible (seen on trusty) for session state files to be stored
under /run/user/uid/ instead of ~/.local/share/ . Please consider adding
owner /run/user/*/gvfs-metadata/** l,
to the apparmor profile.
Moreover (but this may be worth discussing and tracking separately) I've
seen evince being denied r access to gvfs-
metadata/home-[[:xdigit:]]+.log . I'm not sure what it needs that access
for, but maybe there is a legitimate need?
** Affects: evince (Ubuntu)
Importance: Undecided
Status: New
** Tags: apparmor
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1344810
Title:
etc/apparmor.d/usr.bin.evince should allow /run/user/*/gvfs-
metadata/**
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1344810/+subscriptions
--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
Re: [Bug 1229066] Re: evince-thumbnailer can't run mktexpk
* Sebastien Bacher [2014-01-08 16:57:52 -]: Thanks for your bug report. Could you add an example for such dvi file? I cen try and construct one that reproduces the issue on my system, but there is no guarantee that the same choice of font will reproduce the problem somewhere else: that depends on the history of the individual system (specifically, on whether the pk files for the font in question have already been generated and cached). That would make easier to reproduce/debug the issue With texlive-fonts-extra installed, try the following. If you happen to have used font t2c-iwonami in the past, try with a different font. Note the Permission denied errors when running evince, and the decision to substitute a (very) different font for the one that was requested. $ tex testfont This is TeX, Version 3.1415926 (TeX Live 2009/Debian) (/usr/share/texmf-texlive/tex/plain/base/testfont.tex Name of the font to test = t2c-iwonami Now type a test command (\help for help):) *\table *\bye [1] Output written on testfont.dvi (1 page, 9320 bytes). Transcript written on testfont.log. $ evince testfont.dvi kpathsea: Running mktexpk --mfmode / --bdpi 600 --mag 1+0/600 --dpi 600 t2c-iwonami /usr/bin/mktexpk: 1: /usr/bin/mktexpk: /usr/share/texmf/web2c/mktexnam: Permission denied mktexpk: / already exists. /usr/bin/mktexpk: 210: /usr/bin/mktexpk: /usr/share/texmf/web2c/mktexupd: Permission denied kpathsea: Appending font creation commands to missfont.log. page: Warning: font `t2c-iwonami' at 600x600 not found, trying `cmr10' instead Running the above resulted in the following dmesg entries: [ 2112.341075] type=1400 audit(1389252767.990:36): apparmor=DENIED operation=exec parent=3320 profile=/usr/bin/evince//sanitized_helper name=/usr/share/texmf/web2c/mktexnam pid=3342 comm=mktexpk requested_mask=x denied_mask=x fsuid=1000 ouid=0 [ 2112.475442] type=1400 audit(1389252768.122:37): apparmor=DENIED operation=exec parent=3320 profile=/usr/bin/evince//sanitized_helper name=/usr/share/texmf/web2c/mktexupd pid=3347 comm=mktexpk requested_mask=x denied_mask=x fsuid=1000 ouid=0 The problem goes away if one runs the command that was saved in ~/missfont.log and runs evince again on the same .dvi file. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1229066 Title: evince-thumbnailer can't run mktexpk To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1229066/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1229066] [NEW] evince-thumbnailer can't run mktexpk
Public bug reported: On Ubuntu 12.04, when running /usr/bin/evince-thumbnailer on a .dvi file that references a font for which there is no PK file on the system yet, AppArmor blocks the execution of /usr/share/texmf/web2c/mktexnam etc. Here are sample audit log messages: [ 5720.378549] type=1400 audit(1379921624.784:28): apparmor=DENIED operation=exec parent=6181 profile=/usr/bin/evince-thumbnailer//sanitized_helper name=/usr/share/texmf/web2c/mktexnam pid=6204 comm=mktexpk requested_mask=x denied_mask=x fsuid=1000 ouid=0 [ 5720.384833] type=1400 audit(1379921624.788:29): apparmor=DENIED operation=exec parent=6181 profile=/usr/bin/evince-thumbnailer//sanitized_helper name=/usr/share/texmf/web2c/mktexupd pid=6209 comm=mktexpk requested_mask=x denied_mask=x fsuid=1000 ouid=0 I suspect this is because the sanitized_helper profile in /etc/apparmor.d/abstractions/ubuntu-helpers only covers /bin, /sbin, /usr/bin and /usr/sbin, not /usr/share/texmf/web2c . I'm not sure whether this bug should be filed against apparmor, evince or texlive-binaries; I can think of at least three ways of addressing the issue: 1) add /usr/share/texmf/web2c/* Pixr to the sanitized_helper profile; 2) modify the profile for /usr/bin/evince-thumbnailer to use something other than sanitized_helper; 3) provide a separate AppArmor profile for the /usr/bin/mktexpk wrapper (and its siblings). ** Affects: evince (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1229066 Title: evince-thumbnailer can't run mktexpk To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1229066/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1020244] [NEW] gvfsd-http loops requesting the same page
Public bug reported: Seen on a lucid system: # pgrep -fl gvfs 2086 /usr/lib/gvfs/gvfsd 2093 /usr/lib/gvfs//gvfs-fuse-daemon /home/CENSORED/.gvfs 2116 /usr/lib/gvfs/gvfs-gdu-volume-monitor 2122 /usr/lib/gvfs/gvfsd-trash --spawner :1.7 /org/gtk/gvfs/exec_spaw/0 2124 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor 2126 /usr/lib/gvfs/gvfs-afc-volume-monitor 2159 /usr/lib/gvfs/gvfsd-metadata 2175 /usr/lib/gvfs/gvfsd-burn --spawner :1.7 /org/gtk/gvfs/exec_spaw/1 2500 /usr/lib/gvfs/gvfsd-http --spawner :1.7 /org/gtk/gvfs/exec_spaw/2 5282 /usr/lib/gvfs/gvfsd-computer --spawner :1.7 /org/gtk/gvfs/exec_spaw/3 20563 gdb /usr/lib/gvfs/gvfsd-http 2500 Until I attached gvfsd-http with the debugger, it was bombarding a web server with HTTP HEAD requests for the same URL at about 6 seconds' interval. (The web server responded in less than a second.) The requests were all using the same TCP connection, except when the server returned 503 Service Unavailable; then a new TCP connection was established and used. Here is the backtrace from gdb: 0x7f529f794543 in *__GI___poll (fds=value optimized out, nfds=value optimized out, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87 87 ../sysdeps/unix/sysv/linux/poll.c: No such file or directory. in ../sysdeps/unix/sysv/linux/poll.c (gdb) bt #0 0x7f529f794543 in *__GI___poll (fds=value optimized out, nfds=value optimized out, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87 #1 0x7f529fa7f4a9 in ?? () from /lib/libglib-2.0.so.0 #2 0x7f529fa7fc55 in g_main_loop_run () from /lib/libglib-2.0.so.0 #3 0x0040cbce in ?? () #4 0x0040ce5f in ?? () #5 0x7f529f6d8c4d in __libc_start_main (main=value optimized out, argc=value optimized out, ubp_av=value optimized out, init=value optimized out, fini=value optimized out, rtld_fini=value optimized out, stack_end=0x72d4e2a8) at libc-start.c:226 #6 0x00409299 in ?? () #7 0x72d4e2a8 in ?? () #8 0x001c in ?? () #9 0x0004 in ?? () #10 0x72d4ea83 in ?? () #11 0x72d4ea9c in ?? () #12 0x72d4eaa6 in ?? () #13 0x72d4eaab in ?? () #14 0x in ?? () ** Affects: gvfs (Ubuntu) Importance: Undecided Status: New ** Tags: lucid -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gvfs in Ubuntu. https://bugs.launchpad.net/bugs/1020244 Title: gvfsd-http loops requesting the same page To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1020244/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1020244] Re: gvfsd-http loops requesting the same page
** Attachment added: Output of apport-cli -f -p gvfs-backends https://bugs.launchpad.net/bugs/1020244/+attachment/3211178/+files/gvfs.apport -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gvfs in Ubuntu. https://bugs.launchpad.net/bugs/1020244 Title: gvfsd-http loops requesting the same page To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1020244/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 807507] Re: apparmor denies evince creating links in .local/share/gvfs-metadata
Also seen on lucid, at least when booted into a 2.6.38 kernel (from linux-image-generic-lts-backport-natty). -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/807507 Title: apparmor denies evince creating links in .local/share/gvfs-metadata To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/807507/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 81813] Re: ekiga hangs after x server restart
** Bug watch added: Debian Bug tracker #420132 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=420132 ** Also affects: ekiga (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=420132 Importance: Unknown Status: Unknown -- ekiga hangs after x server restart https://bugs.launchpad.net/bugs/81813 You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is a bug contact for ekiga in ubuntu. -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 81813] Re: ekiga hangs after x server restart
I believe I can reproduce this in Debian 4.0 (and in Ubuntu 6.06). I didn't have to actually zap my X server; just closing the ekiga window with Alt+F4 is enough to leave the instance running in the background. It will start spinning at 100% CPU after logout. -- ekiga hangs after x server restart https://bugs.launchpad.net/bugs/81813 You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is a bug contact for ekiga in ubuntu. -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
