This is going to be a bit tricky.

The intent of the AppArmor confinement we do is to leave /usr/bin/man
itself mostly unconfined, but apply rather stricter confinement to
groff-related subprocesses and decompression filters.  It's easy enough
to allow /usr/bin/man itself to read from the network (although it seems
unfortunate that network filesystems require this; that ought to be an
implementation detail).  However, at the moment we have to allow
decompression filters to have filesystem read access because AppArmor
revalidates inherited file descriptors (which also seems an unfortunate
behaviour to me), and I really don't want to grant decompressors the
ability to talk to the network.

What I think we need to do is to launder the input data through the
internal equivalent of a "cat" pipe before sending it to the
decompressor, just to stop AppArmor from doing its annoying revalidation
thing (ideally we'd only do this if AppArmor confinement is in effect,
but that's an optimisation and isn't required).  It would then be
possible to tweak the /usr/bin/man profile and fix this bug.

** Changed in: man-db (Ubuntu)
       Status: New => Triaged

** Changed in: man-db (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1773223

Title:
  man -l local-file fails with Access Denied

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1773223/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
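
The laundering step proposed in the message above, as an added example (not man-db's code and not part of the original message): a forked copier plays the internal "cat", so the filter's stdin is a pipe rather than a descriptor for the file it would otherwise inherit. The names `launder_fd` and `run_filter` are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L  /* added example, not man-db code; names are illustrative */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Internal "cat": fork a copier that reads src and writes it into a pipe.
 * Returns the pipe's read end and stores the copier's pid, or -1 on error. */
int launder_fd(int src, pid_t *copier)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    if ((*copier = fork()) < 0) { close(p[0]); close(p[1]); return -1; }
    if (*copier == 0) {            /* fork only, no exec: same confinement as the caller */
        char buf[4096];
        ssize_t n;
        close(p[0]);
        while ((n = read(src, buf, sizeof buf)) > 0)
            for (ssize_t off = 0, w; off < n; off += w)
                if ((w = write(p[1], buf + off, (size_t)(n - off))) < 0)
                    _exit(1);      /* includes EPIPE when the filter exits early */
        _exit(n < 0);
    }
    close(p[1]);
    return p[0];
}

/* Run argv[] with the laundered pipe as stdin and out_fd as stdout. src is
 * closed before the filter is forked, so the filter never holds a descriptor
 * for path itself. Returns the filter's exit status, or -1 on error. */
int run_filter(const char *path, char *const argv[], int out_fd)
{
    pid_t copier, filter;
    int status, src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    int in = launder_fd(src, &copier);
    close(src);
    if (in < 0) return -1;
    if ((filter = fork()) == 0) {
        if (dup2(in, STDIN_FILENO) < 0 || dup2(out_fd, STDOUT_FILENO) < 0) _exit(126);
        close(in);
        execvp(argv[0], argv);     /* the filter's own profile, if any, applies from here */
        _exit(127);
    }
    close(in);
    waitpid(copier, NULL, 0);
    if (filter < 0 || waitpid(filter, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) { return argc < 3 ? 2 : run_filter(argv[1], argv + 2, 1); }
```

Built as a program it takes the file followed by the filter command, for example `./a.out page.1.gz gzip -dc`.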
