Evince apparmor settings not allowing sitewide dconf changes

Bug #1355804 reported by Lars Madsen
This bug affects 2 people
Affects: evince (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Description: Ubuntu 14.04.1 LTS

apt-cache policy evince evince-common
evince:
  Installed: 3.10.3-0ubuntu10.1
  Candidate: 3.10.3-0ubuntu10.1
  Version table:
 *** 3.10.3-0ubuntu10.1 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
        100 /var/lib/dpkg/status
     3.10.3-0ubuntu10 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages
evince-common:
  Installed: 3.10.3-0ubuntu10.1
  Candidate: 3.10.3-0ubuntu10.1
  Version table:
 *** 3.10.3-0ubuntu10.1 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
        100 /var/lib/dpkg/status
     3.10.3-0ubuntu10 0
        500 http://dk.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages

There are a few issues here. The main problem is that the Evince apparmor settings do not honor site-wide dconf settings as described in dconf(7). I'm currently preparing a multiuser setup where we need some site-wide configurations, one of which affects Evince.

Problem (1): As described in dconf(7), system-wide settings can be made by creating and editing /etc/dconf/profile/user, which will be read if it exists. However, if we do

echo 'user-db:user' | sudo tee -a /etc/dconf/profile/user
sudo dconf update
evince

we get the following warning:

(evince:9145): dconf-WARNING **: Unable to open /etc/dconf/profile/user: Permission denied

and the following message in SYSLOG:

kernel: [ 1129.931888] type=1400 audit(1407843498.164:65): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/dconf/profile/user" pid=9145 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Indeed, if we search through all files in /etc/apparmor.d, /etc/dconf is not mentioned anywhere.

Possible solution: Add

/etc/dconf/** r,

to /etc/apparmor.d/abstractions/evince (I've added it at the end of the /etc/ list already there), and run

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

Then there are no complaints anymore.

Problem (2): Again reading dconf(7), it is recommended to change the settings if /home is NFS mounted. Thus in /etc/dconf/profile/user we should replace 'user-db:user' by 'service-db:keyfile/user'.

This causes a new permission denied problem. Remember to run 'sudo dconf update' and log out and in again.

(evince:19187): dconf-WARNING **: unable to open file '/run/user/1000/dconf-service/keyfile/user': Failed to open file '/run/user/1000/dconf-service/keyfile/user': open() failed: Permission denied; expect degraded performance

from syslog:

kernel: [ 5430.597984] type=1400 audit(1407848788.264:81): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/dconf-service/keyfile/user" pid=19188 comm=64636F6E6620776F726B6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

The apparmor files do mention '/run/user/' (in usr.bin.evince):

# Maybe add to an abstraction?
  owner /{,var/}run/user/*/dconf/ w,
  owner /{,var/}run/user/*/dconf/user rw,

however, this does not match 'dconf-service'. One can fix this by adding

owner /{,var/}run/user/*/dconf-service/keyfile/ w,
owner /{,var/}run/user/*/dconf-service/keyfile/user rw,

to /etc/apparmor.d/abstractions/evince (I added them right after the other 'owner' lines at the top).
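An added example, not part of this report or of the evince package: a small Python helper that parses AppArmor denial lines like the two quoted above, decodes the hex-encoded comm the kernel emits when the process name contains a space (the 'dconf worker' thread), and proposes the narrowest file rule that would allow each access, generalising /run/user/<uid>/ to an owner-restricted glob the way the reporter's fix does. The log lines are constructed from the report and the function names are my own; the reporter's rules are deliberately broader ('/etc/dconf/** r,' and rw on the keyfile), so the output is a starting point for review, not something to apply blindly.

```python
import re

# Constructed sample lines, modelled on the two syslog denials quoted in the
# report, plus one non-denial line that the parser must skip.
SAMPLE_LOG = """\
kernel: [ 1129.931888] type=1400 audit(1407843498.164:65): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/dconf/profile/user" pid=9145 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 5430.597984] type=1400 audit(1407848788.264:81): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/user/1000/dconf-service/keyfile/user" pid=19188 comm=64636F6E6620776F726B6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: [ 5431.000000] type=1400 audit(1407848789.000:82): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/evince" pid=100 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an apparmor="DENIED" line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        value = quoted if quoted is not None else bare
        # The kernel hex-encodes comm (unquoted) when it contains a space or
        # another unsafe byte; "dconf worker" arrives as 64636F6E66...
        if key == "comm" and quoted is None and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("ascii", "replace")
        fields[key] = value
    return fields


def suggest_rule(fields):
    """Propose the minimal AppArmor file rule that would satisfy one denial."""
    path, mask = fields["name"], fields["denied_mask"]
    # Per-user runtime directories: replace the uid with a glob and restrict the
    # rule to files the process owns (fsuid == ouid), so one rule covers all users.
    m = re.fullmatch(r"/(?:var/)?run/user/\d+/(.*)", path)
    if m and fields.get("fsuid") == fields.get("ouid"):
        return f"owner /{{,var/}}run/user/*/{m.group(1)} {mask},"
    return f"{path} {mask},"


def rules_for_profile(log_text, profile):
    """(comm, suggested rule) for every denial attributed to `profile`."""
    out = []
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f and f.get("profile") == profile:
            out.append((f["comm"], suggest_rule(f)))
    return out


if __name__ == "__main__":
    for comm, rule in rules_for_profile(SAMPLE_LOG, "/usr/bin/evince"):
        print(f"{comm:>12}: {rule}")
```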

Tags: apparmor

tags: added: apparmor
Changed in evince (Ubuntu):
importance: Undecided → High
Changed in evince (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.10.3-0ubuntu15

---------------
evince (3.10.3-0ubuntu15) utopic; urgency=medium

  * debian/apparmor-profile:
    - allow site-wide dconf. Thanks to Lars Masden. (LP: #1355804)
    - allow read/write to files we own in /media (LP: #1096837)
    - allow read/write to files we own in /run/user/1000/at-spi2-*
      (LP: #1308488)
    - allow 'l' to /run/user/*/gvfs-metadata/** (LP: #1344810)
    - allow read/write of @{HOME}/.cache/dconf/user (LP: #1024605)
  * debian/apparmor-profile.abstraction:
    - allow read of /etc/xdg/lubuntu/applications/defaults.list (LP: #1290157,
      LP: #1299239)
    - allow read of /**.[eE][pP][sS][fFiI23] (LP: #1330430)
 -- Jamie Strandboge <email address hidden> Tue, 12 Aug 2014 14:30:43 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Michael Schaller (misch-9) wrote :

Can the fix also be backported to Trusty? I've tested the fix on Trusty and it works for me.
