[karmic] apparmor breaks zotero extension for firefox

Bug #449286 reported by Nathaniel Smith
This bug affects 4 people
Affects                Status        Importance  Assigned to       Milestone
evince (Ubuntu)        Fix Released  Undecided   Jamie Strandboge
firefox-3.5 (Ubuntu)   Fix Released  Undecided   Jamie Strandboge
linux (Ubuntu)         Triaged       Undecided   Jamie Strandboge

Bug Description

Binary package hint: evince

The Zotero reference manager is an extension for firefox to make it easy to collect/manage academic papers and related metadata:
  http://www.zotero.org/
It stores downloaded PDFs under ~/.mozilla/firefox/<whatever>.default/zotero/storage

Since upgrading to karmic, I can no longer open any of my papers stored in Zotero, because the evince apparmor profile apparently disallows access to files with this kind of path.

If I try, evince prints to the terminal a message like:
  Error: Couldn't open file '/home/njs/.mozilla/firefox/ywm6cmff.default/zotero/storage/11684/Bailey and Hahn - 2005 - Phoneme similarity and confusability.pdf': Permission denied.
and in the GUI displays
  Unable to open document
  Error opening file: Permission denied

If I run aa-complain /usr/bin/evince, then opening such files works again -- the problem is a line in abstractions/private-files-strict:
    audit deny @{HOME}/.mozilla/** mrwkl,

I suppose the ideal solution would be for zotero to move its database out to a more sensible location. In the mean time, for karmic I suggest allowing rw access to @{HOME}/.mozilla/**/zotero/** so that files in the zotero database are treated like ordinary home directories.

Here are the relevant lines out of dmesg:

[82211.697841] type=1503 audit(1255328281.905:3389): operation="open" pid=32137 parent=1 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name=2F686F6D652F6E6A732F2E6D6F7A696C6C612F66697265666F782F79776D36636D66662E64656661756C742F7A6F7465726F2F73746F726167652F31333938352F5361636B7320657420616C202D2031393734202D20412053696D706C6573742053797374656D617469637320666F7220746865204F7267616E697A6174696F6E206F66205475722E706466
[82211.698278] type=1503 audit(1255328281.905:3390): operation="open" pid=32137 parent=1 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name=2F686F6D652F6E6A732F2E6D6F7A696C6C612F66697265666F782F79776D36636D66662E64656661756C742F7A6F7465726F2F73746F726167652F31333938352F5361636B7320657420616C202D2031393734202D20412053696D706C6573742053797374656D617469637320666F7220746865204F7267616E697A6174696F6E206F66205475722E706466

ProblemType: Bug
Architecture: amd64
Date: Sun Oct 11 22:55:57 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/evince
Package: evince 2.28.0-0ubuntu2
ProcEnviron:
 PATH=(custom, user)
 SHELL=/usr/bin/zsh
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-13.43-generic
SourcePackage: evince
Uname: Linux 2.6.31-13-generic x86_64
mtime.conffile..etc.apparmor.d.usr.bin.evince: 2009-10-11T22:54:17

Jamie Strandboge (jdstrand) wrote :

Does adding @{HOME}/.mozilla/**/zotero/** to abstractions/private-files-strict work for you? After adding the line, please perform:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince

and restart evince.

Changed in evince (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Iakov Davydov (iakov-davydov) wrote :

I have a similar problem. sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince doesn't help.

Iakov Davydov (iakov-davydov) wrote :

Sorry; maybe I was wrong. Can you be more specific about what lines I should add to /etc/apparmor/abstractions/private-files-strict ?

"@{HOME}/.mozilla/**/zotero/**" leads to
AppArmor parser error in /etc/apparmor.d/usr.bin.evince at line 741: syntax error, unexpected TOK_ID, expecting TOK_MODE

Jamie Strandboge (jdstrand) wrote :

I'm sorry. Since this is a PDF specific issue, let's put it in the evince profile. Can you add the following to /etc/apparmor/abstractions/evince:
 @{HOME}/.mozilla/**/zotero/** r,

Then run:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince

Please report back if this fixes the problem for you.

Iakov Davydov (iakov-davydov) wrote :

I suppose you mean /etc/apparmor.d/, but not /etc/apparmor/

I added this line to the end of the file, killed evince, ran sudo apparmor_parser<...>evince, but nothing changed. I still get permission denied.

BTW, here is a sample path of a zotero PDF file:
~/.mozilla/firefox/xxxxxxxx.default/zotero/storage/XXXXXXXX/x.pdf

Iakov Davydov (iakov-davydov) wrote :

davidov@theatre:~/.mozilla/firefox/zd7d6bcj.default/zotero/storage/5T4G9J5X$ tail /etc/apparmor.d/abstractions/evince
  /**.[pP][nN][gG] r,
  /**.[pP][sS] r,
  /**.[eE][pP][sS] r,
  /**.[tT][iI][fF][fF] r,
  /**.[xX][pP][mM] r,
  /**.[gG][zZ] r,
  /**.[cC][bB][rRzZ7] r,

 #fix zotero
 @{HOME}/.mozilla/**/zotero/** r,
davidov@theatre:~/.mozilla/firefox/zd7d6bcj.default/zotero/storage/5T4G9J5X$ killall evince
evince: no process found
davidov@theatre:~/.mozilla/firefox/zd7d6bcj.default/zotero/storage/5T4G9J5X$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince
davidov@theatre:~/.mozilla/firefox/zd7d6bcj.default/zotero/storage/5T4G9J5X$ evince 1990\ Nierhaus\ Biochimie.pdf
Error: Couldn't open file '/home/davidov/.mozilla/firefox/zd7d6bcj.default/zotero/storage/5T4G9J5X/1990 Nierhaus Biochimie.pdf': Permission denied.

Jamie Strandboge (jdstrand) wrote :

Can you please attach your kern.log after getting the permission denied? Also, what version of zotero are you using?

Changed in firefox-3.5 (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Adding firefox-3.5 task. It needs the following in /etc/apparmor.d/usr.bin.firefox-3.5:

  @{HOME}/.mozilla/**/*.sqlite k,

Needs to be changed to:
  @{HOME}/.mozilla/**/*.sqlite* k,

Revision history for this message
Iakov Davydov (iakov-davydov) wrote :

kern.log:
Oct 14 18:04:16 theatre kernel: [179834.672527] type=1503 audit(1255523470.059:129): operation="open" pid=22597 parent=20331 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name=2F686F6D652F64617669646F762F2E6D6F7A696C6C612F66697265666F782F7A6437643662636A2E64656661756C742F7A6F7465726F2F73746F726167652F35543447394A35582F31393930204E696572686175732042696F6368696D69652E706466

Zotero 2.0b7.2

Jamie Strandboge (jdstrand) wrote :

I played around with this a bit, and evince works ok for me. For example:
$ apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
   ...
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/bin/evince
   ...

Then after opening the pdf via zotero (by double clicking the item in the middle pane):
$ sudo aa-status | grep 'evince ('
   /usr/bin/evince (7570)
$ ps auxww|grep 7570
jamie 7570 1.1 0.6 400912 27180 ? Sl 09:27 0:00 evince file:///home/jamie/.mozilla/firefox/o8cpmki3.default/zotero/storage/W99ZU22G/desktopguide.pdf

Can you give exact steps as to how to reproduce the problem? I am new to zotero and am using the beta version of the extension.

Changed in firefox-3.5 (Ubuntu):
status: Triaged → Fix Committed
status: Fix Committed → In Progress
Jamie Strandboge (jdstrand) wrote :

Ok. Adding @{HOME}/.mozilla/**/zotero/** r, is not enough due to bug #451422. I will work around this in the evince profile and upload it later today.

Changed in firefox-3.5 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in evince (Ubuntu):
status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.28.0-0ubuntu4

---------------
evince (2.28.0-0ubuntu4) karmic; urgency=low

  * debian/apparmor-profile.abstraction: allow access to mozilla's cache.
    Unfortunately, the method used is not as clean as it should be due to
    LP: #451422. Once that bug is fixed, the added access will be much
    simpler.
    - LP: #439484
    - LP: #449286

 -- Jamie Strandboge <email address hidden> Wed, 14 Oct 2009 13:11:42 -0500

Changed in evince (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.5.3+build1+nobinonly-0ubuntu4

---------------
firefox-3.5 (3.5.3+build1+nobinonly-0ubuntu4) karmic; urgency=low

  [ Fabien Tassin <email address hidden> ]
  * Bump requirement for system sqlite to >= 3.6.16 (bmo 508104)
    - update debian/rules

  [ Alexander Sack <email address hidden> ]
  * fix LP: #423610 - daily build failures after landing of mozilla-nss.pc droppage
    (bug 422829); we drop our previously used nspr pkgconfig patch and fix
    configure.in to not require in-source nspr if libxul-sdk is used
    - delete debian/patches/nspr_flags_by_pkg_config_hack.patch
    - add debian/patches/bzXXX_libxul_sdk_nspr.patch
    - update debian/patches/series
  * now that we always use libxul-sdk for getting the nspr flags we
    can use --without-system-nspr and --without-system-nss all the time
    - update debian/rules
  * rework localized search engine patch to use ChromeRegistry locale
    information rather than a char pref; also change plugin dir order to allow
    locale specific searchplugins to overlay the ones shipped in
    "searchplugins/common"
    - add debian/patches/bz515232_att399338_distro_locale_searchplugins.patch
    - update debian/patches/series
  * adjust packaging to support localized searchplugins
    + ship default searchplugins in /usr/lib/firefox-addons/searchplugins/en-US/
      and link that directory to $(DEBIAN_FF3_DIR)/distribution/searchplugins instead
      of the main firefox APP_DIR
      - update debian/rules
    + set default searchplugin locale pref to en-US - which is used as a
      fallback if no matching searchplugins/LOCALE directory exists for the
      current locale directory
      - update debian/firefox.js
    + do not install upstream searchplugins through debhelper file and
      install "debsearch" to the new distribution/.../en-US location
      - update debian/firefox-3.0.install
    + ship "common" searchplugins link that points to the old default
      searchplugins location '/usr/lib/firefox-addons/searchplugins/
      - update debian/rules

  [ Jamie Strandboge <email address hidden> ]
  * fix bugs surrounding apparmor profile
    + allow ixr access to gnash (LP: #429061)
    + allow ixr access to pulseaudio (LP: #432702)
    + allow access to plugins directory (LP: #428071)
    + allow access to mounted media (LP: #433362)
    + allow access to abstractions/ubuntu-console-email,
      abstractions/ubuntu-email and abstractions/ubuntu-gnome-terminal
      for mailto:. Add commented section for using xterm and konsole
      - update debian/usr.bin.firefox-3.5
    + allow access to extensions directory (LP: #433128)
    + allow 'k' access to @{HOME}/.mozilla/**/*.sqlite* (LP: #449286)
    + allow Ux access to apport-bug (LP: #449423)
    + allow access to /etc/mplayerplug-in.conf (LP: #439484)

 -- Alexander Sack <email address hidden> Thu, 15 Oct 2009 02:30:48 +0200

Changed in firefox-3.5 (Ubuntu):
status: In Progress → Fix Released
Iakov Davydov (iakov-davydov) wrote :

Jamie, thank you very much for the fast fix.
I see that there are new versions of these packages but cannot find them in updates.
Where can I get packages to test them?

Gustavo Carneiro (gjc) wrote :

I upgraded today and I still see the problem with zotero:

[ 161.516661] type=1503 audit(1255611582.902:26): operation="file_lock" pid=2852 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="k::" denied_mask="k::" fsuid=1000 ouid=1000 name="/home/gjc/.mozilla/firefox/default.dng/zotero/zotero.sqlite.tmp"
[ 161.677961] type=1503 audit(1255611583.057:27): operation="exec" pid=2922 parent=2921 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/mkfifo"
[ 191.525758] type=1503 audit(1255611612.909:28): operation="truncate" info="Failed name lookup - deleted entry" error=-2 pid=2852 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name=2F7661722F746D702F6574696C71735F4D3450786E4C7A4D625569566A344C202864656C6574656429

Jamie Strandboge (jdstrand) wrote :

Gustavo, for zotero.sqlite.tmp you need the latest firefox-3.5, which is 3.5.3+build1+nobinonly-0ubuntu4. However, there is a kernel bug #451375 for truncate that is still pending that cannot be worked around via profiling.
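
The denial lines quoted in this thread use the kernel's type=1503 audit format, in which a path containing spaces is emitted as a bare hex string rather than a quoted name= value. The script below is an added example, not part of the bug report or of Ubuntu's AppArmor tooling: it parses those lines, decodes the hex-encoded names, and checks the decoded paths against candidate profile rules with a small translator for the AppArmor glob subset used here (@{HOME}, **, *, ? and [...] classes). The three sample lines are copied from the comments above; the home directory values passed in and the function names are mine. It also shows why the `*.sqlite` rule misses zotero.sqlite.tmp while `*.sqlite*` matches it, and that the truncate denial decodes to a path carrying the " (deleted)" suffix, which no profile rule can cover.

```python
import re

# Constructed sample log: three type=1503 denial lines copied from this bug
# report. Two carry a hex-encoded name= (path contains spaces or parentheses),
# one carries a quoted name=.
SAMPLE_LOG = """\
Oct 14 18:04:16 theatre kernel: [179834.672527] type=1503 audit(1255523470.059:129): operation="open" pid=22597 parent=20331 profile="/usr/bin/evince" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name=2F686F6D652F64617669646F762F2E6D6F7A696C6C612F66697265666F782F7A6437643662636A2E64656661756C742F7A6F7465726F2F73746F726167652F35543447394A35582F31393930204E696572686175732042696F6368696D69652E706466
[ 161.516661] type=1503 audit(1255611582.902:26): operation="file_lock" pid=2852 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="k::" denied_mask="k::" fsuid=1000 ouid=1000 name="/home/gjc/.mozilla/firefox/default.dng/zotero/zotero.sqlite.tmp"
[ 191.525758] type=1503 audit(1255611612.909:28): operation="truncate" info="Failed name lookup - deleted entry" error=-2 pid=2852 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="w::" denied_mask="w::" fsuid=1000 ouid=1000 name=2F7661722F746D702F6574696C71735F4D3450786E4C7A4D625569566A344C202864656C6574656429
"""

# key="quoted value" or key=bare_token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# an even-length run of hex digits, the form the kernel uses for escaped names
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_audit_line(line):
    """Split one type=1503 line into a dict and decode a hex-encoded name=.

    Returns None for lines that are not AppArmor audit records.
    """
    if "type=1503" not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    name = fields.get("name")
    # A real path always contains "/", so an all-hex name is the escaped form.
    if name and HEX_RE.fullmatch(name):
        fields["name"] = bytes.fromhex(name).decode("utf-8", "replace")
    return fields


def denials(log_text):
    """Return (profile, operation, denied_mask, path) for every denial line."""
    result = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("denied_mask"):
            result.append((f["profile"], f["operation"], f["denied_mask"], f["name"]))
    return result


def apparmor_glob_to_regex(rule_path, home):
    """Translate the path of an AppArmor file rule into an anchored regex.

    Covers the subset used in this thread: @{HOME}, ** (any chars including
    '/'), * and ? (any chars except '/'), and [...] character classes.
    """
    path = rule_path.replace("@{HOME}", home)
    out, i = [], 0
    while i < len(path):
        if path.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = path[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = path.index("]", i)      # copy the class verbatim
            out.append(path[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_covers(rule, real_path, home):
    """True if a profile line such as '@{HOME}/.mozilla/**/*.sqlite* k,'
    (optionally prefixed with audit/deny/owner) matches real_path."""
    tokens = rule.split()
    while tokens and tokens[0] in ("audit", "deny", "owner"):
        tokens.pop(0)
    return apparmor_glob_to_regex(tokens[0], home).match(real_path) is not None


if __name__ == "__main__":
    for profile, op, mask, path in denials(SAMPLE_LOG):
        print(f"{profile}: {op} denied {mask} on {path}")
    tmp = "/home/gjc/.mozilla/firefox/default.dng/zotero/zotero.sqlite.tmp"
    for rule in ("@{HOME}/.mozilla/**/*.sqlite k,", "@{HOME}/.mozilla/**/*.sqlite* k,"):
        print(f"{rule!r} covers zotero.sqlite.tmp: {rule_covers(rule, tmp, '/home/gjc')}")
```

Running the script prints the three decoded denials (the evince open, the firefox file_lock on zotero.sqlite.tmp, and the truncate on a deleted /var/tmp file) and then shows that only the `*.sqlite*` form of the rule covers the .tmp file, which is the one-character change Jamie describes above.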

Jamie Strandboge (jdstrand) wrote :

Unfortunately, at this point (due to bug #451375) if you are using zotero you cannot use the apparmor firefox profile. To disable the profile, do:
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5 ; sudo ln -s /etc/apparmor.d/usr.bin.firefox-3.5 /etc/apparmor.d/disable/usr.bin.firefox-3.5

summary: - [karmic] evince apparmor profile breaks zotero reference database
+ [karmic] apparmor breaks zotero extension for firefox
Jamie Strandboge (jdstrand) wrote :

Adding an apparmor task for tracking, even though the master bug is in bug #451375.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
affects: apparmor (Ubuntu) → linux (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

That should have been a 'linux' task, not apparmor. Since the evince and firefox parts are fixed and only the linux part remains, I am going to mark this as a duplicate of bug #451375 for the linux task.

Jamie Strandboge (jdstrand) wrote :

I should point out that while AppArmor in the kernel is deviating from standard unix semantics by disallowing the access to the deleted file even though the profile allows it, the problem is that zotero seems to have a bug in that it is trying to truncate a file that has already been deleted. If upstream fixes this, then the problem would go away.
