desktop-packages team mailing list archive
Message #54679
[Bug 900324] [NEW] Faulty/useless apparmor profile
Public bug reported:
Hi,
evince comes with apparmor profiles.
1) The profiles are incomplete/outdated. The kernel keeps complaining because evince tries to read from udev, which has been moved to /run/udev by some Ubuntu berserks:
Dec 5 16:10:19 sodom kernel: [24711.331270] type=1400
audit(1323097819.959:148): apparmor="DENIED" operation="open"
parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:6"
pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
2) The profiles are mostly useless because they open almost everything for read/write anyway, e.g.
@{HOME}/** rw,
What's the point in having an apparmor profile if it opens all doors? The idea of apparmor is to restrict particular access, not to open everything to make it run as it would without an apparmor profile.
BTW, the file design is poor. The master profile should contain only
what evince needs to run (like /usr/lib... and such things) and not
intermix with the files to read or write for working. These options
should be put into a separate file to allow the admin to modify it to
local needs without breaking the upgrade process for the main part of
the profile.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: evince-common 3.2.1-0ubuntu2
ProcVersionSignature: Error: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/proc/version_signature'
Uname: Linux 3.2.0-030200rc2-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Dec 5 16:14:31 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100427.1)
PackageArchitecture: all
ProcEnviron:
PATH=(custom, user)
LANG=de_DE.UTF-8
SHELL=/bin/tcsh
SourcePackage: evince
UpgradeStatus: Upgraded to oneiric on 2011-10-29 (36 days ago)
** Affects: evince (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apparmor apport-bug oneiric
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/900324
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/900324/+subscriptions
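Added example, not part of the original report or of the evince package: a small Python parser for AppArmor denial records like the one quoted in point 1, which tolerates line-wrapped records, counts repeats, and lists candidate path rules for manual review. The function names, the two extra log records and the restriction to read/write masks are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the wrapped record quoted in the report, then two
# constructed single-line records (a repeat, and a complain-mode ALLOWED).
SAMPLE_LOG = '''\
Dec 5 16:10:19 sodom kernel: [24711.331270] type=1400
audit(1323097819.959:148): apparmor="DENIED" operation="open"
parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:6"
pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
Dec 5 16:10:20 sodom kernel: [24712.000000] type=1400 audit(1323097820.100:149): apparmor="DENIED" operation="open" parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:6" pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 5 16:10:21 sodom kernel: [24713.000000] type=1400 audit(1323097821.200:150): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/example" name="/tmp/example" pid=2 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
'''

# A record runs from one "audit(ts:serial):" to the next, whatever the wrapping.
RECORD = re.compile(r'audit\((\d+\.\d+):(\d+)\):(.*?)(?=audit\(|\Z)', re.S)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks handled here; c (create) and d (delete) fall under w in a rule.
# Other masks (x, k, l, m, a) need a manual decision and are skipped.
RULE_PERM = {"r": "r", "w": "w", "c": "w", "d": "w"}

def parse_denials(text):
    """Return one dict per DENIED record; ALLOWED (complain mode) is dropped."""
    denials = []
    for ts, serial, body in RECORD.findall(text):
        fields = {k: (q if q else u) for k, q, u in FIELD.findall(body)}
        if fields.get("apparmor") == "DENIED":
            fields["timestamp"], fields["serial"] = float(ts), int(serial)
            denials.append(fields)
    return denials

def summarize(denials):
    """Count denials per (profile, path, denied_mask)."""
    return Counter((d.get("profile"), d.get("name"), d.get("denied_mask"))
                   for d in denials)

def candidate_rules(denials, profile):
    """De-duplicated path rules for one profile, for review before use."""
    perms = {}
    for d in denials:
        if d.get("profile") != profile or "name" not in d:
            continue
        mapped = {RULE_PERM[c] for c in d.get("denied_mask", "") if c in RULE_PERM}
        if mapped:
            perms.setdefault(d["name"], set()).update(mapped)
    return [f"{p} {''.join(sorted(m))}," for p, m in sorted(perms.items())]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(summarize(found))
    print("\n".join(candidate_rules(found, "/usr/bin/evince")))
```

The listed rules are the exact denied paths; whether to grant them as-is or as a narrower or broader pattern remains a review decision.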