Bug 4468 - Evince (and possibly other programs) doesn't work in a remote Ubuntu session
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server OS
Version: 3.4.0
Hardware: PC Linux Ubuntu
Importance: P2 Normal
Target Milestone: 4.1.0
Assignee: Pierre Ossman
Keywords: derfian_tester
Reported: 2012-11-08 13:45 CET by Aaron Sowry
Modified: 2013-05-20 16:17 CEST

Description Aaron Sowry cendio 2012-11-08 13:45:54 CET
I assume this is something to do with AppArmor. From "strace evince":

open("/var/opt/thinlinc/sessions/aaron/1/Xauthority", O_RDONLY) = -1 EACCES (Permission denied)

Perhaps the installer should configure AppArmor too, in the same way we do for SELinux, but I imagine this would require editing system files. If we don't want to do this, then we should at least add something to Platform Specific Notes.
Comment 1 Peter Åstrand cendio 2012-11-13 11:19:08 CET
Confirmed with a standard Ubuntu 12.04 installation. Found this upstream bug:

https://bugs.launchpad.net/ubuntu/+source/evince/+bug/523803

Unfortunately RESOLVED NOTABUG. It is indeed an AppArmor thing. Stupid if you ask me... Wrt configuration, there's a file:

/etc/apparmor.d/abstractions/X

...that only allows these files:

  # .Xauthority files required for X connections, per user
  @{HOME}/.Xauthority           r,
  owner /{,var/}run/gdm/*/database r,
  owner /{,var/}run/lightdm/authority/[0-9]* r,

This "abstraction" is used by:

./abstractions/ubuntu-browsers.d/multimedia
./abstractions/gnome
./abstractions/kde

The gnome abstraction is used by:

./abstractions/ubuntu-browsers.d/java
./abstractions/ubuntu-gnome-terminal
./abstractions/evince
./disable/usr.bin.firefox
./usr.bin.firefox

Thus, fortunately, it seems like Evince is basically the only problematic program. Whee, this gives SO much more security! 

I guess we could ask them to include /var/opt/thinlinc/... in the default configuration...
Comment 2 Peter Åstrand cendio 2012-11-13 11:31:31 CET
By adding this line to /etc/apparmor.d/abstractions/X:

  owner /{,var/}opt/thinlinc/sessions/*/*/Xauthority r,

...evince actually "starts". However, it looks like shit, and writes this to the console:

(evince:13833): GRIP-WARNING **: failed to determine device types

(evince:13833): GRIP-WARNING **: Failed to initialize gesture manager.

(evince:13833): GRIP-WARNING **: Failed to initialize gesture manager.
...

It's not even possible to close the application. This does not help either:

# mv /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/

I'd say that this is FUBAR.
Comment 3 Patrik Pira 2012-12-12 08:18:15 CET
In my opinion the best workaround is to reconfigure apparmor with an "additional home", 

sudo dpkg-reconfigure apparmor

specify /var/opt/thinlinc/sessions/ as an "additional home".

Everything works. Maybe document this as a workaround?
Comment 4 Aaron Sowry cendio 2013-02-04 14:02:17 CET
(In reply to comment #3)
> In my opinion the best workaround is to reconfigure apparmor with an
> "additional home", 

I'm leaning towards this solution too - AFAICT, any automated solution involves modifying system files, which is not a good idea IMO. Perhaps we can simply document this workaround in Platform Specific Notes.
Comment 5 Aaron Sowry cendio 2013-02-04 15:51:46 CET
Workaround added to Platform Specific Notes in r26497.
Comment 6 Aaron Sowry cendio 2013-02-05 15:03:51 CET
Vetoed - we've decided to keep investigating additional possible solutions to this issue.
Comment 7 Pierre Ossman cendio 2013-04-24 13:38:34 CEST
AppArmor sucks royally. I cannot see any proper way of extending the existing policy ("local/" is for the administrator, and is not guaranteed to be used).

There is a tunables/home.d that seems open for abuse though. We might be able to drop the necessary policy changes in there. Not really what that directory is supposed to be used for, but I don't see any other options.
Comment 8 Pierre Ossman cendio 2013-04-24 14:44:59 CEST
Bah. home.d is included in the preamble, so we cannot add any rules there. The only thing we can do is modify variables. So we can automate the workaround in comment 3, but not much else.
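
Added example, not part of the original thread and not ThinLinc's tl-setup code: a shell check that lists the directories assigned to AppArmor's @{HOMEDIRS} variable (the setting the comment 3 workaround changes through tunables) and tests whether a session's Xauthority path falls under one of them. The sample tree and the home.d file name thinlinc-example are constructed for illustration; on a real host the root argument would be /etc/apparmor.d.

```shell
#!/bin/sh
# Added example (not ThinLinc code): list the directories AppArmor treats as
# home roots and check whether a session path falls under one of them.

# Print each value assigned to @{HOMEDIRS} under an apparmor.d root ($1).
homedirs() {
    for f in "$1/tunables/home" "$1"/tunables/home.d/*; do
        [ -f "$f" ] || continue
        # Drop comments, then keep the right-hand side of "=" and "+=" lines.
        sed -n -e 's/#.*//' \
            -e 's/^[[:space:]]*@{HOMEDIRS}[[:space:]]*[+]\{0,1\}=//p' "$f"
    done | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Return 0 if path $2 is <home root><user>/<something> for a root found in $1.
# Roots without a trailing "/" are skipped: @{HOME} is built as @{HOMEDIRS}*/
# so such an entry never expands to a per-user directory.
under_home() {
    for d in $(homedirs "$1"); do
        case $d in */) ;; *) continue ;; esac
        case $2 in "$d"?*/?*) return 0 ;; esac
    done
    return 1
}

# Constructed sample tree mimicking /etc/apparmor.d (not read from a system).
make_sample() {
    t=$(mktemp -d) && mkdir -p "$t/tunables/home.d" || return 1
    printf '%s\n' '# constructed sample' '@{HOME}=@{HOMEDIRS}*/ /root/' \
        '@{HOMEDIRS}=/home/' > "$t/tunables/home"
    printf '%s\n' '@{HOMEDIRS}+=/var/opt/thinlinc/sessions/' \
        > "$t/tunables/home.d/thinlinc-example"   # hypothetical file name
    echo "$t"
}

tree=$(make_sample)
homedirs "$tree"
under_home "$tree" /var/opt/thinlinc/sessions/aaron/1/Xauthority && echo covered
rm -rf "$tree"
```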
Comment 9 Pierre Ossman cendio 2013-04-24 15:08:50 CEST
tl-setup was modified to configure this for the administrator in r27172.

Tester should remove the old information on the web during the test period.
Comment 10 Aaron Sowry cendio 2013-04-29 10:04:43 CEST
The apparmor module is not shipping.
Comment 11 Aaron Sowry cendio 2013-04-29 10:10:40 CEST
Also, error on line 197 of apparmor.py.
Comment 12 Pierre Ossman cendio 2013-04-29 16:47:35 CEST
Fixed.
Comment 13 Karl Mikaelsson cendio 2013-05-20 16:17:42 CEST
> open("/var/opt/thinlinc/sessions/cendio/1/Xauthority", O_RDONLY) = 7

Didn't have any problems with the AppArmor install on 12.04 and Evince starts up nicely. Calling this one done, solved and closed.