I have been setting up my own AppArmor profile for Okular and one thing has me confused; I wonder if someone could shed some light on it.
I have got it to a point where it does function, but one denied error is still given: name=randomstringofcharacters mask="wc", which I assume means it is trying to make a file in /. I am assuming this is a temp file perhaps, just odd why not put it in /tmp/. I have omitted the random string of characters here as I am unsure what it relates to. I get this when I open a pdf, maybe go into the settings - typical stuff really.
I just find it strange why a pdf reader would need to write directly to / if I
I am using the okular from the Arch repos of course.
I am unsure if it’s a bug, as if it was a tmp file why not use /tmp/ or /var/tmp/ ?
Thanks for your reply,
I did just check my $TMPDIR and it wasn’t set. But even after setting it oddly apparmor still reports a denied object.
I am just trying to figure out this oddity.
Here is some more of the apparmor log
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="/usr/bin/okular" name=omitedrandomstringofcharacters comm="okular" requested_mask="wc" denied_mask="wc"
Can one let audit sigill Okular, get a coredump and do a backtrace? If we have the open-point and the resource, it should be reasonably easy to figure out what’s up.
I do not think the file actually exists, the error seems to occur when I either exit okular after editing the settings ( toggle one for example ) or attempt to save the file.
But I am able to save the document and have changes persist as well.
A couple examples.
Open pdf, highlight text CTRL + S.
error:
apparmor="DENIED" operation="mknod" class="file" profile="/usr/bin/okular" comm="KIO::WorkerThre" requested_mask="c" denied_mask="c"
type okular in start, open recent pdf.
error:
apparmor="DENIED" operation="mknod" class="file" profile="/usr/bin/okular" comm="okular" requested_mask="c" denied_mask="c"
The file literally is just name=loadofcharacters. I am unsure if the number is worth omitting, just playing that safe. To me it looks like a temp file perhaps. It has no /path on it so I think it must be trying to write to / and create a file.
Thanks for your reply, I have not dealt with core dumps and such before so am not entirely sure how to proceed, what information would you need exactly?
I don’t know if creating a temporary file would end up in mknod, this might come from an attempt at creating a named pipe.
Unfortunately no idea why it would do that or where it would come from.
If there is no leading slash then it is more likely relative to the “current working directory” of the process.
When you launch through the GUI that is most likely the user’s home directory.
You're right, it was not actually accessing the / directory. Seems to actually be the home directory.
Adding
@{HOME}/** rwk,
stops the error occurring entirely. Also tested a pdf on a usb and no error there either.
During this I did have a denied error to .mozilla, specifically cert9.db with a file_lock error, but aside from the other oddity the culprit has been found.
But why might okular access .mozilla? Possible to verify a pdf cert? Just wondering.
Appreciate the extra info about the certs. But no it was not related to the random string thing, was more of a general query.
As said above the random string thing was not trying to be written to / but actually the home directory. Makes more sense as I did not want to give /** rwk as a permission. It must be either a temp file of sorts or a named pipe.
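An added example, not part of the thread: a small parser for records like the ones quoted above. It reports whether the denied name is absolute, relative or missing, and decodes a bare hex name, which is how the kernel audit layer writes paths containing spaces or other special characters; the sample records and names are constructed, and whether the string omitted in this thread was such an encoding is not known.

```python
import re

# key=value pairs; a value is either "quoted" or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return a summary of one AppArmor DENIED record, or None for other lines."""
    fields = {}
    for key, raw, inner in FIELD.findall(line):
        quoted = raw.startswith('"')
        fields[key] = (inner if quoted else raw, quoted)
    if fields.get("apparmor", ("", True))[0] != "DENIED":
        return None
    name, quoted = fields.get("name", (None, True))
    decoded = False
    # A bare, even-length hex token is how the audit layer writes a name
    # that contains spaces, quotes or non-printable bytes.
    if name is not None and not quoted and HEX.fullmatch(name):
        name = bytes.fromhex(name).decode("utf-8", "replace")
        decoded = True
    if name is None:
        kind = "missing"
    elif name.startswith("/"):
        kind = "absolute"
    else:
        kind = "relative"  # the thread reads this as relative to the process's cwd
    return {
        "profile": fields.get("profile", ("?", True))[0],
        "operation": fields.get("operation", ("?", True))[0],
        "comm": fields.get("comm", ("?", True))[0],
        "mask": fields.get("denied_mask", ("?", True))[0],
        "name": name, "hex_decoded": decoded, "kind": kind,
    }

# Constructed sample records modelled on the excerpts above; the names are invented.
_PREFIX = 'audit: type=1400 apparmor="DENIED" class="file" profile="/usr/bin/okular" '
SAMPLES = [
    _PREFIX + 'operation="open" name=' + "/home/alice/my doc.pdf".encode().hex().upper()
            + ' comm="okular" requested_mask="wc" denied_mask="wc"',
    _PREFIX + 'operation="mknod" name="okular.AbC123" comm="KIO::WorkerThre" '
              'requested_mask="c" denied_mask="c"',
    _PREFIX + 'operation="mknod" comm="okular" requested_mask="c" denied_mask="c"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_denial(sample))
```

Seeing the decoded path makes it possible to write a rule for the specific file or directory rather than a broad pattern such as @{HOME}/** rwk; AppArmor's aa-decode utility performs the same hex decoding on the command line.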