Hi,

>> Does it end with ".pdf", like name="/run/..../....pdf", or does it
>> look different?
Since then, Laurent shared details privately (thanks!) and we now know that the path passed to name="..." does not end with a known extension, so we can't match on that :/

This is, unfortunately, a good example of the limitations of AppArmor for desktop apps.

Short term, we need to choose between:

- Option A: works out of the box for files stored behind gvfs; impact of exploitation of Evince is higher by default. Add a rule like the one you suggested initially.
- Option B: opening files stored behind gvfs requires tweaking files in /etc; impact of exploitation of Evince is lower by default.

I think the maintainers of the app are generally the best placed to decide what's best. My 2 cts: personally, given how wide open the Evince profile already is, I don't think the marginal security improvement of option B is worth the UX pain, so I would go for option A.

And in passing, another 2 cts: mid term, as long as we ship desktop apps as Debian packages weakly sandboxed with AppArmor, as opposed to Flatpak, perhaps we should consider making them use Desktop Portals (e.g. via GTK_USE_PORTAL=1). This would allow us to make the AppArmor policy much stricter, and would solve the whole class of UX problems that this bug is part of.

Cheers,
--
intrigeri
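As an added illustration of the two options discussed in the message above (this is not the rule Laurent proposed, which is not on this page, nor code from the Evince or Debian AppArmor packaging), here is what each looks like as AppArmor policy. It assumes Debian ships the Evince profile as /etc/apparmor.d/usr.bin.evince with the usual `#include <local/usr.bin.evince>` hook for admin overrides, and that gvfs-fuse mounts the remote filesystems under /run/user/UID/gvfs/. The rule text itself is an assumption chosen to fit the constraint named in the thread, namely that the path carries no usable extension:

```apparmor
# Added example, not the rule from the thread.
# gvfs-fuse exposes remote/MTP/etc. files under /run/user/<uid>/gvfs/...,
# and the path Evince receives has no known extension, so the rule has to
# cover the whole subtree instead of matching on "*.pdf".
#
# "owner" limits the grant to files owned by the user running Evince, i.e.
# their own runtime directory, not another logged-in user's gvfs mounts.

# Option A: put this rule in the packaged profile itself
# (/etc/apparmor.d/usr.bin.evince), so gvfs-backed files open out of the box
# for every installation:
#
#   owner /run/user/[0-9]*/gvfs/** r,

# Option B: leave the packaged profile alone and let admins who need gvfs
# add the same rule to the override the profile already includes, i.e. this
# file would be /etc/apparmor.d/local/usr.bin.evince:
owner /run/user/[0-9]*/gvfs/** r,

# After either change, reload the profile (as root):
#   apparmor_parser -r /etc/apparmor.d/usr.bin.evince
# and confirm the denial is gone by watching the kernel audit log while
# opening a gvfs-backed file:
#   dmesg | grep 'apparmor="DENIED".*evince'
```

The rule is read-only on purpose: the bug as described is about opening documents, and a write grant on the whole gvfs tree would widen what a compromised Evince could do to remote shares far beyond what the fix needs.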