ImageMagick blocking pdf read

When trying to use the ImageMagick convert command on a group of PDF files, and also on single files, I am getting the following message:

convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.

2019-06-20T09:20:00Z
It turns out it was not snapd or apparmor but a policy of ImageMagick so the post title has been edited accordingly and moved as it is no longer a rant - so some of the comments may seem out of scope but they are not.

I think it is related to this

I recently started learning Python (by recent I mean two days ago). I ran into this in the first tutorial with the turtle.
import turtle - my terminal froze and I had to click it again to see the error, and it was actually that, except with PS instead of PDF.
I had no idea what was happening, googled for a while and had no clue.
I guess I need to learn about AppArmor now. /sigh

It certainly does - and thank you for getting me in the right direction. :slight_smile:

So this issue - with my pdf to png - conversion seems to be totally unrelated to AppArmor.

Neither did I but the blocking is highly security related - as the ImageMagick reading of specific files could allow for malicious code execution.

So the blocking is highly appropriate and the easy fix is very welcome. :slight_smile:


My concern about having snapd and apparmor still stands though.

But being a maintainer - requires me to learn it - so reading on.

So I will learn how to use AppArmor and snaps ...

It would seem that Manjaro Tools is incorporating snap support to have preinstalled snaps on future Manjaro ISOs.

As per the linked thread, the issue comes from this patch apparently:
https://git.archlinux.org/svntogit/packages.git/tree/trunk/IM7-GS-policy.patch?h=packages/imagemagick

Also reported here: https://bugs.archlinux.org/task/62785?project=1&string=imagemagick


We are all about choice, if installed by default, we should be able to uninstall if we don't want / causes problems with our workflow.

This has nothing to do with snaps. It is rather a wanted security feature for protecting users having bad PDFs. More here and here.


Now as this is cleared, let's talk snaps.

Some might know that I went to Montreal to the snapcraft summit. We expanded our relationship with Canonical and the Snapcraft project. Manjaro 18.1 will feature Snaps by default and also will ship some Snaps on the ISO. This can already be tested with our XFCE ISO. This is also part of the new direction of Manjaro, we are currently discussing internally for some days now. As Canonical is changing their way and see us as a partner we all benefit from it. This already shows in their store.

The dependency of snapd for our manjaro-tools is currently needed for opt-snaps support on our ISOs.

To push Manjaro, our Core-Team takes decisions which may not look for all in their interest but make sense for the bigger goal we have in mind. A lot of changes are coming ahead and we will include the community partly in our decisions.

We have to move forward and Canonical is a great partner to achieve this.

@linux-aarhus - Frede

As a workaround add:

<policy domain="coder" rights="read | write" pattern="PDF" />

To the bottom (next to last line above </policymap>)

/etc/ImageMagick-7/policy.xml
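
How the workaround line interacts with a packaged deny rule, as an added example that is not part of the original posts: the sample policy is constructed, and both the brace-pattern deny rule and the "later matching rule wins" ordering are assumptions rather than details taken from this thread.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample: a packaged rule denying the Ghostscript-backed coders,
# followed by the workaround line appended just above </policymap>.
# The brace rule is an assumption, not copied from the Arch patch.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF,XPS}" />
  <policy domain="coder" rights="read | write" pattern="PDF" />
</policymap>"""

def expand_braces(pattern):
    """Expand {A,B,C} alternation into a list of plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out

def effective_rights(policy_xml, coder):
    """Return the rights left for `coder`, or None if no coder rule matches.

    Assumption: rules apply in file order and a later matching rule
    overrides an earlier one, which is why the workaround goes last.
    """
    rights = None
    for rule in ET.fromstring(policy_xml).iter("policy"):
        if rule.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(rule.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder.upper(), g.upper()) for g in globs):
            tokens = {t.strip().lower() for t in rule.get("rights", "").split("|")}
            rights = tokens - {"none", ""}
    return rights

def audit(policy_xml, coders=("PDF", "PS", "EPS", "XPS")):
    """Map each coder to 'no rule', 'none', or its granted rights."""
    report = {}
    for coder in coders:
        r = effective_rights(policy_xml, coder)
        report[coder] = "no rule" if r is None else (" | ".join(sorted(r)) or "none")
    return report

if __name__ == "__main__":
    for coder, rights in audit(SAMPLE_POLICY).items():
        print(f"{coder}: {rights}")
```

With the sample, only PDF is re-enabled while PS, EPS and XPS stay blocked; to check a real system, pass the contents of /etc/ImageMagick-7/policy.xml to audit().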

Indeed. I just went and fixed it, I can import turtle now. :partying_face:
I was frustrated already yesterday so my searching for a solution was half-hearted at best.
Whether it be ImageMagick or AppArmor, more security is better.... usually. :wink:

As long as we can continue to use Manjaro in an "Arch" way, relying solely on traditional packages from the repos (or is Arch also going snappy?), this shouldn't be much of a problem. I suppose we can simply remove snaps we don't want and use traditional packages?

:confused: At this stage, my experience with containers: flatpak is always lighter and faster than snap.
Canonical's policy of mixing snaps with apt created an enormous amount of failure threads on the French forum (snap not performing as the .deb, snap mixed with the .deb..)

[Edit] --> Even on the French Ubuntu forum, Canonical's snap policy (and snaps altogether) has low support if any.
In addition, Canonical's orientations do create a real mess: https://www.gamingonlinux.com/articles/valve-looking-to-drop-support-for-ubuntu-1910-and-up-due-to-canonicals-32bit-decision.14421
