I made my Debian GNU/Linux 12 “bookworm” aware of locally installed fonts in a non-root partition:

    $ la -la /usr/local/share/fonts/
    …
    lrwxrwxrwx  1 root     staff         40  8. Feb 22:16  Folder1 -> '/media/WIN_SYS/Folder1'
    lrwxrwxrwx  1 root     staff         33  8. Feb 23:05  Folder2 -> /media/WIN_SYS/Folder2
    …
    # fc-cache -fv

After that, evince started to report a bunch of errors (“some font thing failed”) on the console while opening certain (not all) PDF files. Examining /var/log/syslog yielded a bunch of messages as follows:

    [date&time] MachineName kernel: [210785.968345] audit: type=1400 audit(1708091486.368:26210): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/media/WIN_SYS/Folder1/some_font_file.ttf" pid=3000142 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

some_font_file.ttf advertises itself as Courier New, Regular to gnome-font-viewer.

  1. Does evince really need some_font_file.ttf? I see no adverse effects in the evince viewer window itself, though pdffonts viewed_document.pdf | grep -i cour yields, among other stuff,

    ABCDEE+Courier New                   TrueType          WinAnsi          yes yes no       3  0
    ABCDEE+Courier New                   CID TrueType      Identity-H       yes yes yes     11  0
    CourierNewPSMT                       TrueType          WinAnsi          no  no  no      70  0
    

    I cannot regenerate viewed_document.pdf (it was created by someone else long ago). Of course, there's always a chance of me overseeing some visual output which should be there while viewing the PDF but has eluded my attention so far.

  2. How to relax the settings of apparmor in the least permissive yet concise way to allow evince to get to the font files from /media/WIN_SYS/Folder1, /media/WIN_SYS/Folder2, …, including their subfolders? There are way too many font files there, and their names and locations inside Folder1 and Folder2 are subject to change, so listing each font file separately is not an option. Allowing evince to access all of the mounted non-root partitions is also not an option, as this is an unnecessary security risk.
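The following is an added example, not part of the question and not Debian's own packaging or tooling. It shows the least-privilege way to answer question 2: pull the denied paths out of the audit records, grant evince read-only access to just the named directory trees with `**` glob rules, and keep the rest of the mount off-limits. It assumes Debian's evince profile is `/etc/apparmor.d/usr.bin.evince` and that it includes the site override file `/etc/apparmor.d/local/usr.bin.evince`; the log lines are constructed from the one quoted above plus two invented records (a second evince denial under Folder2 and a denial for a different profile) so that the filtering is visible. The `apply_override` function needs root and is not run by the demo.

```shell
#!/bin/sh
# Added example: derive a minimal read-only AppArmor override for evince from
# the audit denials. Not from the question or from Debian's evince package.
# Assumed paths: /etc/apparmor.d/usr.bin.evince (profile) and
# /etc/apparmor.d/local/usr.bin.evince (site override it includes).
set -eu

# Constructed sample log: the question's denial, a second one beneath Folder2,
# and one for an unrelated profile that must not influence the evince rules.
SAMPLE_LOG='Feb 16 15:31:26 host kernel: [210785.968345] audit: type=1400 audit(1708091486.368:26210): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/media/WIN_SYS/Folder1/some_font_file.ttf" pid=3000142 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 16 15:31:27 host kernel: [210786.001122] audit: type=1400 audit(1708091487.001:26211): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/media/WIN_SYS/Folder2/sub/other_font.otf" pid=3000142 comm="EvJobScheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 16 15:31:28 host kernel: [210786.100000] audit: type=1400 audit(1708091488.100:26212): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/media/WIN_SYS/Secret/keys.txt" pid=1 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Print the name="..." path of every DENIED record for profile $1; log on stdin.
denied_paths() {
  sed -n 's|.*apparmor="DENIED".*profile="'"$1"'".*name="\([^"]*\)".*|\1|p'
}

# Emit read-only rules for each directory given as an argument: the directory
# itself and, via '**' (which matches across '/'), everything beneath it.
gen_read_rules() {
  for dir in "$@"; do
    dir="${dir%/}"
    printf '  %s/ r,\n' "$dir"
    printf '  %s/** r,\n' "$dir"
  done
}

# Plain prefix check: is path $1 inside one of the granted directories ($2..)?
# Returns 0 if covered, 1 otherwise. A sanity test, not the kernel's matcher.
covered() {
  path=$1; shift
  for dir in "$@"; do
    dir="${dir%/}"
    case "$path" in
      "$dir"/*) return 0 ;;
    esac
  done
  return 1
}

# Write the override and reload the profile. Needs root; the demo does not call it.
apply_override() {
  {
    echo '# Site-local additions for evince: read-only access to the font trees only.'
    gen_read_rules "$@"
  } > /etc/apparmor.d/local/usr.bin.evince
  apparmor_parser -r /etc/apparmor.d/usr.bin.evince
}

# Stand-alone demo on the constructed sample; no root needed.
main() {
  echo "Paths evince was denied:"
  printf '%s\n' "$SAMPLE_LOG" | denied_paths /usr/bin/evince
  echo
  echo "Rules for /etc/apparmor.d/local/usr.bin.evince:"
  gen_read_rules /media/WIN_SYS/Folder1 /media/WIN_SYS/Folder2
}

case "${1-}" in
  demo) main ;;
esac
```

Run it as `sh script.sh demo` to see the denied paths and the generated rules; the two `**` rules cover any file that later appears anywhere under Folder1 or Folder2, so renamed or moved fonts need no profile change, while sibling directories on the same mount stay denied. After `apply_override`, the absence of new `apparmor="DENIED"` records for `/usr/bin/evince` while opening the same PDF confirms the override was sufficient.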