Hi, I'm on Ubuntu 23.10 using Brave browser SNAP and I still face the
issue (cannot open links in evince -using Brave browser snap).
Here are the versions:
```console
❯ apt list --installed | rg 'evince|apparmor'
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
evince-common/mantic,mantic,now 45.0-1 all [installed,automatic]
evince/mantic,now 45.0-1 amd64 [installed]
libapparmor1/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
```
Brave Browser 120.1.61.101
`journalctl -f` log:
```console
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please
report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission
denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml"
pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
I see the following in `/etc/apparmor.d/usr.bin.evince` with all
includes commented, including `snap_browsers` line. Is that normal?
Thanks
```
│ File: /etc/apparmor.d/usr.bin.evince
│ Size: 11.5 KB
───────┼────────────────────────────────────────────────────────────────────────
1 │ # vim:syntax=apparmor
2 │
3 │ # evince is not written with application confinement in mind and is
designed to
4 │ # operate within a trusted desktop session where anything running
within the
5 │ # user's session is trusted. That said, evince will often process
untrusted
6 │ # input (PDFs, images, etc). Ideally evince would be written in such a
way that
7 │ # image processing is separate from the main process and that
processing
8 │ # happens in a restrictive sandbox, but unfortunately that is not
currently the
9 │ # case. Because evince will process untrusted input, this profile aims
to
10 │ # provide some hardening, but considering evince's design and other
factors such
11 │ # as X, gsettings, accessibility, translations, DBus session and system
12 │ # services, etc, complete confinement is not possible.
13 │
14 │ #include <tunables/global>
15 │
16 │ /usr/bin/evince {
17 │ #include <abstractions/audio>
18 │ #include <abstractions/bash>
19 │ #include <abstractions/cups-client>
20 │ #include <abstractions/dbus-accessibility>
21 │ #include <abstractions/evince>
22 │ #include <abstractions/ibus>
23 │ #include <abstractions/nameservice>
24 │
25 │ #include <abstractions/ubuntu-browsers>
26 │ #include <abstractions/ubuntu-console-browsers>
27 │ #include <abstractions/ubuntu-email>
28 │ #include <abstractions/ubuntu-console-email>
29 │ #include <abstractions/ubuntu-media-players>
30 │
31 │ # allow evince to spawn browsers distributed as snaps (LP: #1794064)
32 │ #include if exists <abstractions/snap_browsers>
33 │
34 │ # For now, let evince talk to any session services over dbus. We can
35 │ # blacklist any problematic ones (but note, evince uses libsecret :\)
36 │ #include <abstractions/dbus-session>
37 │
38 │ #include <abstractions/dbus-strict>
39 │ dbus (receive) bus=system,
```
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to open it if the default browser
is a snap
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions
--
desktop-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
