This bug appears again in the package evince 42.3-0ubuntu3 in Xubuntu
22.04.2
It looks the same as described by Kenneth Zadeck in the original report, except
the message says:
'Failed to execute child process "/usr/bin/xfce4-mime-helper"(Permission
denied).'
In the dmesg logs I see the following:
[ 804.143236] audit: type=1400 audit(1679303089.957:269):
apparmor="DENIED" operation="exec" profile="/usr/bin/evince"
name="/usr/bin/xfce4-mime-helper" pid=16286 comm="exo-open"
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
I edited /etc/apparmor.d/usr.bin.evince
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
/usr/bin/xfce4-mime-helper ixr, # <---- adding this line
A new message appeared in dmesg logs:
[ 838.828241] audit: type=1400 audit(1679303124.641:304):
apparmor="DENIED" operation="exec" profile="/usr/bin/evince"
name="/usr/bin/snap" pid=16706 comm="xfce4-mime-help" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
I have two browsers Brave and Firefox; and both installed from snap. So I
edited /etc/apparmor.d/usr.bin.evince again:
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
/usr/bin/xfce4-mime-helper ixr,
/usr/bin/snap ixr, # <---- adding this line
And it complained again:
[ 1268.978351] audit: type=1400 audit(1679303554.790:432):
apparmor="DENIED" operation="connect" profile="/usr/bin/evince"
name="/run/snapd.socket" pid=20462 comm="brave" requested_mask="wr"
denied_mask="wr" fsuid=1000 ouid=0
And I edited /etc/apparmor.d/usr.bin.evince again:
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
/usr/bin/xfce4-mime-helper ixr,
/usr/bin/snap ixr,
/run/snapd.socket wr, # <---- adding this line
And then I was overwhelmed by the following messages.
[ 1817.693397] audit: type=1400 audit(1679304103.502:3198): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/brave/216/meta/snap.yaml" pid=25949 comm="brave" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[ 1822.942739] audit: type=1400 audit(1679304108.750:3199): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=26810
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.947632] audit: type=1400 audit(1679304108.754:3200): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=26810
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949047] audit: type=1400 audit(1679304108.758:3201): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=26810
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949070] audit: type=1400 audit(1679304108.758:3202): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/snapd/18357/usr/lib/snapd/info" pid=26810 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950430] audit: type=1400 audit(1679304108.758:3203): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/proc/sys/kernel/seccomp/actions_avail" pid=26810 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950649] audit: type=1400 audit(1679304108.758:3204): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp"
pid=26816 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1822.950883] audit: type=1400 audit(1679304108.758:3205): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=26817
comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1822.951929] audit: type=1400 audit(1679304108.758:3206): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/brave/216/meta/snap.yaml" pid=26810 comm="brave" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[ 1868.523506] audit: type=1400 audit(1679304154.330:3207): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=27098
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.528801] audit: type=1400 audit(1679304154.338:3208): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=27098
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.530290] audit: type=1400 audit(1679304154.338:3209): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=27098
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.530325] audit: type=1400 audit(1679304154.338:3210): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/snapd/18357/usr/lib/snapd/info" pid=27098 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.531868] audit: type=1400 audit(1679304154.338:3211): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/proc/sys/kernel/seccomp/actions_avail" pid=27098 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.532031] audit: type=1400 audit(1679304154.338:3212): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp"
pid=27105 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1868.532331] audit: type=1400 audit(1679304154.342:3213): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=27106
comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1868.534045] audit: type=1400 audit(1679304154.342:3214): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/brave/216/meta/snap.yaml" pid=27098 comm="brave" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
At that point, it became clear that there's something serious, rather than a
couple of lines missed in configs.
** Also affects: snap (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1891338
Title:
apparmor misconfigured for evince
Status in apparmor package in Ubuntu:
Fix Released
Status in evince package in Ubuntu:
Fix Released
Status in snap package in Ubuntu:
New
Bug description:
On a fully up to date xubuntu 20-04 system, when i run evince and
click on a link, it fails to follow that link in my browser. This kind
of thing happens when you are reading a technical paper and want to
follow one of the references and click on the doi or url.
When i click on the link i get a box that i cannot copy from that says:
Failed to launch preferred application for category "WebBrowser".
Failed to execute child process "/usr/lib/x86_64-linux-
gnu/xfce4/exo-2/exo-helper-2"(Permission denied).
Did I say that it is annoying that i could not copy the text in this
box!!!!!!
The output of the ldd command you asked for is attached.
I should also point out that this worked fine under xubuntu 18.04.
I had originally posted this as an additional comment on
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all
but https://launchpad.net/~seb128 said that I should submit this as a
separate bug because this is likely an apparmor configuration problem
that is similar to the ancient bug
https://bugs.launchpad.net/bugs/987578.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
