Hi, I'm on Ubuntu 23.10 using the Brave browser snap and I still face the issue (cannot open links in evince using the Brave browser snap).
Here are the versions:

```console
❯ apt list --installed | rg 'evince|apparmor'
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
evince-common/mantic,mantic,now 45.0-1 all [installed,automatic]
evince/mantic,now 45.0-1 amd64 [installed]
libapparmor1/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
```

Brave Browser 120.1.61.101

`journalctl -f` log:

```console
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

I see the following in `/etc/apparmor.d/usr.bin.evince` with all includes commented, including `snap_browsers` line. Is that normal? Thanks

```
File: /etc/apparmor.d/usr.bin.evince
Size: 11.5 KB

# vim:syntax=apparmor

# evince is not written with application confinement in mind and is designed to
# operate within a trusted desktop session where anything running within the
# user's session is trusted. That said, evince will often process untrusted
# input (PDFs, images, etc). Ideally evince would be written in such a way that
# image processing is separate from the main process and that processing
# happens in a restrictive sandbox, but unfortunately that is not currently the
# case. Because evince will process untrusted input, this profile aims to
# provide some hardening, but considering evince's design and other factors such
# as X, gsettings, accessibility, translations, DBus session and system
# services, etc, complete confinement is not possible.

#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>

  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>

  # allow evince to spawn browsers distributed as snaps (LP: #1794064)
  #include if exists <abstractions/snap_browsers>

  # For now, let evince talk to any session services over dbus. We can
  # blacklist any problematic ones (but note, evince uses libsecret :\)
  #include <abstractions/dbus-session>

  #include <abstractions/dbus-strict>
  dbus (receive) bus=system,
```

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Released
Status in evince source package in Jammy:
  Fix Released
Status in apparmor source package in Lunar:
  Fix Released
Status in evince source package in Lunar:
  Fix Released
Status in apparmor package in Debian:
  Fix Released
Status in evince package in Debian:
  Confirmed

Bug description:
  [Impact]

   * Users cannot open a hyperlink in a PDF opened with evince when the default browser is a snap.

   * The fix creates a snap_browsers abstraction on AppArmor which can be used in a transition for when the browser is executed. The snap_browsers abstraction provides the minimal amount of permissions required to execute a browser provided through snaps. This is a workaround since AppArmor currently does not provide mediation/filtering on enhanced environment variables.

  [Test Plan]

   * Make sure the default browser is provided through the snap store.

   * Open a PDF that contains a hyperlink using evince and click on the URL.

   * The browser should open the requested URL.

  [Where problems could occur]

   * If the browser or snap core update to have new requirements for opening a browser, then the current policy could become obsolete and will need to be updated again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
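
The `apparmor="DENIED"` records in the journal excerpt above name the child profile `/usr/bin/evince//snap_browsers` and the paths it refused to open. As an added example (not part of the bug report or of AppArmor's own tooling), this Python script parses such records and groups the denied paths by profile; the function names are hypothetical, and the hex-decoding branch assumes the Linux audit convention of logging untrusted strings that contain spaces as unquoted hex.

```python
import re
from collections import defaultdict

# The three journal lines quoted in the comment above, copied verbatim.
JOURNAL = '''\
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-F]{2})+')
# Assumption: these fields are audit "untrusted strings"; when they contain
# spaces or control characters they are logged as unquoted upper-case hex.
UNTRUSTED = {"name", "profile", "comm"}


def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # e.g. the snap "internal error" line is not an audit record
        rec = {}
        for m in KV.finditer(line):
            key, quoted, bare = m.groups()
            if quoted is None and key in UNTRUSTED and HEX.fullmatch(bare):
                quoted = bytes.fromhex(bare).decode("utf-8", "replace")
            rec[key] = bare if quoted is None else quoted
        records.append(rec)
    return records


def by_profile(records):
    """Group denied (path, mask) pairs under (parent profile, child profile)."""
    grouped = defaultdict(set)
    for rec in records:
        # AppArmor separates a child profile from its parent with "//".
        parent, _, child = rec["profile"].partition("//")
        grouped[(parent, child)].add((rec["name"], rec["denied_mask"]))
    return {key: sorted(paths) for key, paths in grouped.items()}


if __name__ == "__main__":
    for (parent, child), denied in by_profile(parse_denials(JOURNAL)).items():
        print(f"profile {parent}  child {child or '-'}")
        for path, mask in denied:
            print(f"  denied {mask:<3} {path}")
```
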