[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
** Package changed: snap (Ubuntu) => snapd (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1891338 Title: apparmor misconfigured for evince Status in apparmor package in Ubuntu: Fix Released Status in evince package in Ubuntu: Fix Released Status in snapd package in Ubuntu: New Bug description: On a fully up to date xubuntu 20-04 system, when i run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url. When i click on the link i get a box that i cannot copy from that says: Failed to launch preferred application for category "WebBrowser". Failed to execute child process "/usr/lib/x86_64-linux- gnu/xfce4/exo-2/exo-helper-2"(Permission denied). Did I say that it is annoying that i could not copy the text in this box!! The output of the ldd command you asked for is attached. I should also point out that this worked fine under xubuntu 18.04. I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: snapd (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1891338 Title: apparmor misconfigured for evince Status in apparmor package in Ubuntu: Fix Released Status in evince package in Ubuntu: Fix Released Status in snapd package in Ubuntu: New Bug description: On a fully up to date xubuntu 20-04 system, when i run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url. When i click on the link i get a box that i cannot copy from that says: Failed to launch preferred application for category "WebBrowser". Failed to execute child process "/usr/lib/x86_64-linux- gnu/xfce4/exo-2/exo-helper-2"(Permission denied). Did I say that it is annoying that i could not copy the text in this box!! The output of the ldd command you asked for is attached. I should also point out that this worked fine under xubuntu 18.04. I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
This bug appears again in the package evince 42.3-0ubuntu3 in Xubuntu 22.04.2 It looks the same as described by Kenneth Zadeck in the original report, except the message says: 'Failed to execute child process "/usr/bin/xfce4-mime-helper"(Permission denied).' In the dmesg logs I see the following: [ 804.143236] audit: type=1400 audit(1679303089.957:269): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=16286 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 I edited /etc/apparmor.d/usr.bin.evince # For Xubuntu to launch the browser #include /usr/bin/xfce4-mime-helper ixr, # < adding this line A new message appeared in dmesg logs: [ 838.828241] audit: type=1400 audit(1679303124.641:304): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=16706 comm="xfce4-mime-help" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 I have two browsers Brave and Firefox; and both installed from snap. So I edited /etc/apparmor.d/usr.bin.evince again: # For Xubuntu to launch the browser #include /usr/bin/xfce4-mime-helper ixr, /usr/bin/snap ixr, # < adding this line And it complained again: [ 1268.978351] audit: type=1400 audit(1679303554.790:432): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/run/snapd.socket" pid=20462 comm="brave" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0 And I edited /etc/apparmor.d/usr.bin.evince again: # For Xubuntu to launch the browser #include /usr/bin/xfce4-mime-helper ixr, /usr/bin/snap ixr, /run/snapd.socket wr, # < adding this line And then I was overwhelmed by the following messages. [ 1817.693397] audit: type=1400 audit(1679304103.502:3198): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/brave/216/meta/snap.yaml" pid=25949 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1822.942739] audit: type=1400 audit(1679304108.750:3199): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1822.947632] audit: type=1400 audit(1679304108.754:3200): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1822.949047] audit: type=1400 audit(1679304108.758:3201): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1822.949070] audit: type=1400 audit(1679304108.758:3202): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/snapd/18357/usr/lib/snapd/info" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1822.950430] audit: type=1400 audit(1679304108.758:3203): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/sys/kernel/seccomp/actions_avail" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1822.950649] audit: type=1400 audit(1679304108.758:3204): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp" pid=26816 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 [ 1822.950883] audit: type=1400 audit(1679304108.758:3205): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=26817 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 [ 1822.951929] audit: type=1400 audit(1679304108.758:3206): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/brave/216/meta/snap.yaml" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1868.523506] audit: type=1400 audit(1679304154.330:3207): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1868.528801] audit: type=1400 audit(1679304154.338:3208): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1868.530290] audit: type=1400 audit(1679304154.338:3209): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1868.530325] audit: type=1400 audit(1679304154.338:3210): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/snapd/18357/usr/lib/snapd/info" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 [ 1868.531868] audit: type=1400 audit(1679304154.338:3211): apparmor="DENIED" operation="open" profile="/usr/bin/evince"
[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
This bug was fixed in the package evince - 41.3-1 --- evince (41.3-1) unstable; urgency=medium [ Jeremy Bicha ] * New upstream release [ Sebastien Bacher ] * debian/apparmor-profile: - use the exo abstraction rather than listing the binaries directly (lp: #1891338) -- Jeremy Bicha Sun, 21 Nov 2021 13:03:23 -0500 ** Changed in: evince (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1891338 Title: apparmor misconfigured for evince Status in apparmor package in Ubuntu: Fix Released Status in evince package in Ubuntu: Fix Released Bug description: On a fully up to date xubuntu 20-04 system, when i run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url. When i click on the link i get a box that i cannot copy from that says: Failed to launch preferred application for category "WebBrowser". Failed to execute child process "/usr/lib/x86_64-linux- gnu/xfce4/exo-2/exo-helper-2"(Permission denied). Did I say that it is annoying that i could not copy the text in this box!! The output of the ldd command you asked for is attached. I should also point out that this worked fine under xubuntu 18.04. I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
** Changed in: evince (Ubuntu) Importance: Undecided => Low ** Changed in: evince (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1891338 Title: apparmor misconfigured for evince Status in apparmor package in Ubuntu: Fix Released Status in evince package in Ubuntu: Fix Committed Bug description: On a fully up to date xubuntu 20-04 system, when i run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url. When i click on the link i get a box that i cannot copy from that says: Failed to launch preferred application for category "WebBrowser". Failed to execute child process "/usr/lib/x86_64-linux- gnu/xfce4/exo-2/exo-helper-2"(Permission denied). Did I say that it is annoying that i could not copy the text in this box!! The output of the ldd command you asked for is attached. I should also point out that this worked fine under xubuntu 18.04. I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6 --- apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not 3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the wrong directory in is_container_with_internal_policy(), which causes policy to always fail to load in containers. Thanks to Christian Ehrhardt for the analysis. (LP: #1895967) apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium [ John Johansen ] * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch: fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the parser to emit rules needed for change_hat in the hat profiles but broke the rule being emitted for the parent profile, this fixes it for both so that it is emitted for any profile that is a hat or that contains a hat. * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile abstraction so that it allows access to the apparmor attribute paths under LSM stacking. apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium [ John Johansen ] * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix parser not adding a rule to profiles if they are a hat or contain hats granting write access to the kernel interfaces. apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium [ John Johansen ] * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841) * Drop all patches backported from upstream: applied in 3.0 * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide example and base abi to pin pre 3.0 policy * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning of pre AppArmor 3.x policy * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer needed with upstream 'include if exists' [ Steve Beattie ] * d/p/parser-fix_cap_match.patch: fix cap match to work correctly, important now that groovy has a 5.8 kernel. * d/apparmor-profiles.install: + adjust for renamed postfix profiles + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in apparmor-profiles) * d/apparmor.install: include abi/ directory and tunables/etc. * d/apparmor.manpages: add apparmor_xattrs.7 manpage * d/control: + apparmor-utils: no more shipped perl tools, drop perl dependency + apparmor-notify: aa-notify was converted to python3 from perl; adjust -notify dependencies to compensate * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch: fix sed expression in settest() [ Emilia Torino ] * Removing Ubuntu specific chromium-browser profile. This is safe to do since groovy's chromium-browser deb installs the snap. If apparmor3 is backported to 18.04 or earlier, the profile will need to be taken into consideration - d/profiles/chromium-browser: remove chromium-browser profile - d/apparmor-profiles.postinst: remove postinst script as it only contains chromium-browser related functionallity. - d/apparmor-profiles.postrm: remove postrm script as it only contains chromium-browser related functionallity. - d/apparmor-profiles.install: remove ubuntu-specific chromium-browser abstraction and profile - d/apparmor-profiles.lintian-overrides: remove chromium-browser profile lintian overrides - d/p/ubuntu/add-chromium-browser.patch: remove patch which added chrome-browser [ Alex Murray ] * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: refresh this patch with the official upstream version * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this patch to match the above * d/p/parser-add-abi-warning-flags.patch: enable parser warnings to be silenced or to be treated as errors [ Jamie Strandboge ] * d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus 1.5.22. This can be dropped with AppArmor 3.0 final. * d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian warnings * d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use abstractions/exo-open (LP: #1891338) * d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu abstractions. Patch thanks to François Marier (LP: #1889699) * d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run (LP: #1881357) -- Jamie Strandboge Tue, 22 Sep 2020 15:10:33 + ** Changed in: apparmor (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1891338 Title: apparmor misconfigured for evince Status in apparmor package in Ubuntu: Fix Released Status in evince package in Ubuntu: Triaged
[Touch-packages] [Bug 1891338] Re: apparmor misconfigured for evince
** Summary changed: - apparmor misconfigured for envice + apparmor misconfigured for evince -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1891338 Title: apparmor misconfigured for evince Status in apparmor package in Ubuntu: In Progress Status in evince package in Ubuntu: Triaged Bug description: On a fully up to date xubuntu 20-04 system, when i run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the doi or url. When i click on the link i get a box that i cannot copy from that says: Failed to launch preferred application for category "WebBrowser". Failed to execute child process "/usr/lib/x86_64-linux-gnu/xfce4/exo-2 /exo-helper-2"(Permission denied). Did I say that it is annoying that i could not copy the text in this box!! The output of the ldd command you asked for is attached. I should also point out that this worked fine under xubuntu 18.04. I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
