apparmor misconfigured for evince

Bug #1891338 reported by Kenneth Zadeck
This bug affects 4 people
Affects            Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)  Fix Released  Undecided   Unassigned
evince (Ubuntu)    Fix Released  Low         Unassigned
snapd (Ubuntu)     New           Undecided   Unassigned

Bug Description

On a fully up to date Xubuntu 20.04 system, when I run evince and click on a link, it fails to follow that link in my browser. This kind of thing happens when you are reading a technical paper and want to follow one of the references and click on the DOI or URL.

When I click on the link I get a box that I cannot copy from that says:
Failed to launch preferred application for category "WebBrowser".

Failed to execute child process "/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2"(Permission denied).

Did I say that it is annoying that I could not copy the text in this box!!!!!!

The output of the ldd command you asked for is attached.

I should also point out that this worked fine under xubuntu 18.04.

I had originally posted this as an additional comment on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1869159?comments=all but https://launchpad.net/~seb128 said that I should submit this as a separate bug because this is likely an apparmor configuration problem that is similar to the ancient bug https://bugs.launchpad.net/bugs/987578.

Tags: apparmor
Seth Arnold (seth-arnold) wrote :

Hello Kenneth, can you please include the DENIED lines from dmesg output, /var/log/syslog, or /var/log/audit/audit.log ?

Thanks

Kenneth Zadeck (zadeck) wrote :

from syslog:

Aug 13 15:57:23 numenor dbus-daemon[1322]: [session uid=1000 pid=1322] Activating service name='org.gnome.evince.Daemon' requested by ':1.130' (uid=1000 pid=7816 comm="evince main.pdf " label="/usr/bin/evince (enforce)")
Aug 13 15:57:23 numenor dbus-daemon[1322]: [session uid=1000 pid=1322] Successfully activated service 'org.gnome.evince.Daemon'
Aug 13 15:57:42 numenor kernel: [20935.681193] audit: type=1400 audit(1597348662.582:58): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" pid=7841 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I do not have a /var/log/audit/audit.log.

Sebastien Bacher (seb128) wrote :

/etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration: /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,

/etc/apparmor.d/usr.bin.evince: /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,

Looks like those need to be adapted to include the new exo revision?

affects: evince (Ubuntu) → apparmor (Ubuntu)
Sebastien Bacher (seb128) wrote :

Reassigning to apparmor since the ubuntu-browsers.d is coming from there ... why is evince having a duplicate entry rather than including the browser rules?

Jamie Strandboge (jdstrand) wrote :

You are right that there are two places this is defined: in /etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration and in /etc/apparmor.d/usr.bin.evince.

I'll adjust apparmor to fix ubuntu-integration to use the exo-open abstraction.

There is an evince task though because we don't want it to use the ubuntu-integration abstraction. Instead the exo-open stanza in usr.bin.evince should just include the exo-open abstraction. I.e., replace this:

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

with this:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>

Changed in apparmor (Ubuntu):
status: New → In Progress
Changed in evince (Ubuntu):
status: New → Triaged
Rolf Leggewie (r0lf)
summary: - apparmor misconfigured for envice
+ apparmor misconfigured for evince
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6

---------------
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium

  * Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
    3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
    wrong directory in is_container_with_internal_policy(), which causes
    policy to always fail to load in containers. Thanks to Christian Ehrhardt
    for the analysis. (LP: #1895967)

apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
    fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the
    parser to emit rules needed for change_hat in the hat profiles but
    broke the rule being emitted for the parent profile, this fixes it for
    both so that it is emitted for any profile that is a hat or that
    contains a hat.
  * d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
    abstraction so that it allows access to the apparmor attribute paths
    under LSM stacking.

apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium

  [ John Johansen ]
  * d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix
    parser not adding a rule to profiles if they are a hat or contain hats
    granting write access to the kernel interfaces.

apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium

  [ John Johansen ]
  * New upstream release (LP: #1895060, LP: #1887577, LP: #1880841)
  * Drop all patches backported from upstream: applied in 3.0
  * d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide
    example and base abi to pin pre 3.0 policy
  * d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning
    of pre AppArmor 3.x policy
  * drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer
    needed with upstream 'include if exists'

  [ Steve Beattie ]
  * d/p/parser-fix_cap_match.patch: fix cap match to work correctly, important
    now that groovy has a 5.8 kernel.
  * d/apparmor-profiles.install:
    + adjust for renamed postfix profiles
    + add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles
    + remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in
      apparmor-profiles)
  * d/apparmor.install: include abi/ directory and tunables/etc.
  * d/apparmor.manpages: add apparmor_xattrs.7 manpage
  * d/control:
    + apparmor-utils: no more shipped perl tools, drop perl dependency
    + apparmor-notify: aa-notify was converted to python3 from perl; adjust
      -notify dependencies to compensate
  * d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch:
    fix sed expression in settest()

  [ Emilia Torino ]
  * Removing Ubuntu specific chromium-browser profile. This is safe to do
    since groovy's chromium-browser deb installs the snap. If apparmor3
    is backported to 18.04 or earlier, the profile will need to be taken
    into consideration
    - d/profiles/chromium-browser: remove chromium-browser profile
    - d/apparmor-profiles.postinst: remove postinst script as it only
      contains chromium-browser related functionality.
    ...


Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Changed in evince (Ubuntu):
importance: Undecided → Low
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 41.3-1

---------------
evince (41.3-1) unstable; urgency=medium

  [ Jeremy Bicha ]
  * New upstream release

  [ Sebastien Bacher ]
  * debian/apparmor-profile:
    - use the exo abstraction rather than listing the binaries directly
      (lp: #1891338)

 -- Jeremy Bicha <email address hidden> Sun, 21 Nov 2021 13:03:23 -0500

Changed in evince (Ubuntu):
status: Fix Committed → Fix Released
Dmitriy Vakhrushev (kr41) wrote :

This bug appears again in the package evince 42.3-0ubuntu3 in Xubuntu 22.04.2

It looks the same as described by Kenneth Zadeck in the original report, except the message says:
'Failed to execute child process "/usr/bin/xfce4-mime-helper"(Permission denied).'

In the dmesg logs I see the following:

[ 804.143236] audit: type=1400 audit(1679303089.957:269): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=16286 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I edited /etc/apparmor.d/usr.bin.evince:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>
  /usr/bin/xfce4-mime-helper ixr, # <---- adding this line

A new message appeared in dmesg logs:

[ 838.828241] audit: type=1400 audit(1679303124.641:304): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=16706 comm="xfce4-mime-help" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I have two browsers Brave and Firefox; and both installed from snap. So I edited /etc/apparmor.d/usr.bin.evince again:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>
  /usr/bin/xfce4-mime-helper ixr,
  /usr/bin/snap ixr, # <---- adding this line

And it complained again:

[ 1268.978351] audit: type=1400 audit(1679303554.790:432): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/run/snapd.socket" pid=20462 comm="brave" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

And I edited /etc/apparmor.d/usr.bin.evince again:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>
  /usr/bin/xfce4-mime-helper ixr,
  /usr/bin/snap ixr,
  /run/snapd.socket wr, # <---- adding this line

And then I was overwhelmed by the following messages.

[ 1817.693397] audit: type=1400 audit(1679304103.502:3198): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/brave/216/meta/snap.yaml" pid=25949 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.942739] audit: type=1400 audit(1679304108.750:3199): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.947632] audit: type=1400 audit(1679304108.754:3200): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949047] audit: type=1400 audit(1679304108.758:3201): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949070] audit: type=1400 audit(1679304108.758:3202): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/snapd/18357/usr/lib/snapd/info" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950430] audit: type=1400 audit(1679304108.758:3203): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/sys/kernel/seccomp/actions_avail" pid=268...

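Added example, not code from this bug report or from the AppArmor or evince projects: a Python triage helper for the DENIED lines quoted in this thread. It matches each denial against profile rules using AppArmor path globbing with @{multiarch} expansion, showing why the stale exo-1 rule that Jamie's comment replaces with the abstraction cannot cover exo-helper-2, and groups what remains uncovered by comm, where a pile of brave denials under profile="/usr/bin/evince" is the signature of the browser having inherited evince's profile through an ix transition. The rule set is an assumption; the @{multiarch} value is the one from AppArmor's tunables/multiarch.

```python
import re

# Constructed sample: two of the DENIED lines quoted in this bug report
# (syslog/dmesg timestamps dropped, otherwise as posted).
AUDIT_LINES = [
    'audit: type=1400 audit(1597348662.582:58): apparmor="DENIED" operation="exec" '
    'profile="/usr/bin/evince" name="/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2" '
    'pid=7841 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1679303554.790:432): apparmor="DENIED" operation="connect" '
    'profile="/usr/bin/evince" name="/run/snapd.socket" pid=20462 comm="brave" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0',
]

# Assumed rule set: only the stale exo-1 rule quoted from usr.bin.evince on
# this page; the real abstractions/exo-open contents are not reproduced.
OLD_RULES = [("/usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1", "ixr")]
VARIABLES = {"multiarch": "*-linux-gnu*"}  # value from tunables/multiarch

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denied(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in KV.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(path_glob, variables=VARIABLES):
    """Expand @{var} and translate AppArmor globs (**, *, ?) to an anchored regex."""
    for name, value in variables.items():
        path_glob = path_glob.replace("@{%s}" % name, value)
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    pattern = "".join(tokens.get(t, re.escape(t)) for t in re.split(r"(\*\*|\*|\?)", path_glob))
    return re.compile("^" + pattern + "$")

def is_covered(denial, rules):
    """True if some rule matches the denied path and grants every denied permission."""
    return any(glob_to_regex(glob).match(denial["name"]) and set(denial["denied_mask"]) <= set(perms)
               for glob, perms in rules)

def triage(lines, rules):
    """Group uncovered denials by comm; each entry is the file rule that would silence it.
    Many entries under a comm that is not evince itself (here: brave) mean the child was
    started with an inherit (ix) transition and is running under evince's profile."""
    report = {}
    for line in lines:
        denial = parse_denied(line)
        if denial and not is_covered(denial, rules):
            report.setdefault(denial["comm"], []).append(
                "%s %s," % (denial["name"], denial["denied_mask"]))
    return report
```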

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Paul White (paulw2u)
affects: snap (Ubuntu) → snapd (Ubuntu)