Evince cannot open HTTP link in Google Chrome or chromium-browser
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Low | Jamie Strandboge |
Precise | Won't Fix | Low | Unassigned |
Quantal | Fix Released | Low | Jamie Strandboge |
Bug Description
SRU Justification:
Impact: when chromium-browser or Google Chrome is set as the default browser, the user is unable to open links via PDF files.
Development fix: the fix will be applied to Quantal via pocket copy of this SRU.
Stable fix: this was fixed in r2039 by adding the following to /etc/apparmor.
# While the chromium and chrome sandboxes are setuid root, they only link
# in limited libraries so glibc's secure execution should be enough to not
# require the santized_helper (ie, LD_PRELOAD will only use standard system
# paths (man ld.so)).
/usr/
/opt/
/opt/
/opt/
/opt/
TEST CASE:
1. Install chromium-browser and/or Google Chrome
2. Launch chromium-browser (or Chrome) and set it as the default web browser
3. Open a PDF with a link in it (attached) in evince and click on the link.
At this point, chromium-browser (or Chrome) should open to the link specified. Without the patch, it does not open and there are AppArmor denials in /var/log/kern.log.
Regression potential: the regression potential is considered low. Launching chromium-browser and Chrome via evince is currently broken, so there is no regression potential there; however, ubuntu-helpers is included by the (disabled by default) firefox profile, so a mistake in the added policy could prevent the firefox policy from loading.
tags: added: apparmor
Changed in apparmor (Ubuntu):
status: New → Triaged
tags: added: patch
Changed in apparmor (Ubuntu Quantal):
status: Triaged → In Progress
assignee: Steve Beattie (sbeattie) → Jamie Strandboge (jdstrand)
Thank you for using Ubuntu and filing a bug. This is actually a bug in the ubuntu-helpers abstraction. It currently allows:
# Allow exec of anything, but under this profile. Allow transition
# to other profiles if they exist.
/bin/* Pixr,
/sbin/* Pixr,
/usr/bin/* Pixr,
/usr/sbin/* Pixr,
As you can see, /opt is not listed in there. The ubuntu-helpers abstraction needs to be adjusted accordingly.
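To triage the denials from the test case against the exec rules quoted in the comment above, this added example (not part of the bug report or of AppArmor itself) parses kern.log lines and reports exec denials whose path none of the four listed globs covers. The log lines, the /opt/example-browser/browser path and all function names are constructed assumptions, and the glob translation handles only `*`, `**` and `?`.

```python
import re

# Exec rules quoted in the comment above (ubuntu-helpers abstraction).
HELPER_EXEC_GLOBS = ["/bin/*", "/sbin/*", "/usr/bin/*", "/usr/sbin/*"]

# Constructed kern.log lines; /opt/example-browser/browser is a placeholder path.
SAMPLE_LOG = (
    'Oct  1 12:00:00 host kernel: [  100.000001] type=1400 audit(1349092800.123:45): apparmor="DENIED" '
    'operation="exec" profile="/usr/bin/evince" name="/opt/example-browser/browser" '
    'pid=1300 comm="evince" requested_mask="x" denied_mask="x"\n'
    'Oct  1 12:00:05 host kernel: [  105.000001] type=1400 audit(1349092805.456:46): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/evince" name="/home/user/notes.txt" '
    'pid=1300 comm="evince" requested_mask="r" denied_mask="r"\n'
)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    # Collect key=value and key="value" pairs from one audit line.
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def glob_to_regex(glob):
    # AppArmor path globs: '*' and '?' stop at '/', '**' crosses directories.
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            piece, step = ".*", 2
        elif glob[i] == "*":
            piece, step = "[^/]*", 1
        elif glob[i] == "?":
            piece, step = "[^/]", 1
        else:
            piece, step = re.escape(glob[i]), 1
        out.append(piece)
        i += step
    return re.compile("".join(out) + r"\Z")

def covered(path, globs=HELPER_EXEC_GLOBS):
    return any(glob_to_regex(g).match(path) for g in globs)

def uncovered_exec_denials(log_text, globs=HELPER_EXEC_GLOBS):
    # (profile, path) for each exec denial whose path no listed glob matches.
    denials = [f for f in map(parse_fields, log_text.splitlines())
               if f.get("apparmor") == "DENIED" and f.get("operation") == "exec"]
    return [(f.get("profile"), f.get("name")) for f in denials
            if not covered(f.get("name", ""), globs)]

if __name__ == "__main__":
    print(uncovered_exec_denials(SAMPLE_LOG))
```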