Bug#923345: evince cannot start default browser due to AppArmor

Ralf Jung

Feb 26, 2019, 2:10:03 PM
Package: evince
Version: 3.30.2-3
Severity: normal

Dear Maintainer,

To reproduce:
* Install a browser, e.g. Firefox Beta, from upstream (instead of the Debian repo).
* When the browser asks you, tell it that yes you want it to become the default browser.
* Start evince and click a link in a PDF file.

Expected behavior:
The link should be opened in the default browser.

Actual behavior:
Nothing happens when I click the link.

Further information:
It has puzzled me for quite some time why my default browser works in all
applications, but not in evince. Through some help from upstream (unfortunately
I had to bother them with this Debian-specific issue), I realized that I have
AppArmor enabled on my system and that it has a profile for evince. My default
browser is Firefox Beta, which is not shipped by Debian and hence installed in
my home directory -- and that gets blocked by AppArmor. The blocking happens
without any notice on the command line. I just noticed it *does* get logged in
`dmesg`, but (not even knowing that AppArmor got enabled on my system), I did
not think to look there.

I think the default configuration should enable people to choose their default
browser, and should at least tell them why their setup does not work.
Currently, the failure mode for "someone downloads Firefox from the web and
installs it and tells it to become the default browser" is a silently
half-broken default browser setup, which is not how things should work.


Kind regards,
Ralf

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (100, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.30.1-2
ii evince-common 3.30.2-3
ii gsettings-desktop-schemas 3.28.1-1
ii libatk1.0-0 2.30.0-2
ii libc6 2.28-7
ii libcairo-gobject2 1.16.0-2
ii libcairo2 1.16.0-2
ii libevdocument3-4 3.30.2-3
ii libevview3-3 3.30.2-3
ii libgdk-pixbuf2.0-0 2.38.0+dfsg-7
ii libglib2.0-0 2.58.3-1
ii libgnome-desktop-3-17 3.30.2.1-1
ii libgtk-3-0 3.24.5-1
ii libnautilus-extension1a 3.30.5-1
ii libpango-1.0-0 1.42.4-6
ii libpangocairo-1.0-0 1.42.4-6
ii libsecret-1-0 0.18.7-1
ii shared-mime-info 1.10-1

Versions of packages evince recommends:
ii dbus-user-session [default-dbus-session-bus] 1.12.12-1
ii dbus-x11 [dbus-session-bus] 1.12.12-1

Versions of packages evince suggests:
ii gvfs 1.38.1-3
pn nautilus-sendto <none>
ii poppler-data 0.4.9-2
ii unrar 1:5.6.6-1

-- no debconf information

Michael Deegan

Oct 22, 2021, 9:30:03 AM
Package: evince
Version: 3.38.2-1
Followup-For: Bug #923345

This bug still exists in bullseye, despite the partial fix in #954013.

Oct 22 15:15:03 joyola kernel: [193012.379454] audit: type=1400 audit(1634886903.112:32): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=1348354 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

(Why yes, I *am* running XFCE here!)

-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'oldstable-proposed-updates-debug'), (500, 'oldstable-debug'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable'), (470, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-9-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.38.0-2
ii evince-common 3.38.2-1
ii gsettings-desktop-schemas 3.38.0-2
ii libatk1.0-0 2.36.0-2
ii libc6 2.31-13+deb11u2
ii libcairo-gobject2 1.16.0-5
ii libcairo2 1.16.0-5
ii libevdocument3-4 3.38.2-1
ii libevview3-3 3.38.2-1
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libglib2.0-0 2.66.8-1
ii libgnome-desktop-3-19 3.38.5-3
ii libgtk-3-0 3.24.24-4
ii libnautilus-extension1a 3.38.2-1+deb11u1
ii libpango-1.0-0 1.46.2-3
ii libpangocairo-1.0-0 1.46.2-3
ii libsecret-1-0 0.20.4-2
ii shared-mime-info 2.0-1

Versions of packages evince recommends:
ii dbus-x11 [dbus-session-bus] 1.12.20-2

Versions of packages evince suggests:
ii gvfs 1.46.2-1
pn nautilus-sendto <none>
ii poppler-data 0.4.10-1
ii unrar 1:6.0.3-1

-- no debconf information

-MD

--
-----------------------------------------------------------------------------
Michael Deegan Hugaholic https://www.deegan.id.au/
------------------------ Jung, zr jbeel? ----------------------------------

Amr Ibrahim

Mar 10, 2022, 7:40:03 AM
Hello,

I'm also affected by this bug. I'm using Firefox from upstream as my
default browser, and Evince refuses to open web URLs in that browser.

In terminal:

> $ evince
> sh: 1: exec: /home/amr/.opt/firefox/firefox: Permission denied

Please fix it in bullseye-updates.

Best,
Amr

Philippe SWARTVAGHER

May 15, 2022, 3:10:03 PM
Hello,

I encounter this bug too (XFCE and Firefox-ESR on Sid), for instance
with the PDF produced from these LaTeX sources:

```

\documentclass[12pt,a4paper]{article}
\usepackage{hyperref}

\begin{document}

The \href{https://debian.org}{Debian project}

\end{document}

```

Once built and opened in Evince, if I click on the link, I get an error
and in the logs:

```

May 15 20:17:14 PHILIPPE-PC-DEBIAN kernel: [26008.845553] audit:
type=1400 audit(1652638634.237:25): apparmor="DENIED" operation="exec"
profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=37094
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

```

For the record, if I disable the AppArmor profile, the logs are:

```

May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589686] audit:
type=1400 audit(1652638941.976:34): apparmor="ALLOWED" operation="exec"
profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=38034
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589975] audit:
type=1400 audit(1652638941.976:35): apparmor="ALLOWED"
operation="file_inherit"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/dev/null" pid=38034 comm="xfce4-mime-help" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589983] audit:
type=1400 audit(1652638941.976:36): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/bin/xfce4-mime-helper" pid=38034 comm="xfce4-mime-help"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589994] audit:
type=1400 audit(1652638941.976:37): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/ld-2.33.so" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590059] audit:
type=1400 audit(1652638941.976:38): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/etc/ld.so.cache" pid=38034 comm="xfce4-mime-help"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590070] audit:
type=1400 audit(1652638941.976:39): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libexo-2.so.0.1.0" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590080] audit:
type=1400 audit(1652638941.976:40): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libexo-2.so.0.1.0" pid=38034
comm="xfce4-mime-help" requested_mask="rm" denied_mask="rm" fsuid=1000
ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590099] audit:
type=1400 audit(1652638941.976:41): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590106] audit:
type=1400 audit(1652638941.976:42): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29" pid=38034
comm="xfce4-mime-help" requested_mask="rm" denied_mask="rm" fsuid=1000
ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590137] audit:
type=1400 audit(1652638941.976:43): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libgdk-3.so.0.2404.29" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

```

I managed to fix the error by adding

```

/usr/bin/xfce4-mime-helper Cx -> sanitized_helper,

```

in /etc/apparmor.d/usr.bin.evince (so here:
https://salsa.debian.org/gnome-team/evince/-/blob/debian/master/debian/apparmor-profile#L73),
but I have no idea if this is the correct way to fix it.


Philippe.
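
Added example (not part of the original thread, nor code from Debian or AppArmor): a small Python parser for the AppArmor audit records quoted above. It tolerates the line wrapping seen in these e-mails and lists the exec requests a profile refused, which is the event that otherwise fails silently in this bug. The sample input is constructed from the records in this message with the hostname replaced, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample modelled on the audit records quoted in this thread
# (hostname replaced), keeping the hard wrapping added by e-mail clients.
SAMPLE = """\
May 15 20:17:14 host kernel: [26008.845553] audit:
type=1400 audit(1652638634.237:25): apparmor="DENIED" operation="exec"
profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=37094
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
May 15 20:22:21 host kernel: [26316.589686] audit:
type=1400 audit(1652638941.976:34): apparmor="ALLOWED" operation="exec"
profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=38034
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
May 15 20:22:21 host kernel: [26316.590059] audit:
type=1400 audit(1652638941.976:38): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/etc/ld.so.cache" pid=38034 comm="xfce4-mime-help"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Return one dict of key=value fields per AppArmor audit record (type=1400)."""
    records = []
    # Splitting on the record marker, not on newlines, tolerates wrapped lines.
    for chunk in re.split(r'audit:\s+type=1400\s+', text)[1:]:
        fields = {k: v.strip('"') for k, v in FIELD.findall(chunk)}
        if "apparmor" in fields:
            records.append(fields)
    return records

def blocked_execs(records):
    """(profile, path) pairs for exec requests that were refused."""
    return sorted({(r.get("profile"), r.get("name")) for r in records
                   if r["apparmor"] == "DENIED" and r.get("operation") == "exec"})

def verdict_counts(records):
    """Count records per (verdict, profile) to see which profile logs the most."""
    return Counter((r["apparmor"], r.get("profile")) for r in records)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for profile, path in blocked_execs(recs):
        print(f"{profile} was denied exec of {path}")
    for (verdict, profile), n in verdict_counts(recs).items():
        print(f"{n:3d} {verdict:8s} {profile}")
```
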

intrigeri

May 22, 2022, 2:00:04 AM
Hi,

This bug report seems to be about 2 distinct problems:

1. Evince cannot start external applications on XFCE because the
exo-open abstraction lacks permission to execute
/usr/bin/xfce4-mime-helper.

A cursory look at the sources suggests that recent exo-open
needs to execute xfce4-mime-helper in some cases:
https://sources.debian.org/src/exo/4.16.3-1/exo-open/main.c/?hl=265#L265

https://sources.debian.org/src/exo/4.16.3-1/exo/exo-execute.c/?hl=263#L86

https://sources.debian.org/src/exo/4.16.3-1/exo/exo-execute.c/?hl=263#L263

This suggests it's a bug in the exo-open abstraction.

Is this problem fixed by adding the following line to
/etc/apparmor.d/abstractions/exo-open

/{,usr/}bin/xfce4-mime-helper rix,

?

If that's enough, I'm happy to submit the fix upstream.

2. The list of web browsers that applications can start is hard-coded
and does not support, out of the box, browsers installed in
arbitrary locations.

This is an AppArmor design problem that affects all desktop apps
that need to start a browser. I'm not aware of any plan to fix this
on the short term. Ideally apps would use Portals instead of
implicitly relying on being allowed to execute arbitrary programs.

Meanwhile, the best I can suggest is that users add their preferred
browser to /etc/apparmor.d/abstractions/ubuntu-browsers.

Cheers!

Philippe SWARTVAGHER

Aug 25, 2022, 2:00:04 PM
Hello,

The problem seems to be now fixed, at least in Sid with Firefox ESR. I
didn't find which change fixed the problem.

Philippe.

Damien Pous

Dec 2, 2022, 6:00:03 AM
Hi,


On Sun, 22 May 2022 07:53:43 +0200 intrigeri wrote:
> This suggests it's a bug in the exo-open abstraction.
> Is this problem fixed by adding the following line to
> /etc/apparmor.d/abstractions/exo-open
> /{,usr/}bin/xfce4-mime-helper rix,
> ?
>
> If that's enough, I'm happy to submit the fix upstream.

I had this problem for quite some time, and this did fix it for me after a [sudo service apparmor reload]. Thanks!

I'm wondering however if this fix could be dangerous?

I'm fine with following URLs in the pdf files I read with evince, but I'm happy to know that apparmor is preventing other dangerous things; isn't this fix defeating some security mechanism? (other apps, other mime-types...)

Best,
Damien

intrigeri

Dec 10, 2022, 12:10:04 PM
Control: forwarded -1 https://gitlab.com/apparmor/apparmor/-/issues/291

Hi,

Damien Pous (2022-12-02):
> On Sun, 22 May 2022 07:53:43 +0200 intrigeri wrote:
>> This suggests it's a bug in the exo-open abstraction.
>> Is this problem fixed by adding the following line to
>> /etc/apparmor.d/abstractions/exo-open
>> /{,usr/}bin/xfce4-mime-helper rix,
>> ?
>>
>> If that's enough, I'm happy to submit the fix upstream.
>
> I had this problem for quite some time, and this did fix it for me after a
> [sudo service apparmor reload]. Thanks!

Thanks for confirming!

> I'm wondering however if this fix could be dangerous?
>
> I'm fine with following URLs in the pdf files I read with evince, but I'm
> happy to know that apparmor is preventing other dangerous things; isn't
> this fix defeating some security mechanism? (other apps, other
> mime-types...)

I have no idea, so I reported this upstream as an issue rather than
opening a merge request:

https://gitlab.com/apparmor/apparmor/-/issues/291

Cheers,
--
intrigeri