This bug appears again in the package evince 42.3-0ubuntu3 in Xubuntu
22.04.2
It looks the same as described by Kenneth Zadeck in the original report, except
the message says:
'Failed to execute child process "/usr/bin/xfce4-mime-helper"(Permission
denied).'
In the dmesg logs I see the following:
[ 804.143236] audit: type=1400 audit(1679303089.957:269):
apparmor="DENIED" operation="exec" profile="/usr/bin/evince"
name="/usr/bin/xfce4-mime-helper" pid=16286 comm="exo-open"
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
I edited /etc/apparmor.d/usr.bin.evince
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
/usr/bin/xfce4-mime-helper ixr, # <---- adding this line
A new message appeared in dmesg logs:
[ 838.828241] audit: type=1400 audit(1679303124.641:304):
apparmor="DENIED" operation="exec" profile="/usr/bin/evince"
name="/usr/bin/snap" pid=16706 comm="xfce4-mime-help" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
I have two browsers Brave and Firefox; and both installed from snap. So I
edited /etc/apparmor.d/usr.bin.evince again:
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
/usr/bin/xfce4-mime-helper ixr,
/usr/bin/snap ixr, # <---- adding this line
And it complained again:
[ 1268.978351] audit: type=1400 audit(1679303554.790:432):
apparmor="DENIED" operation="connect" profile="/usr/bin/evince"
name="/run/snapd.socket" pid=20462 comm="brave" requested_mask="wr"
denied_mask="wr" fsuid=1000 ouid=0
And I edited /etc/apparmor.d/usr.bin.evince again:
# For Xubuntu to launch the browser
#include <abstractions/exo-open>
/usr/bin/xfce4-mime-helper ixr,
/usr/bin/snap ixr,
/run/snapd.socket wr, # <---- adding this line
And then I was overwhelmed by the following messages.
[ 1817.693397] audit: type=1400 audit(1679304103.502:3198): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/brave/216/meta/snap.yaml" pid=25949 comm="brave" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[ 1822.942739] audit: type=1400 audit(1679304108.750:3199): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=26810
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.947632] audit: type=1400 audit(1679304108.754:3200): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=26810
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949047] audit: type=1400 audit(1679304108.758:3201): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=26810
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949070] audit: type=1400 audit(1679304108.758:3202): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/snapd/18357/usr/lib/snapd/info" pid=26810 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950430] audit: type=1400 audit(1679304108.758:3203): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/proc/sys/kernel/seccomp/actions_avail" pid=26810 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950649] audit: type=1400 audit(1679304108.758:3204): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp"
pid=26816 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1822.950883] audit: type=1400 audit(1679304108.758:3205): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=26817
comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1822.951929] audit: type=1400 audit(1679304108.758:3206): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/brave/216/meta/snap.yaml" pid=26810 comm="brave" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
[ 1868.523506] audit: type=1400 audit(1679304154.330:3207): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=27098
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.528801] audit: type=1400 audit(1679304154.338:3208): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=27098
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.530290] audit: type=1400 audit(1679304154.338:3209): apparmor="DENIED"
operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=27098
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.530325] audit: type=1400 audit(1679304154.338:3210): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/snapd/18357/usr/lib/snapd/info" pid=27098 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.531868] audit: type=1400 audit(1679304154.338:3211): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/proc/sys/kernel/seccomp/actions_avail" pid=27098 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.532031] audit: type=1400 audit(1679304154.338:3212): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp"
pid=27105 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1868.532331] audit: type=1400 audit(1679304154.342:3213): apparmor="DENIED"
operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=27106
comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1868.534045] audit: type=1400 audit(1679304154.342:3214): apparmor="DENIED"
operation="open" profile="/usr/bin/evince"
name="/snap/brave/216/meta/snap.yaml" pid=27098 comm="brave" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
At that point, it became clear that there's something serious, rather than a
couple of lines missed in configs.
** Also affects: snap (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1891338
Title:
apparmor misconfigured for evince
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1891338/+subscriptions
--
desktop-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
