Steve, the snap_browsers abstractions needed an update because the
abstraction had not been updated in an year and the snap browsers now
required read and lock permissions to the file
/var/lib/snapd/inhibit/{browser-name}.lock, but this was also submitted,
approved and merged upstream:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Regarding the patch for evince, I kept the "Recommends" because, yes, the
include if exists checks if the abstraction is present and it only includes in
the case it is, but the actual rule which references the snap_browsers profile
could fail for apparmor versions for which snap_browsers does not exist.
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers,
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to open it if the default browser
is a snap
Status in apparmor package in Ubuntu:
Fix Released
Status in evince package in Ubuntu:
Fix Released
Status in apparmor source package in Jammy:
Fix Committed
Status in evince source package in Jammy:
In Progress
Status in apparmor source package in Lunar:
Incomplete
Status in evince source package in Lunar:
Fix Committed
Status in evince package in Debian:
Confirmed
Bug description:
[Impact]
* Users cannot open a hyperlink in a PDF opened with evince when the default
browser is a snap.
* The fix creates a snap_browsers abstraction on AppArmor which can be used
in a transition for when the browser is executed. The snap_browsers abstraction
provides the minimal amount of permissions required to execute a browser
provided through snaps. This is a workaround since AppArmor currently does not
provide mediation/filtering on enhanced environment variables.
[Test Plan]
* Make sure the default browser is provided through the snap store.
* Open a PDF that contains a hyperlink using evince and click on the URL.
* The browser should open the requested URL.
[Where problems could occur]
* If the browser or snap core update to have new requirements for
opening a browser, then the current policy could become obsolete and
will need to be updated again.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
