Evince cannot open HTTP link in Google Chrome or chromium-browser

Thank you for using Ubuntu and filing a bug. This is actually a bug in the ubuntu-helpers abstraction. It currently allows:
  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /bin/* Pixr,
  /sbin/* Pixr,
  /usr/bin/* Pixr,
  /usr/sbin/* Pixr,

As you can see, /opt is not listed in there. The ubuntu-helpers abstraction needs to be adjusted accordingly.

With Chromium instead of Chrome, I get the same bug with

terminal:
/usr/lib/chromium-browser/chromium-browser-sandbox: error while loading shared libraries: libpthread.so.0: failed to map segment from shared object: Permission denied

syslog:
Apr 23 18:23:22 OptiPlex-980 kernel: [25018.266914] type=1400 audit(1335198202.707:92): apparmor="DENIED" operation="file_mmap" parent=15910 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=15914 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Apr 23 18:23:30 OptiPlex-980 kernel: [25026.429571] type=1400 audit(1335198210.883:93): apparmor="DENIED" operation="file_mmap" parent=15917 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=15921 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

I also have the same problem with chromium. /var/log/syslog says

May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

For now I have just done

ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince

As a workaround for Chromium, I edited /etc/apparmor.d/abstractions/ubuntu-browsers by commenting the line
/usr/bin/chromium-browser Cx -> sanitized_helper,

and adding the line

/usr/bin/chromium-browser Ux,

I then ran

sudo apparmor_parser -T -W -r /etc/apparmor.d/usr.bin.evince

and http links now open in Chromium as expected

tnhh, yours is a different problem. Can you please file a new bug with 'ubuntu-bug apparmor-profiles' and attach your /var/log/kern.log if ubuntu-bug doesn't do it for you?

tnhh, actually, nevermind, it is different than google chrome, but will try to fix it in the same place.

Fix works for me. Thanks.

Debdiff for quantal is attached.

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Since the SRU fix for precise seems low on the priority queue, I boldly did this on my precise machine, based on the apparmor_2.7.102-0ubuntu6.debdiff patch and the advice from Antoine-terracol. I'm no expert, but it seems to work now, without even restarting evince.

Add these lines to /etc/apparmor.d/abstractions/ubuntu-helpers after the line "/usr/lib*/{,**/}* Pixr,":

  # From https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/964510/comments/12
  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /opt/google/chrome/chrome-sandbox PUxr,
  /opt/google/chrome/google-chrome Pixr,
  /opt/google/chrome/chrome Pixr,
  /opt/google/chrome/lib*.so{,.*} m,

Run `sudo apparmor_parser -T -W -r /etc/apparmor.d/usr.bin.evince`

Neal McBurnett trick works with me!

I am in Ubuntu 12.04

On Precise applying the patch or upgrading to 2.8 apparmor fixed it. However, now pepflash complains on opening flash links:

kernel: [50532.870550] type=1400 audit(1388377116.233:633): apparmor="DENIED" operation="file_mmap" parent=29097 profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/PepperFlash/libpepflashplayer.so" pid=29144 comm="chrome" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

though flash does load (click-to-play)

I'm on 13.10 with apparmor package 2.8.0 and I still have this issue.

$ apt-cache policy apparmor
apparmor:
  Installed: 2.8.0-0ubuntu31.1
  Candidate: 2.8.0-0ubuntu31.1

from kern.log:
Dec 31 17:55:33 UltraLap kernel: [ 8117.771299] audit_printk_skb: 135 callbacks suppressed
Dec 31 17:55:33 UltraLap kernel: [ 8117.771302] type=1400 audit(1388530533.377:121): apparmor="DENIED" operation="file_mmap" parent=10834 profile="/usr/bin/evince//sanitized_helper" name="/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.18" pid=10840 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

I do not have a problem if Firefox is my default browser.

Re: comment #15

I've reported this as a separate bug as I think it's a separate issue. See bug #1282314

This problem is still present 4 years later in 16.04

Adnan, this old bug describes an issue that was fixed several years ago. Please file a new bug with ubuntu-bug evince if you're experiencing similar symptoms. Be sure to include the output of grep DEN /var/log/syslog or grep DEN /var/log/audit/audit.log (if you're using auditd).

Thanks

This is still broken in 16.04.

And in 17.04.

Adnan, Cerin, Raffi - please note the message above from Seth, and gather the evidence as he describes, and file a new bug.

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release