Evince cannot open HTTP link in Google Chrome or chromium-browser

Bug #1282314 reported by Tim Abell on 2014-02-20
58
This bug affects 12 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned

Bug Description

This is similar to bug #964510 but found on Ubuntu 13.10 Saucy which already has the patch for that bug, and with a different message:

    Feb 19 23:50:14 sammy kernel: [413602.643399] type=1400 audit(1392853814.794:89): apparmor="DENIED" operation="file_mmap" parent=28174 profile="/usr/bin/evince//sanitized_helper" name="/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.18" pid=28181 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Symptoms are the same, evince fails to launch chromium when it's selected as the default.

Evince run from the command line outputs the following when you click a link:

    /usr/lib/chromium-browser/chrome-sandbox: error while loading shared libraries: libstdc++.so.6: failed to map segment from shared object: Permission denied

Another user reported the same issue https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/964510/comments/15 but received no response to date.

Tim Abell (tim-abell) on 2014-02-20
description: updated
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Radek Dostal (radekdostal) wrote :

The same bug is happening on Ubuntu 14.04, chromium configured as default browser, just the error message is slightly different:

/usr/lib/chromium-browser/chrome-sandbox: error while loading shared libraries: libpthread.so.0: failed to map segment from shared object: Permission denied

Radek Dostal (radekdostal) wrote :

and here is the relevant part from kern.log - also from Ubuntu 14.04:

[33753.328021] type=1400 audit(1400324186.273:72): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=30773 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Jamie Strandboge (jdstrand) wrote :

Radek, your denial seems odd since the sanitized_helper should allow this. Can you attach the output of 'apparmor_parser -p /etc/apparmor.d/usr.bin.evince'?

Seth Arnold (seth-arnold) wrote :

Jamie, what do you think about updating the ubuntu-helpers sanitized_helper profile with the newer paths to chromium-browser? I think it'd be best to avoid the Chromium-browser sandbox or Chrome browser sandbox executing in the sanitized_helper profile.

Thanks

Radek Dostal (radekdostal) wrote :

Hi Jamie and Seth,

thanks a lot for looking into this. I am attaching the output of "apparmor_parser -p /etc/apparmor.d/usr.bin.evince" and also "dpkg -L chromium-browser". I hope it will be helpfull. Let me know, if I can provide something additional to help you with the debugging.

Thanks,
Radek

Seth Arnold (seth-arnold) wrote :

Thanks Radek,

can you try modifying your /etc/apparmor.d/abstractions/ubuntu-helper file like this?

=== modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers'
--- profiles/apparmor.d/abstractions/ubuntu-helpers 2014-02-14 02:11:54 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-helpers 2014-05-20 21:55:05 +0000
@@ -61,6 +61,7 @@
   # require the santized_helper (ie, LD_PRELOAD will only use standard system
   # paths (man ld.so)).
   /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium-browser/chrome-sandbox PUxr,
   /opt/google/chrome/chrome-sandbox PUxr,
   /opt/google/chrome/google-chrome Pixr,
   /opt/google/chrome/chrome Pixr,

Once you have added the new line, run "sudo service apparmor reload", then see if evince can start your browser as you expect.

Thanks

Radek Dostal (radekdostal) wrote :

Hi Seth,

Thanks a lot for getting back to me, the provided patch is fixing the problem! I tested following two cases: chromium already running + chromium not yet started and clicking on a link in evince works as expected in both.

Regarding your patch you may want to consider removing line with chromium-browser-sandbox as there is no such file installed, but you may also want to keep it in just in case and for compatibility with older versions. Up to you.

Thank you one more time for fixing this,
Radek

Radek Dostal (radekdostal) wrote :

Even it works, there are still some errors printed out.

Console from which evince is started:
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[26538:26538:0521/230059:ERROR:data_type_manager_impl.cc(39)] Passwords cryptographer error was encountered:
[26538:26538:0521/230059:ERROR:account_tracker.cc(238)] OnGetTokenFailure: Invalid credentials.
[26538:26589:0521/230100:ERROR:download.cc(109)] PostClientToServerMessage() failed during GetUpdates

kernel log:
[66833.965996] type=1400 audit(1400706206.532:141): apparmor="DENIED" operation="signal" profile="/usr/bin/evince//sanitized_helper" pid=26771 comm="Chrome_ProcessL" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
[66833.969048] type=1400 audit(1400706206.536:142): apparmor="DENIED" operation="signal" profile="/usr/bin/evince//sanitized_helper" pid=26771 comm="Chrome_ProcessL" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

They seem to have no effect on the functionality, but it may be worth to quickly review them just in case.

Thanks,
Radek

Pietrod (pietrodcof) wrote :

Seth, I have exactly the same problem adding this line:

/usr/lib/chromium-browser/chrome-sandbox PUxr

I have attached the output of "apparmor_parser -p /etc/apparmor.d/usr.bin.evince", I'm not an expert, hope it helps.

Pietrod (pietrodcof) wrote :

excuse me, this is the right otput, I directly pipe the command into a txt without waiting a bit... :)

Seth Arnold (seth-arnold) wrote :

Pietrod, which problem are you having?

Thanks

Pietrod (pietrodcof) wrote :

When I post it I have the same issue described in the bug description but now it solves I don't know how by itself... I know, I do something but I don't remember, thanks a lot anyway! :)

Jamie Strandboge (jdstrand) wrote :

This was fixed in r2515 as included in 14.10.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
positivek (anonyhole) wrote :

How do I check if this will be fixed in 14.04 LTS?

Adnan Hodzic (fooctrl) wrote :

Still a problem in 16.04

Dionysius (dionysius) wrote :

Adnan, can you provide proof in form of logs, error messages/output? Your one-liner is not any help so noone can look into it. AND, if it differs from the informations provided by OP, you should file a new bug.

Stefanos Kariotidis (iccode) wrote :

I am using Ubuntu Gnome with the stock PDF reader (Evince) and Google Chrome as default browser. I cannot open any links from PDF files.

lsb-release output

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

kern.log output

Oct 23 21:27:39 dev kernel: [10012.099164] audit: type=1400 audit(1477247259.765:55): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=21492 comm="chrome" capability=21 capname="sys_admin"
Oct 23 21:27:39 dev kernel: [10012.099507] traps: chrome[21492] trap invalid opcode ip:55990222a4bb sp:7ffce994cbd0 error:0 in chrome[559901235000+6432000]
Oct 23 21:27:42 dev kernel: [10015.098185] traps: chrome[21504] trap invalid opcode ip:55e6bd6534bb sp:7ffdee85ccf0 error:0 in chrome[55e6bc65e000+6432000]
Oct 23 21:30:46 dev kernel: [10198.708592] traps: chrome[21673] trap invalid opcode ip:5583c57c84bb sp:7fff5b4ff080 error:0 in chrome[5583c47d3000+6432000]
Oct 23 21:30:48 dev kernel: [10201.013470] traps: chrome[21685] trap invalid opcode ip:562b1206d4bb sp:7ffcbeac8fa0 error:0 in chrome[562b11078000+6432000]
Oct 23 21:30:51 dev kernel: [10204.013148] traps: chrome[21699] trap invalid opcode ip:5613a275f4bb sp:7fff86a2c010 error:0 in chrome[5613a176a000+6432000]
Oct 23 21:33:14 dev kernel: [10346.865919] traps: chrome[21859] trap invalid opcode ip:5616dad2d4bb sp:7ffecc283b00 error:0 in chrome[5616d9d38000+6432000]
Oct 23 21:33:22 dev kernel: [10355.114458] traps: chrome[21889] trap invalid opcode ip:55dcb355c4bb sp:7ffd302201a0 error:0 in chrome[55dcb2567000+6432000]
Oct 23 21:33:24 dev kernel: [10356.599456] traps: chrome[21901] trap invalid opcode ip:55f75674c4bb sp:7fff89283ba0 error:0 in chrome[55f755757000+6432000]

Cerin (chrisspen) wrote :

This is still broken in 16.04.

This bugs me since some years now, and I see the following here in the log:

[278340.119805] audit: type=1400 audit(1487338252.143:543): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=20653 comm="chromium-browse" capability=21 capname="sys_admin"

Additionally, I get a crash report opened up with some more details, I add an excerpt here as attachment.

Related bugs with some more discussion and thoughts are:
#1447345
#1471645

John Johansen (jjohansen) wrote :

The capable request comes from chrome after it has setup a user namespace. However apparmor can not currently detect the difference between the system namespace and the user namespace.

Unfortunately the only solution at this time it to allow
  capable sys_admin,

in the /usr/bin/evince//sanitized_helper profile

Still a problem in 17.04. I don't see how to turn comment #21 into a fix.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers