Evince cannot open HTTP link in Google Chrome or chromium-browser

Bug #1282314 reported by Tim Abell
This bug affects 12 people
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

This is similar to bug #964510 but found on Ubuntu 13.10 Saucy which already has the patch for that bug, and with a different message:

    Feb 19 23:50:14 sammy kernel: [413602.643399] type=1400 audit(1392853814.794:89): apparmor="DENIED" operation="file_mmap" parent=28174 profile="/usr/bin/evince//sanitized_helper" name="/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.18" pid=28181 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Symptoms are the same: evince fails to launch chromium when it's selected as the default.

Evince run from the command line outputs the following when you click a link:

    /usr/lib/chromium-browser/chrome-sandbox: error while loading shared libraries: libstdc++.so.6: failed to map segment from shared object: Permission denied

Another user reported the same issue https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/964510/comments/15 but received no response to date.

Tim Abell (tim-abell)
description: updated

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Radek Dostal (radekdostal) wrote :

The same bug is happening on Ubuntu 14.04, chromium configured as default browser, just the error message is slightly different:

/usr/lib/chromium-browser/chrome-sandbox: error while loading shared libraries: libpthread.so.0: failed to map segment from shared object: Permission denied

Radek Dostal (radekdostal) wrote :

and here is the relevant part from kern.log - also from Ubuntu 14.04:

[33753.328021] type=1400 audit(1400324186.273:72): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=30773 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Jamie Strandboge (jdstrand) wrote :

Radek, your denial seems odd since the sanitized_helper should allow this. Can you attach the output of 'apparmor_parser -p /etc/apparmor.d/usr.bin.evince'?

Seth Arnold (seth-arnold) wrote :

Jamie, what do you think about updating the ubuntu-helpers sanitized_helper profile with the newer paths to chromium-browser? I think it'd be best to avoid the Chromium-browser sandbox or Chrome browser sandbox executing in the sanitized_helper profile.

Thanks

Radek Dostal (radekdostal) wrote :

Hi Jamie and Seth,

thanks a lot for looking into this. I am attaching the output of "apparmor_parser -p /etc/apparmor.d/usr.bin.evince" and also "dpkg -L chromium-browser". I hope it will be helpful. Let me know if I can provide something additional to help you with the debugging.

Thanks,
Radek

Seth Arnold (seth-arnold) wrote :

Thanks Radek,

can you try modifying your /etc/apparmor.d/abstractions/ubuntu-helpers file like this?

=== modified file 'profiles/apparmor.d/abstractions/ubuntu-helpers'
--- profiles/apparmor.d/abstractions/ubuntu-helpers 2014-02-14 02:11:54 +0000
+++ profiles/apparmor.d/abstractions/ubuntu-helpers 2014-05-20 21:55:05 +0000
@@ -61,6 +61,7 @@
   # require the santized_helper (ie, LD_PRELOAD will only use standard system
   # paths (man ld.so)).
   /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+ /usr/lib/chromium-browser/chrome-sandbox PUxr,
   /opt/google/chrome/chrome-sandbox PUxr,
   /opt/google/chrome/google-chrome Pixr,
   /opt/google/chrome/chrome Pixr,
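
Review bot: the added `/usr/lib/chromium-browser/chrome-sandbox PUxr,` line relies on the `PUx` fallback, so when no profile for that path is loaded the helper runs unconfined (with the environment scrubbed). That matches the neighbouring sandbox entries, but the comment above the rules should state it and record which packaging ships `chrome-sandbox` versus the older `chromium-browser-sandbox` name, so the stale path can be retired later. While touching this block, also fix the "santized_helper" spelling in the context comment.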

Once you have added the new line, run "sudo service apparmor reload", then see if evince can start your browser as you expect.

Thanks

Radek Dostal (radekdostal) wrote :

Hi Seth,

Thanks a lot for getting back to me, the provided patch is fixing the problem! I tested the following two cases: chromium already running + chromium not yet started, and clicking on a link in evince works as expected in both.

Regarding your patch, you may want to consider removing the line with chromium-browser-sandbox as there is no such file installed, but you may also want to keep it in just in case and for compatibility with older versions. Up to you.

Thank you one more time for fixing this,
Radek

Radek Dostal (radekdostal) wrote :

Even though it works, there are still some errors printed out.

Console from which evince is started:
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[26538:26538:0521/230059:ERROR:data_type_manager_impl.cc(39)] Passwords cryptographer error was encountered:
[26538:26538:0521/230059:ERROR:account_tracker.cc(238)] OnGetTokenFailure: Invalid credentials.
[26538:26589:0521/230100:ERROR:download.cc(109)] PostClientToServerMessage() failed during GetUpdates

kernel log:
[66833.965996] type=1400 audit(1400706206.532:141): apparmor="DENIED" operation="signal" profile="/usr/bin/evince//sanitized_helper" pid=26771 comm="Chrome_ProcessL" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
[66833.969048] type=1400 audit(1400706206.536:142): apparmor="DENIED" operation="signal" profile="/usr/bin/evince//sanitized_helper" pid=26771 comm="Chrome_ProcessL" requested_mask="send" denied_mask="send" signal=term peer="unconfined"

They seem to have no effect on the functionality, but it may be worth quickly reviewing them just in case.

Thanks,
Radek

Pietrod (pietrodcof) wrote :

Seth, I have exactly the same problem adding this line:

/usr/lib/chromium-browser/chrome-sandbox PUxr

I have attached the output of "apparmor_parser -p /etc/apparmor.d/usr.bin.evince", I'm not an expert, hope it helps.

Pietrod (pietrodcof) wrote :

Excuse me, this is the right output, I directly piped the command into a txt without waiting a bit... :)

Seth Arnold (seth-arnold) wrote :

Pietrod, which problem are you having?

Thanks

Pietrod (pietrodcof) wrote :

When I posted it I had the same issue described in the bug description, but now it has solved itself, I don't know how... I know I did something but I don't remember. Thanks a lot anyway! :)

Jamie Strandboge (jdstrand) wrote :

This was fixed in r2515 as included in 14.10.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
positivek (anonyhole) wrote :

How do I check if this will be fixed in 14.04 LTS?

Adnan Hodzic (fooctrl) wrote :

Still a problem in 16.04

Dionysius (dionysius) wrote :

Adnan, can you provide proof in the form of logs, error messages/output? Your one-liner is not any help, so no one can look into it. AND, if it differs from the information provided by OP, you should file a new bug.

Stefanos Kariotidis (iccode) wrote :

I am using Ubuntu Gnome with the stock PDF reader (Evince) and Google Chrome as default browser. I cannot open any links from PDF files.

lsb-release output

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

kern.log output

Oct 23 21:27:39 dev kernel: [10012.099164] audit: type=1400 audit(1477247259.765:55): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=21492 comm="chrome" capability=21 capname="sys_admin"
Oct 23 21:27:39 dev kernel: [10012.099507] traps: chrome[21492] trap invalid opcode ip:55990222a4bb sp:7ffce994cbd0 error:0 in chrome[559901235000+6432000]
Oct 23 21:27:42 dev kernel: [10015.098185] traps: chrome[21504] trap invalid opcode ip:55e6bd6534bb sp:7ffdee85ccf0 error:0 in chrome[55e6bc65e000+6432000]
Oct 23 21:30:46 dev kernel: [10198.708592] traps: chrome[21673] trap invalid opcode ip:5583c57c84bb sp:7fff5b4ff080 error:0 in chrome[5583c47d3000+6432000]
Oct 23 21:30:48 dev kernel: [10201.013470] traps: chrome[21685] trap invalid opcode ip:562b1206d4bb sp:7ffcbeac8fa0 error:0 in chrome[562b11078000+6432000]
Oct 23 21:30:51 dev kernel: [10204.013148] traps: chrome[21699] trap invalid opcode ip:5613a275f4bb sp:7fff86a2c010 error:0 in chrome[5613a176a000+6432000]
Oct 23 21:33:14 dev kernel: [10346.865919] traps: chrome[21859] trap invalid opcode ip:5616dad2d4bb sp:7ffecc283b00 error:0 in chrome[5616d9d38000+6432000]
Oct 23 21:33:22 dev kernel: [10355.114458] traps: chrome[21889] trap invalid opcode ip:55dcb355c4bb sp:7ffd302201a0 error:0 in chrome[55dcb2567000+6432000]
Oct 23 21:33:24 dev kernel: [10356.599456] traps: chrome[21901] trap invalid opcode ip:55f75674c4bb sp:7fff89283ba0 error:0 in chrome[55f755757000+6432000]

Cerin (chrisspen) wrote :

This is still broken in 16.04.

Martin Weis (martin-weis-newsadress) wrote :

This has bugged me for some years now, and I see the following here in the log:

[278340.119805] audit: type=1400 audit(1487338252.143:543): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=20653 comm="chromium-browse" capability=21 capname="sys_admin"

Additionally, I get a crash report opened up with some more details, I add an excerpt here as attachment.

Related bugs with some more discussion and thoughts are:
#1447345
#1471645

John Johansen (jjohansen) wrote :

The capable request comes from chrome after it has setup a user namespace. However apparmor can not currently detect the difference between the system namespace and the user namespace.

Unfortunately the only solution at this time is to allow
  capability sys_admin,

in the /usr/bin/evince//sanitized_helper profile
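
The denials quoted throughout this thread can be triaged mechanically. The following is an added example, not part of the original thread or of AppArmor's own tooling: it parses `apparmor="DENIED"` audit records and maps each to a candidate profile rule for review. The function names are hypothetical, the log lines are copied from the comments above, and each emitted rule is a starting point to review against the profile's intent, not a change to apply blindly.

```python
import re
from collections import Counter

# Denial records quoted in this thread, plus one non-AppArmor kernel line as noise.
SAMPLE_LOG = """\
[33753.328021] type=1400 audit(1400324186.273:72): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=30773 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[66833.965996] type=1400 audit(1400706206.532:141): apparmor="DENIED" operation="signal" profile="/usr/bin/evince//sanitized_helper" pid=26771 comm="Chrome_ProcessL" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
[66833.969048] type=1400 audit(1400706206.536:142): apparmor="DENIED" operation="signal" profile="/usr/bin/evince//sanitized_helper" pid=26771 comm="Chrome_ProcessL" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
[278340.119805] audit: type=1400 audit(1487338252.143:543): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=20653 comm="chromium-browse" capability=21 capname="sys_admin"
Oct 23 21:27:39 dev kernel: [10012.099507] traps: chrome[21492] trap invalid opcode ip:55990222a4bb sp:7ffce994cbd0 error:0 in chrome[559901235000+6432000]
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def suggest_rule(d):
    """Map one denial to the profile rule that would cover it (a candidate for review)."""
    op = d.get("operation")
    if op == "capable":
        return f"capability {d['capname']},"
    if op == "signal":
        return f"signal ({d['denied_mask']}) set=({d['signal']}) peer={d['peer']},"
    if "name" in d:  # file operations such as file_mmap carry the path in name=
        return f"{d['name']} {d['denied_mask']},"
    return None      # operation this sketch does not handle

def summarize(log_text):
    """Count denials per (confining profile, command, candidate rule)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            counts[(d["profile"], d["comm"], suggest_rule(d))] += 1
    return counts

if __name__ == "__main__":
    for (profile, comm, rule), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {profile} [{comm}] -> {rule}")
```

Grouping by profile shows that every denial here lands in `/usr/bin/evince//sanitized_helper`, which is why the fixes discussed in the thread either transition the browser out of that profile or widen it.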

Tim Richardson (tim-richardson) wrote :

Still a problem in 17.04. I don't see how to turn comment #21 into a fix.
