"Unable to open external link" in Evince when google-chrome-unstable is the default browser

Bug #1730536 reported by Paul Natsuo Kishimoto on 2017-11-07
This bug affects 1 person
Affects: AppArmor; Importance: Undecided; Assigned to: Unassigned
Affects: apparmor (Debian); Status: Confirmed; Importance: Undecided; Assigned to: Unassigned
Affects: apparmor (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

TO REPRODUCE:

I attempt to open a URL from a PDF document in Evince.

EXPECTED:

The browser opens the URL.

OBSERVED:

I'm shown an error message:

Unable to open external link
Failed to execute child process “/usr/bin/google-chrome-unstable” (Permission denied)

journalctl shows:

Nov 06 19:19:18 khaeru-laptop audit[22110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov 06 19:19:18 khaeru-laptop kernel: audit: type=1400 audit(1510013958.773:590): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

EXTRA INFORMATION:

- As the messages imply, I'm using Google Chrome "unstable".
- The file
  /usr/bin/google-chrome-unstable
  …is symlinked to:
  /opt/google/chrome-unstable/google-chrome-unstable
- I note that previous bugs, e.g. bug #964510, resulted in lines being added to
  /etc/apparmor.d/abstractions/ubuntu-helpers that refer to paths in
  /opt/google/chrome/. This directory does not exist on my system.

$ lsb_release -rd && apt-cache policy apparmor evince google-chrome-unstable
Description: Ubuntu 17.10
Release: 17.10
apparmor:
  Installed: 2.11.0-2ubuntu17
  Candidate: 2.11.0-2ubuntu17
  Version table:
 *** 2.11.0-2ubuntu17 500
        500 http://us.archive.ubuntu.com/ubuntu artful/main amd64 Packages
        100 /var/lib/dpkg/status
evince:
  Installed: 3.26.0-1
  Candidate: 3.26.0-1
  Version table:
 *** 3.26.0-1 500
        500 http://us.archive.ubuntu.com/ubuntu artful/main amd64 Packages
        100 /var/lib/dpkg/status
google-chrome-unstable:
  Installed: 64.0.3251.0-1
  Candidate: 64.0.3253.3-1
  Version table:
     64.0.3253.3-1 500
        500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
 *** 64.0.3251.0-1 100
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: apparmor 2.11.0-2ubuntu17
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.1
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Nov 6 19:20:34 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-10-11 (26 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.13.0-16-generic.efi.signed root=UUID=39ca3c53-0313-4699-a5da-403522e2ff14 ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to artful on 2017-10-19 (18 days ago)
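
The denial quoted in the journal output above names the symlink target under /opt/google/chrome-unstable/, not /usr/bin/google-chrome-unstable, while the report notes that the existing ubuntu-helpers lines refer to /opt/google/chrome/. As an added example (not part of the original report or of AppArmor), the Python below parses those two journal lines, collapses the repeated record, and checks the denied path against that directory; the function names are hypothetical, and the component-wise directory check is an assumption standing in for real AppArmor glob matching.

```python
import re
from pathlib import PurePosixPath

# Sample input: the two journal lines quoted in the report above.
JOURNAL = """\
Nov 06 19:19:18 khaeru-laptop audit[22110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov 06 19:19:18 khaeru-laptop kernel: audit: type=1400 audit(1510013958.773:590): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict of key=value fields per AppArmor DENIED line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            events.append({k: q or b for k, q, b in FIELD.findall(line)})
    return events

def unique_denials(events):
    """Collapse records sharing profile/operation/name/pid/mask (assumed one event)."""
    seen, out = set(), []
    for e in events:
        key = tuple(e.get(k) for k in ("profile", "operation", "name", "pid", "denied_mask"))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out

def inside(path, directory):
    """Component-wise check, so chrome-unstable/ is not read as part of chrome/."""
    p, d = PurePosixPath(path).parts, PurePosixPath(directory).parts
    return p[:len(d)] == d

def report(text, helper_dir="/opt/google/chrome"):
    """(profile, operation, denied path, path is under helper_dir) per unique denial."""
    return [(e["profile"], e["operation"], e["name"], inside(e["name"], helper_dir))
            for e in unique_denials(parse_denials(text))]

if __name__ == "__main__":
    for row in report(JOURNAL):
        print(row)
```

The final field of each row is False for this report's denial: the executable the confined evince process tried to run lies outside the directory the existing helper lines refer to.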

intrigeri (intrigeri) wrote :

This should be easy to fix with something very similar to https://gitlab.com/apparmor/apparmor/merge_requests/7. While I'm at it I'll check that google-chrome-stable works too.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Debian):
status: New → Confirmed
Changed in apparmor:
status: New → Confirmed
summary: - "Unable to open external link" in evince
+ "Unable to open external link" in Evince when google-chrome-unstable is
+ the default browser
tags: added: aa-policy
intrigeri (intrigeri) wrote :

https://gitlab.com/apparmor/apparmor/merge_requests/9 fixes this bug on my Debian sid test VM.

Paul Natsuo Kishimoto (khaeru) wrote :

I can confirm that the changes from that merge request, when manually applied on my system, fix the problem. Thanks!

intrigeri (intrigeri) on 2017-11-15
Changed in apparmor:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

---------------
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.12

Changed in apparmor:
status: Fix Committed → Fix Released