Evince cannot open HTTP link in Google Chrome or chromium-browser

Bug #964510 reported by Jaromir Obr
152
This bug affects 30 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Jamie Strandboge
Precise
Low
Unassigned
Quantal
Low
Jamie Strandboge

Bug Description

SRU Justification:

Impact: when chromium-browser or Google Chrome are set as the default browser, the user is unable to open links via PDF files

Development fix: the fix will be applied to Quantal via pocket copy of this SRU.

Stable fix: this was fixed in r2039 by adding the following to /etc/apparmor.d/abstractions/ubuntu-helpers:
  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /opt/google/chrome/chrome-sandbox PUxr,
  /opt/google/chrome/google-chrome Pixr,
  /opt/google/chrome/chrome Pixr,
  /opt/google/chrome/lib*.so{,.*} m,

TEST CASE:
1. Install chromium-browser and/or Google Chrome

2. Launch chromium-browser (or Chrome) and set it as the default web browser

3. Open a PDF with a link in it (attached) in evince and click on the link.

At this point, chromium-browser (or Chrome) should open to the link specified. Without the patch, it does not open and there are AppArmor denials in /var/log/kern.log.

Regression potential: the regression potential is considered low. Launching chromium-browser and Chrome via evince is currently broken, so there is no regression potential there, however ubuntu-helpers is included by the (disable by default) firefox profile so a mistake in the added policy could prevent firefox policy from loading.

Revision history for this message
Jaromir Obr (jaromir-obr) wrote :
tags: added: apparmor
Changed in apparmor (Ubuntu):
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. This is actually a bug in the ubuntu-helpers abstraction. It currently allows:
  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /bin/* Pixr,
  /sbin/* Pixr,
  /usr/bin/* Pixr,
  /usr/sbin/* Pixr,

As you can see, /opt is not listed in there. The ubuntu-helpers abstraction needs to be adjusted accordingly.

Changed in apparmor (Ubuntu):
importance: Undecided → Low
Revision history for this message
Antoine-terracol (antoine-terracol) wrote :

With Chromium instead of Chrome, I get the same bug with

terminal:
/usr/lib/chromium-browser/chromium-browser-sandbox: error while loading shared libraries: libpthread.so.0: failed to map segment from shared object: Permission denied

syslog:
Apr 23 18:23:22 OptiPlex-980 kernel: [25018.266914] type=1400 audit(1335198202.707:92): apparmor="DENIED" operation="file_mmap" parent=15910 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=15914 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Apr 23 18:23:30 OptiPlex-980 kernel: [25026.429571] type=1400 audit(1335198210.883:93): apparmor="DENIED" operation="file_mmap" parent=15917 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=15921 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Revision history for this message
tnhh (tnhh) wrote :

I also have the same problem with chromium. /var/log/syslog says

May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

For now I have just done

ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince

Revision history for this message
Antoine-terracol (antoine-terracol) wrote :

As a workaround for Chromium, I edited /etc/apparmor.d/abstractions/ubuntu-browsers by commenting the line
/usr/bin/chromium-browser Cx -> sanitized_helper,

and adding the line

/usr/bin/chromium-browser Ux,

I then ran

sudo apparmor_parser -T -W -r /etc/apparmor.d/usr.bin.evince

and http links now open in Chromium as expected

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

tnhh, yours is a different problem. Can you please file a new bug with 'ubuntu-bug apparmor-profiles' and attach your /var/log/kern.log if ubuntu-bug doesn't do it for you?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

tnhh, actually, nevermind, it is different than google chrome, but will try to fix it in the same place.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :
description: updated
Changed in apparmor (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Low
summary: - Evince cannot open HTTP link in Google Chrome
+ Evince cannot open HTTP link in Google Chrome or chromium-browser
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-updates
Revision history for this message
tnhh (tnhh) wrote :

Fix works for me. Thanks.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Debdiff for quantal is attached.

Changed in apparmor (Ubuntu Quantal):
assignee: nobody → Steve Beattie (sbeattie)
milestone: none → quantal-alpha-3
tags: added: patch
Changed in apparmor (Ubuntu Quantal):
status: Triaged → In Progress
assignee: Steve Beattie (sbeattie) → Jamie Strandboge (jdstrand)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Released
Revision history for this message
Neal McBurnett (nealmcb) wrote :

Since the SRU fix for precise seems low on the priority queue, I boldly did this on my precise machine, based on the apparmor_2.7.102-0ubuntu6.debdiff patch and the advice from Antoine-terracol. I'm no expert, but it seems to work now, without even restarting evince.

Add these lines to /etc/apparmor.d/abstractions/ubuntu-helpers after the line "/usr/lib*/{,**/}* Pixr,":

  # From https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/964510/comments/12
  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /opt/google/chrome/chrome-sandbox PUxr,
  /opt/google/chrome/google-chrome Pixr,
  /opt/google/chrome/chrome Pixr,
  /opt/google/chrome/lib*.so{,.*} m,

Run `sudo apparmor_parser -T -W -r /etc/apparmor.d/usr.bin.evince`

Revision history for this message
Sergio Benjamim (sergio-br2) wrote :

Neal McBurnett trick works with me!

I am in Ubuntu 12.04

Revision history for this message
Alad Wenter (the-changing-side) wrote :

On Precise applying the patch or upgrading to 2.8 apparmor fixed it. However, now pepflash complains on opening flash links:

kernel: [50532.870550] type=1400 audit(1388377116.233:633): apparmor="DENIED" operation="file_mmap" parent=29097 profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/PepperFlash/libpepflashplayer.so" pid=29144 comm="chrome" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

though flash does load (click-to-play)

Revision history for this message
Scott Kostyshak (scott-kostyshak) wrote :

I'm on 13.10 with apparmor package 2.8.0 and I still have this issue.

$ apt-cache policy apparmor
apparmor:
  Installed: 2.8.0-0ubuntu31.1
  Candidate: 2.8.0-0ubuntu31.1

from kern.log:
Dec 31 17:55:33 UltraLap kernel: [ 8117.771299] audit_printk_skb: 135 callbacks suppressed
Dec 31 17:55:33 UltraLap kernel: [ 8117.771302] type=1400 audit(1388530533.377:121): apparmor="DENIED" operation="file_mmap" parent=10834 profile="/usr/bin/evince//sanitized_helper" name="/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.18" pid=10840 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

I do not have a problem if Firefox is my default browser.

Revision history for this message
Tim Abell (tim-abell) wrote :

Re: comment #15

I've reported this as a separate bug as I think it's a separate issue. See bug #1282314

Revision history for this message
Adnan Hodzic (fooctrl) wrote :

This problem is still present 4 years later in 16.04

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Adnan, this old bug describes an issue that was fixed several years ago. Please file a new bug with ubuntu-bug evince if you're experiencing similar symptoms. Be sure to include the output of grep DEN /var/log/syslog or grep DEN /var/log/audit/audit.log (if you're using auditd).

Thanks

Revision history for this message
Cerin (chrisspen) wrote :

This is still broken in 16.04.

Revision history for this message
Raffi Khatchadourian (rkhatchadourian) wrote :

And in 17.04.

Revision history for this message
Neal McBurnett (nealmcb) wrote :

Adnan, Cerin, Raffi - please note the message above from Seth, and gather the evidence as he describes, and file a new bug.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers