Evince cannot open HTTP link in Google Chrome or chromium-browser

Bug #964510 reported by Jaromir Obr on 2012-03-25
This bug affects 30 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Jamie Strandboge
Jamie Strandboge

Bug Description

SRU Justification:

Impact: when chromium-browser or Google Chrome are set as the default browser, the user is unable to open links via PDF files

Development fix: the fix will be applied to Quantal via pocket copy of this SRU.

Stable fix: this was fixed in r2039 by adding the following to /etc/apparmor.d/abstractions/ubuntu-helpers:
  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /opt/google/chrome/chrome-sandbox PUxr,
  /opt/google/chrome/google-chrome Pixr,
  /opt/google/chrome/chrome Pixr,
  /opt/google/chrome/lib*.so{,.*} m,

1. Install chromium-browser and/or Google Chrome

2. Launch chromium-browser (or Chrome) and set it as the default web browser

3. Open a PDF with a link in it (attached) in evince and click on the link.

At this point, chromium-browser (or Chrome) should open to the link specified. Without the patch, it does not open and there are AppArmor denials in /var/log/kern.log.

Regression potential: the regression potential is considered low. Launching chromium-browser and Chrome via evince is currently broken, so there is no regression potential there, however ubuntu-helpers is included by the (disable by default) firefox profile so a mistake in the added policy could prevent firefox policy from loading.

Jaromir Obr (jaromir-obr) wrote :
tags: added: apparmor
Changed in apparmor (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. This is actually a bug in the ubuntu-helpers abstraction. It currently allows:
  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /bin/* Pixr,
  /sbin/* Pixr,
  /usr/bin/* Pixr,
  /usr/sbin/* Pixr,

As you can see, /opt is not listed in there. The ubuntu-helpers abstraction needs to be adjusted accordingly.

Changed in apparmor (Ubuntu):
importance: Undecided → Low

With Chromium instead of Chrome, I get the same bug with

/usr/lib/chromium-browser/chromium-browser-sandbox: error while loading shared libraries: libpthread.so.0: failed to map segment from shared object: Permission denied

Apr 23 18:23:22 OptiPlex-980 kernel: [25018.266914] type=1400 audit(1335198202.707:92): apparmor="DENIED" operation="file_mmap" parent=15910 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=15914 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Apr 23 18:23:30 OptiPlex-980 kernel: [25026.429571] type=1400 audit(1335198210.883:93): apparmor="DENIED" operation="file_mmap" parent=15917 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=15921 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

tnhh (tnhh) wrote :

I also have the same problem with chromium. /var/log/syslog says

May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

For now I have just done

ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince

As a workaround for Chromium, I edited /etc/apparmor.d/abstractions/ubuntu-browsers by commenting the line
/usr/bin/chromium-browser Cx -> sanitized_helper,

and adding the line

/usr/bin/chromium-browser Ux,

I then ran

sudo apparmor_parser -T -W -r /etc/apparmor.d/usr.bin.evince

and http links now open in Chromium as expected

Jamie Strandboge (jdstrand) wrote :

tnhh, yours is a different problem. Can you please file a new bug with 'ubuntu-bug apparmor-profiles' and attach your /var/log/kern.log if ubuntu-bug doesn't do it for you?

Jamie Strandboge (jdstrand) wrote :

tnhh, actually, nevermind, it is different than google chrome, but will try to fix it in the same place.

Jamie Strandboge (jdstrand) wrote :
description: updated
Changed in apparmor (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Low
summary: - Evince cannot open HTTP link in Google Chrome
+ Evince cannot open HTTP link in Google Chrome or chromium-browser
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-updates
tnhh (tnhh) wrote :

Fix works for me. Thanks.

Jamie Strandboge (jdstrand) wrote :

Debdiff for quantal is attached.

Changed in apparmor (Ubuntu Quantal):
assignee: nobody → Steve Beattie (sbeattie)
milestone: none → quantal-alpha-3
tags: added: patch
Changed in apparmor (Ubuntu Quantal):
status: Triaged → In Progress
assignee: Steve Beattie (sbeattie) → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Released
Neal McBurnett (nealmcb) wrote :

Since the SRU fix for precise seems low on the priority queue, I boldly did this on my precise machine, based on the apparmor_2.7.102-0ubuntu6.debdiff patch and the advice from Antoine-terracol. I'm no expert, but it seems to work now, without even restarting evince.

Add these lines to /etc/apparmor.d/abstractions/ubuntu-helpers after the line "/usr/lib*/{,**/}* Pixr,":

  # From https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/964510/comments/12
  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /opt/google/chrome/chrome-sandbox PUxr,
  /opt/google/chrome/google-chrome Pixr,
  /opt/google/chrome/chrome Pixr,
  /opt/google/chrome/lib*.so{,.*} m,

Run `sudo apparmor_parser -T -W -r /etc/apparmor.d/usr.bin.evince`

Sergio Benjamim (sergio-br2) wrote :

Neal McBurnett trick works with me!

I am in Ubuntu 12.04

On Precise applying the patch or upgrading to 2.8 apparmor fixed it. However, now pepflash complains on opening flash links:

kernel: [50532.870550] type=1400 audit(1388377116.233:633): apparmor="DENIED" operation="file_mmap" parent=29097 profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/PepperFlash/libpepflashplayer.so" pid=29144 comm="chrome" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

though flash does load (click-to-play)

I'm on 13.10 with apparmor package 2.8.0 and I still have this issue.

$ apt-cache policy apparmor
  Installed: 2.8.0-0ubuntu31.1
  Candidate: 2.8.0-0ubuntu31.1

from kern.log:
Dec 31 17:55:33 UltraLap kernel: [ 8117.771299] audit_printk_skb: 135 callbacks suppressed
Dec 31 17:55:33 UltraLap kernel: [ 8117.771302] type=1400 audit(1388530533.377:121): apparmor="DENIED" operation="file_mmap" parent=10834 profile="/usr/bin/evince//sanitized_helper" name="/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.18" pid=10840 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

I do not have a problem if Firefox is my default browser.

Tim Abell (tim-abell) wrote :

Re: comment #15

I've reported this as a separate bug as I think it's a separate issue. See bug #1282314

Adnan Hodzic (fooctrl) wrote :

This problem is still present 4 years later in 16.04

Seth Arnold (seth-arnold) wrote :

Adnan, this old bug describes an issue that was fixed several years ago. Please file a new bug with ubuntu-bug evince if you're experiencing similar symptoms. Be sure to include the output of grep DEN /var/log/syslog or grep DEN /var/log/audit/audit.log (if you're using auditd).


Cerin (chrisspen) wrote :

This is still broken in 16.04.

And in 17.04.

Neal McBurnett (nealmcb) wrote :

Adnan, Cerin, Raffi - please note the message above from Seth, and gather the evidence as he describes, and file a new bug.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers