Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Bug #1794064 reported by Olivier Tilloy on 2018-09-24
Affects: evince (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

This is not a recent regression, it's not working on bionic either.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: evince 3.30.0-2
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Uname: Linux 4.18.0-7-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu11
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Sep 24 12:28:06 2018
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-07-02 (813 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: evince
UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158

Olivier Tilloy (osomon) wrote :

Note that this works with the evince snap, only the deb package is affected.

Olivier Tilloy (osomon) wrote :

I can "fix" the issue if I add the following two lines to /etc/apparmor.d/abstractions/ubuntu-browsers and reload the evince profile:

  /usr/bin/env rmix,
  /usr/bin/snap Cx -> sanitized_helper,

Probably not acceptable as is because this would allow executing any snap, not just chromium. And snaps are not guaranteed to be strictly confined (e.g. classic/devmode).

But a rule on /snap/bin/chromium is not good enough as /snap/bin/chromium is a symlink to /usr/bin/snap.

Jamie Strandboge (jdstrand) wrote :

I went through this the other day with a personal profile. We probably can do something along the lines of:

/{,snap/core/[0-9]*/}usr/bin/snap mrCx -> snap_browser,

profile snap_browser {
    #include <abstractions/base>

    /etc/passwd r,
    /etc/group r,
    /etc/nsswitch.conf r,
    /dev/tty rw,

    # noisy
    deny network inet stream,
    deny network inet6 stream,
    deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu

    /{,snap/core/[0-9]*/}usr/bin/snap mrix, # re-exec
    /etc/fstab r,
    @{PROC}/sys/net/core/somaxconn r,
    @{PROC}/sys/kernel/seccomp/actions_avail r,
    owner @{PROC}/@{pid}/mountinfo r,
    owner @{HOME}/.snap/auth.json r, # if exists, required
    /run/snapd.socket rw,
    /snap/core/[0-9]*/usr/lib/snapd/info r,
    /snap/core/[0-9]*/usr/lib/snapd/snapd r,
    /var/lib/snapd/system-key r,

    /{,snap/core/*/}usr/lib/snapd/snap-confine Pix,
    /sys/kernel/security/apparmor/features/ r,

    # allow launching official browser snaps. This could be abstracted into an #include or tunable
    /snap/chromium/*/meta/snap.yaml r,
    /snap/firefox/*/meta/snap.yaml r,
    # ...
}
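To check which real paths a draft like the one above actually covers before loading it, the small AppArmor glob matcher below can be run offline. It is an added example, not code from this bug thread or from AppArmor itself; the tunable values for @{PROC}, @{HOME} and @{pid} are assumed, and the rule list is copied from the snap_browser draft with the permission flags dropped.

```python
import re
# Assumed tunable values standing in for /etc/apparmor.d/tunables (constructed for this example).
TUNABLES = {"@{PROC}": "/proc", "@{HOME}": "/home/*", "@{pid}": "[0-9]*"}

def aa_glob_to_regex(pattern: str) -> str:
    """AppArmor path glob -> anchored regex: '*' stops at '/', '**' crosses it,
    '?' is one char, '[...]' is a class, '{a,b}' alternates (commas only inside braces)."""
    for var, value in TUNABLES.items():
        pattern = pattern.replace(var, value)
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            double = pattern[i + 1:i + 2] == "*"
            out.append(".*" if double else "[^/]*")
            i += 2 if double else 1
            continue
        if c == "?":
            out.append("[^/]")
        elif c == "[":  # character class: copy it through unchanged
            end = pattern.index("]", i)
            out.append(pattern[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}":
            out.append(")"); depth -= 1
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def rule_matches(rule_path: str, path: str) -> bool:
    """True if the symlink-resolved path is covered by the rule's glob."""
    return re.match(aa_glob_to_regex(rule_path), path) is not None

def first_matching_rule(rules, path):
    """First rule covering `path`, or None (the profile would deny the access)."""
    return next((r for r in rules if rule_matches(r, path)), None)

# Rule paths copied from the snap_browser draft above (permission flags dropped).
SNAP_BROWSER_RULES = ["/{,snap/core/[0-9]*/}usr/bin/snap", "/{,snap/core/*/}usr/lib/snapd/snap-confine",
                      "@{PROC}/sys/net/core/somaxconn", "/snap/chromium/*/meta/snap.yaml",
                      "/snap/firefox/*/meta/snap.yaml"]
if __name__ == "__main__":
    # /snap/bin/chromium is a symlink to /usr/bin/snap, so the kernel checks the target path.
    for p in ["/usr/bin/snap", "/snap/core/6531/usr/bin/snap",
              "/snap/chromium/1234/meta/snap.yaml", "/snap/chromium/1234/bin/chromium"]:
        print(f"{p:40} -> {first_matching_rule(SNAP_BROWSER_RULES, p)}")
```

Because AppArmor mediates the resolved target, a rule written for /snap/bin/chromium never matches the /usr/bin/snap binary that the symlink resolves to, which is the point raised earlier in the thread.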

Olivier Tilloy (osomon) wrote :

@Jamie, given your recent work on the evince apparmor profile, should that be assigned to you?

tags: added: snap
Changed in evince (Ubuntu):
importance: Undecided → High