Evince is not allowed to use exo-open

Bug #987578 reported by Wannes Rombouts on 2012-04-24
72
This bug affects 12 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Unassigned
Precise
Undecided
Unassigned
evince (Ubuntu)
Low
Jamie Strandboge
Precise
Undecided
Unassigned

Bug Description

Applications aren't able to use exo-open in Xubuntu with apparmor profiles enabled.

Test case (apparmor):
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
Launch firefox
Download a file in Firefox
Tools -> Downloads
Right Click and open the downloaded file, should fail with the old version and open with the new

Test case (evince):
Open PDF with a link in it under Xubuntu
Click the link
Should fail with the current versions of evince/apparmor and work with the new versions

---------------------------------------------

Regression potential:
minimal as this should just enable exo usage with apparmor profiles

----------------------------------------------

Using a fresh install of Xubuntu 12.04 beta, I can not open links from within evince.

A red bar appears on top and says :
"Unable to open external link"
"Failed to execute child process "exo-open" (Permission denied)"

I suppose this is due to a bad configuration of AppArmor.

ProblemType: BugDistroRelease: Ubuntu 12.04
Package: evince 3.4.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
Uname: Linux 3.2.0-23-generic x86_64
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
Date: Tue Apr 24 02:40:31 2012
EcryptfsInUse: Yes
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
KernLog:
 Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
 Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
 Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(1335227380.890:30): apparmor="DENIED" operation="exec" parent=13225 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13226 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bashSourcePackage: evince
UpgradeStatus: No upgrade log present (probably fresh install)

Wannes Rombouts (wapiflapi) wrote :
affects: evince (Ubuntu) → apparmor (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. Can you add the following to /etc/apparmor.d/local/usr.bin.evince:
/usr/bin/exo-open ixr,

Then do:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

and report back if this fixes the issue for you?

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
importance: Undecided → Low
affects: apparmor (Ubuntu) → evince (Ubuntu)
Wannes Rombouts (wapiflapi) wrote :

Hi, Thanks for your help.

This did not fix the issue. But it certainly changed things !

I no longer have the red bar saying "Failed to execute child process "exo-open" (Permission denied)", instead I have an alert saying :

"""
Failed to launch preferred application for category 'WebBrowser'.
Failed to execute child process '/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1' (Permission denied).
"""

So I figured I only needed to add "usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 ixr," to /etc/apparmor.d/local/usr.bin.evince

But that didn't work as expected, I don't have the alert anymore but it segfaults right after that. (I can include the additional information for that if you want.) But I am not sure adding that second line to apparmor's configuration was the right thing to do in the first place.

Jamie Strandboge (jdstrand) wrote :

Can you attach the output of the following command:
$ grep DENIED /var/log/kern.log

Wannes Rombouts (wapiflapi) wrote :

Sure, here it is.

Jamie Strandboge (jdstrand) wrote :

Thanks, it looks like the exo-open command is going to need a child profile (or something) as it is pulling in a lot of new stuff that it didn't used to.

Changed in evince (Ubuntu):
status: Incomplete → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Changed in evince (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :

Adding an apparmor task as we will likely need to fix the abstraction as well as the evince profile.

summary: - Evince is not allowed to open links from a pdf
+ Evince is not allowed to use exo-open
tnhh (tnhh) wrote :

I have the same problem with Ubuntu and chromium-browser. /var/log/syslog says

May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

For now I have just done

ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince

Jamie Strandboge (jdstrand) wrote :

tnhh, your problem is bug #964510

tnhh (tnhh) wrote :

Thanks Jamie! I foolishly searched under "evince" rather than "apparmor". Ignore my off-topic comment.

VS (storvann) wrote :

Adding the following line to /etc/apparmor.d/local/usr.bin.evince seems to fix the bug:
/usr/bin/exo-open Ux,
(i.e. Ux instead of ixr)

I do not know the security implications of this, but at least links in evince seem to work again.

Jamie Strandboge (jdstrand) wrote :

The security implication of using '/usr/bin/exo-open Ux' is that if there is a flaw in evince, an attacker can execute anything via exo-open. This is not the proper fix.

Mark Ramsell (mramsell) wrote :

System is Linux 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:33:05 UTC 2012 i686 i686 i386 GNU/Linux
Xubuntu 12.04
Stepped through all the DENIED errors and came up with this...

# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.
/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,

I believe this is restrictive enough but would like someone to confirm.

Jamie Strandboge (jdstrand) wrote :

Mark's update looks reasonable to me. Can others experiencing this issue confirm?

Anders Einar Hilden (kagee) wrote :

Modified fix to x64 (/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1) and it appared to work, but hit bug #964510 before i could confirm. No comment/knowledge on security implications.

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Changed in evince (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.5.3-0ubuntu5

---------------
evince (3.5.3-0ubuntu5) quantal; urgency=low

  * debian/apparmor-profile: allow evince to launch the browser on Xubuntu.
    Fix thanks to Mark Ramsell (LP: #987578)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 13:12:14 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Gryllida (gryllida) wrote :

My default browser is SeaMonkey and I am still experiencing a permissions issue.

~$ cat /etc/apparmor.d/local/usr.bin.evince
# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.

/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
~$

Clicking a hyperlink in evince get this error.

Failed to execute default Web Browser.
Failed to execute child process "seamonkey" (Permission denied).

Micah Gersten (micahg) on 2013-01-24
Changed in evince (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Micah Gersten (micahg)
milestone: none → ubuntu-12.04.2
Changed in apparmor (Ubuntu Precise):
milestone: none → ubuntu-12.04.2
status: New → In Progress
Steve Beattie (sbeattie) wrote :

Attached is a debdiff for this issue and for bug 982619 and bug 1091642 for an SRU for precise. I've confirmed that the package rebuilds correctly via sbuild and that the result passes the apparmor tests from lp:qa-regression-testing.

Micah Gersten (micahg) on 2013-01-25
description: updated
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Micah Gersten (micahg)
description: updated
Micah Gersten (micahg) on 2013-01-25
description: updated
Micah Gersten (micahg) on 2013-01-25
Changed in apparmor (Ubuntu Precise):
assignee: Micah Gersten (micahg) → nobody
Changed in evince (Ubuntu Precise):
assignee: Micah Gersten (micahg) → nobody
Micah Gersten (micahg) wrote :

These are uploaded, but since they're not critical for 12.04.2, they'll be reviewed after 12.04.2 is done with.

Changed in apparmor (Ubuntu Precise):
milestone: ubuntu-12.04.2 → none
Changed in evince (Ubuntu Precise):
milestone: ubuntu-12.04.2 → none

Hello Wannes, or anyone else affected,

Accepted evince into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/evince/3.4.0-0ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in evince (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Kip Warner (kip) wrote :

Brian. Thank you so much. From what I can see here, it seems to work now. Links launch successfully.

b3nmore (b3nmore) wrote :

I can confirm, that evince 3.4.0-0ubuntu1.5 from precise-proposed fixes the issue for me.

Miklos Juhasz (mjuhasz) on 2013-02-25
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.4.0-0ubuntu1.5

---------------
evince (3.4.0-0ubuntu1.5) precise-proposed; urgency=low

  * debian/apparmor-profile: allow evince to launch the browser on Xubuntu.
    Fix thanks to Mark Ramsell (LP: #987578)
 -- Micah Gersten <email address hidden> Thu, 24 Jan 2013 22:40:48 -0600

Changed in evince (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Hello Wannes, or anyone else affected,

Accepted apparmor into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Seth Arnold (seth-arnold) wrote :

Can someone verify this on precise?

I can't replicate the failure of the AppArmor test case here.

I installed the xfce4 package. I logged in using the xfce4 environment.

I downloaded a PDF and a PNG in Firefox, double-clicked them from the Downloads window (right-click no longer contains "open"), and they both opened without any trouble.

I replaced the PDF viewer "application helper" setting in Firefox with exo-open, and the PDF still opened without any trouble.

How exactly do you get this to break?

Thanks

Seth Arnold (seth-arnold) wrote :

I have re-tested this problem with the benefit of clarity of time. :)

I have verified that the AppArmor policy changes in the apparmor package in precise-proposed behave as desired, without DENIED entries, for using exo-open as the application helper.

I have verified that evince is able to open links with the new apparmor package in precise-proposed.

Thanks

tags: added: verification-done
removed: verification-needed
Seth Arnold (seth-arnold) wrote :

apparmor 2.7.102-0ubuntu3.8 has been superceded by apparmor 2.7.102-0ubuntu3.9 in -proposed and needs new verification.

tags: added: verification-needed
removed: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.8

---------------
apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low

  * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
    rewrite of PUx modes (LP: #982619)
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating
    the problem (LP: #1091642)
  * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work
    within ubuntu-integration (LP: #987578)
 -- Steve Beattie <email address hidden> Thu, 24 Jan 2013 11:40:48 -0800

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
tags: added: verification-done
removed: verification-needed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers