Evince is not allowed to use exo-open

Bug #987578 reported by Wannes Rombouts
This bug affects 12 people
Affects              Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)    Fix Released  Low         Unassigned
  Precise            Fix Released  Undecided   Unassigned
evince (Ubuntu)      Fix Released  Low         Jamie Strandboge
  Precise            Fix Released  Undecided   Unassigned

Bug Description

Applications aren't able to use exo-open in Xubuntu with apparmor profiles enabled.

Test case (apparmor):
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
Launch firefox
Download a file in Firefox
Tools -> Downloads
Right Click and open the downloaded file, should fail with the old version and open with the new

Test case (evince):
Open PDF with a link in it under Xubuntu
Click the link
Should fail with the current versions of evince/apparmor and work with the new versions

---------------------------------------------

Regression potential:
minimal as this should just enable exo usage with apparmor profiles

----------------------------------------------

Using a fresh install of Xubuntu 12.04 beta, I can not open links from within evince.

A red bar appears on top and says:
"Unable to open external link"
"Failed to execute child process "exo-open" (Permission denied)"

I suppose this is due to a bad configuration of AppArmor.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: evince 3.4.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
Uname: Linux 3.2.0-23-generic x86_64
ApportVersion: 2.0.1-0ubuntu5
Architecture: amd64
Date: Tue Apr 24 02:40:31 2012
EcryptfsInUse: Yes
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
KernLog:
 Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
 Apr 24 02:23:01 box kernel: [349894.110102] type=1400 audit(1335226981.475:29): apparmor="DENIED" operation="exec" parent=13158 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13159 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
 Apr 24 02:29:40 box kernel: [350293.526127] type=1400 audit(1335227380.890:30): apparmor="DENIED" operation="exec" parent=13225 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13226 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: evince
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Wannes Rombouts (wapiflapi) wrote :
affects: evince (Ubuntu) → apparmor (Ubuntu)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. Can you add the following to /etc/apparmor.d/local/usr.bin.evince:
/usr/bin/exo-open ixr,

Then do:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince

and report back if this fixes the issue for you?

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
importance: Undecided → Low
affects: apparmor (Ubuntu) → evince (Ubuntu)
Revision history for this message
Wannes Rombouts (wapiflapi) wrote :

Hi, Thanks for your help.

This did not fix the issue. But it certainly changed things!

I no longer have the red bar saying "Failed to execute child process "exo-open" (Permission denied)"; instead I have an alert saying:

"""
Failed to launch preferred application for category 'WebBrowser'.
Failed to execute child process '/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1' (Permission denied).
"""

So I figured I only needed to add "usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 ixr," to /etc/apparmor.d/local/usr.bin.evince

But that didn't work as expected: I don't have the alert anymore, but it segfaults right after that. (I can include the additional information for that if you want.) But I am not sure adding that second line to apparmor's configuration was the right thing to do in the first place.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Can you attach the output of the following command:
$ grep DENIED /var/log/kern.log

Revision history for this message
Wannes Rombouts (wapiflapi) wrote :

Sure, here it is.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks, it looks like the exo-open command is going to need a child profile (or something) as it is pulling in a lot of new stuff that it didn't used to.

Changed in evince (Ubuntu):
status: Incomplete → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Changed in evince (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Adding an apparmor task as we will likely need to fix the abstraction as well as the evince profile.

summary: - Evince is not allowed to open links from a pdf
+ Evince is not allowed to use exo-open
Revision history for this message
tnhh (tnhh) wrote :

I have the same problem with Ubuntu and chromium-browser. /var/log/syslog says

May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

For now I have just done

ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/usr.bin.evince

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

tnhh, your problem is bug #964510

Revision history for this message
tnhh (tnhh) wrote :

Thanks Jamie! I foolishly searched under "evince" rather than "apparmor". Ignore my off-topic comment.

Revision history for this message
VS (storvann) wrote :

Adding the following line to /etc/apparmor.d/local/usr.bin.evince seems to fix the bug:
/usr/bin/exo-open Ux,
(i.e. Ux instead of ixr)

I do not know the security implications of this, but at least links in evince seem to work again.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The security implication of using '/usr/bin/exo-open Ux' is that if there is a flaw in evince, an attacker can execute anything via exo-open. This is not the proper fix.

Revision history for this message
Mark Ramsell (mramsell) wrote :

System is Linux 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:33:05 UTC 2012 i686 i686 i386 GNU/Linux
Xubuntu 12.04
Stepped through all the DENIED errors and came up with this...

# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.
/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,

I believe this is restrictive enough but would like someone to confirm.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Mark's update looks reasonable to me. Can others experiencing this issue confirm?

Revision history for this message
Anders Einar Hilden (kagee) wrote :

Modified fix to x64 (/usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1) and it appeared to work, but hit bug #964510 before I could confirm. No comment/knowledge on security implications.

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Changed in evince (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.5.3-0ubuntu5

---------------
evince (3.5.3-0ubuntu5) quantal; urgency=low

  * debian/apparmor-profile: allow evince to launch the browser on Xubuntu.
    Fix thanks to Mark Ramsell (LP: #987578)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 13:12:14 -0500

Changed in evince (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Gryllida (gryllida) wrote :

My default browser is SeaMonkey and I am still experiencing a permissions issue.

~$ cat /etc/apparmor.d/local/usr.bin.evince
# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/README.

/usr/bin/exo-open ixr,
/usr/lib/i386-linux-gnu/xfce4/exo-1/exo-helper-1 ixr,
/etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
/etc/xdg/xfce4/helpers.rc r,
~$

Clicking a hyperlink in evince gives this error.

Failed to execute default Web Browser.
Failed to execute child process "seamonkey" (Permission denied).

Micah Gersten (micahg)
Changed in evince (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Micah Gersten (micahg)
milestone: none → ubuntu-12.04.2
Changed in apparmor (Ubuntu Precise):
milestone: none → ubuntu-12.04.2
status: New → In Progress
Revision history for this message
Steve Beattie (sbeattie) wrote :

Attached is a debdiff for this issue and for bug 982619 and bug 1091642 for an SRU for precise. I've confirmed that the package rebuilds correctly via sbuild and that the result passes the apparmor tests from lp:qa-regression-testing.

Micah Gersten (micahg)
description: updated
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Micah Gersten (micahg)
description: updated
Micah Gersten (micahg)
description: updated
Micah Gersten (micahg)
Changed in apparmor (Ubuntu Precise):
assignee: Micah Gersten (micahg) → nobody
Changed in evince (Ubuntu Precise):
assignee: Micah Gersten (micahg) → nobody
Revision history for this message
Micah Gersten (micahg) wrote :

These are uploaded, but since they're not critical for 12.04.2, they'll be reviewed after 12.04.2 is done with.

Changed in apparmor (Ubuntu Precise):
milestone: ubuntu-12.04.2 → none
Changed in evince (Ubuntu Precise):
milestone: ubuntu-12.04.2 → none
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Wannes, or anyone else affected,

Accepted evince into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/evince/3.4.0-0ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in evince (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Kip Warner (kip) wrote :

Brian. Thank you so much. From what I can see here, it seems to work now. Links launch successfully.

Revision history for this message
b3nmore (b3nmore) wrote :

I can confirm, that evince 3.4.0-0ubuntu1.5 from precise-proposed fixes the issue for me.

Miklos Juhasz (mjuhasz)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.4.0-0ubuntu1.5

---------------
evince (3.4.0-0ubuntu1.5) precise-proposed; urgency=low

  * debian/apparmor-profile: allow evince to launch the browser on Xubuntu.
    Fix thanks to Mark Ramsell (LP: #987578)
 -- Micah Gersten <email address hidden> Thu, 24 Jan 2013 22:40:48 -0600

Changed in evince (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Dave Walker (davewalker) wrote : Please test proposed package

Hello Wannes, or anyone else affected,

Accepted apparmor into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apparmor/2.7.102-0ubuntu3.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Can someone verify this on precise?

I can't replicate the failure of the AppArmor test case here.

I installed the xfce4 package. I logged in using the xfce4 environment.

I downloaded a PDF and a PNG in Firefox, double-clicked them from the Downloads window (right-click no longer contains "open"), and they both opened without any trouble.

I replaced the PDF viewer "application helper" setting in Firefox with exo-open, and the PDF still opened without any trouble.

How exactly do you get this to break?

Thanks

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I have re-tested this problem with the benefit of clarity of time. :)

I have verified that the AppArmor policy changes in the apparmor package in precise-proposed behave as desired, without DENIED entries, for using exo-open as the application helper.

I have verified that evince is able to open links with the new apparmor package in precise-proposed.

Thanks

tags: added: verification-done
removed: verification-needed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

apparmor 2.7.102-0ubuntu3.8 has been superseded by apparmor 2.7.102-0ubuntu3.9 in -proposed and needs new verification.

tags: added: verification-needed
removed: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.8

---------------
apparmor (2.7.102-0ubuntu3.8) precise-proposed; urgency=low

  * 0022-aa-logprof-PUx_rewrite_fix-lp982619.patch: fix aa-logprof
    rewrite of PUx modes (LP: #982619)
  * 0023-lp1091642-parser-reset_matchflags.patch: prevent reuse of
    matchflags in parser dfa backend and add testcase demonstrating
    the problem (LP: #1091642)
  * 0024-profiles-allow_exo-open-lp987578.patch: allow exo-open to work
    within ubuntu-integration (LP: #987578)
 -- Steve Beattie <email address hidden> Thu, 24 Jan 2013 11:40:48 -0800

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
tags: added: verification-done
removed: verification-needed
Revision history for this message
G.M. (sexxxenator) wrote :

Hi,

This bug is back in Document Viewer/Evince(*) 3.36.7, at least under Linux Mint 20 Ulyana.

Apparently, evince does not try to use exo-open anymore, but launches firefox directly (or via a sh shell?!?!) :{
I get error: "sh: 1: exec: firefox: Operation not permitted"

I've tried the trick found here to modify /etc/apparmor.d/usr.bin.evince but with not success.

I used (NOTE: I have absolutely no idea what "ixr" could mean, thus what I'm doing...):
/usr/bin/firefox ixr, -> error about "option" x being in conflict
/usr/bin/firefox r, -> does not work
/usr/bin/sh r, -> seems very dangerous & does not work

(*) Life would be a LOT easier for bug reporters if only one name would be used for app, instead of one name in CLI (/usr/bin/evince) and another in GUI (Document Viewer)...

Revision history for this message
John Johansen (jjohansen) wrote :

can you look in dmesg or kern.log for the actual apparmor denial?

> I have absolutely no idea what "ixr"

allow r (read) permission
allow ix == on eXecute inherit the current profile

an exec permission can specify different options that should be taken, inherit the current profile, transition to specific profile, transition based on the exec profile name, ...

> /usr/bin/firefox ixr, -> error about "option" x being in conflict

there is another exec rule that matches and it specifies that something else should be done. Hence they conflict.

> /usr/bin/firefox r, -> does not work
> /usr/bin/sh r, -> seems very dangerous & does not work

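The DENIED audit lines quoted in the report, and John Johansen's explanation of what "ixr" grants, are what every local override in this thread was built from. As an added example (not part of this bug report or of the apparmor tools), here is a small Python parser that pulls the quoted fields out of such kernel log lines and proposes the narrowest rule each one needs, choosing "ix" for exec denials, as the maintainer asked for, rather than "Ux", which would run the helper unconfined; the sample lines are copied from the report above.

```python
import re

# Sample input: the exec denial from the original report and the file_mmap
# denial quoted by tnhh, copied verbatim from this bug page.
SAMPLE_LOG = """\
Apr 24 02:22:50 box kernel: [349882.938280] type=1400 audit(1335226970.303:28): apparmor="DENIED" operation="exec" parent=13156 profile="/usr/bin/evince" name="/usr/bin/exo-open" pid=13157 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
May 1 12:17:13 theakston kernel: [100752.649693] type=1400 audit(1335871033.942:36): apparmor="DENIED" operation="file_mmap" parent=28630 profile="/usr/bin/evince//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.15.so" pid=28635 comm="chromium-browse" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
"""

# AppArmor audit lines carry their interesting values as key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(log_text):
    """Return one dict of quoted fields per apparmor="DENIED" line."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events


def suggest_rule(event):
    """Propose the least-privilege profile rule that would satisfy one denial.

    An exec denial becomes '<path> ixr,': the child inherits the caller's
    profile, so a flaw in evince cannot be used to run arbitrary programs
    through the helper. 'Ux' would also silence the denial but drops all
    confinement for the child, which is why it was rejected in this bug.
    For anything else, the letters in denied_mask (r, w, m, ...) are exactly
    the permissions the rule has to grant.
    """
    name = event["name"]
    if event.get("operation") == "exec":
        return f"{name} ixr,"
    perms = "".join(sorted(set(event["denied_mask"])))
    return f"{name} {perms},"


def rules_by_profile(log_text):
    """Group proposed rules by the profile that produced the denial.

    Rules for a child profile such as //sanitized_helper must go into that
    child, not into the parent's local override file.
    """
    out = {}
    for ev in parse_denials(log_text):
        rules = out.setdefault(ev["profile"], [])
        rule = suggest_rule(ev)
        if rule not in rules:
            rules.append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# rules needed by profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Review what comes out before adding it to /etc/apparmor.d/local/: a rule proposed from a denial only tells you what the program tried, not whether it should be allowed.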