Hi, I'm on Ubuntu 23.10 using the Brave browser snap and I still face the issue (cannot open links in evince using the Brave browser snap).
Here are the versions:
```console
❯ apt list --installed | rg 'evince|apparmor'
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
evince-common/mantic,mantic,now 45.0-1 all [installed,automatic]
evince/mantic,now 45.0-1 amd64 [installed]
libapparmor1/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
```
Brave Browser 120.1.61.101
`journalctl -f` log:
```console
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
I see the following in `/etc/apparmor.d/usr.bin.evince` with all includes commented, including the `snap_browsers` line. Is that normal? Thanks
```
File: /etc/apparmor.d/usr.bin.evince
Size: 11.5 KB

# vim:syntax=apparmor

# evince is not written with application confinement in mind and is designed to
# operate within a trusted desktop session where anything running within the
# user's session is trusted. That said, evince will often process untrusted
# input (PDFs, images, etc). Ideally evince would be written in such a way that
# image processing is separate from the main process and that processing
# happens in a restrictive sandbox, but unfortunately that is not currently the
# case. Because evince will process untrusted input, this profile aims to
# provide some hardening, but considering evince's design and other factors such
# as X, gsettings, accessibility, translations, DBus session and system
# services, etc, complete confinement is not possible.

#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>

  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>

  # allow evince to spawn browsers distributed as snaps (LP: #1794064)
  #include if exists <abstractions/snap_browsers>

  # For now, let evince talk to any session services over dbus. We can
  # blacklist any problematic ones (but note, evince uses libsecret :\)
  #include <abstractions/dbus-session>

  #include <abstractions/dbus-strict>
  dbus (receive) bus=system,
```
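An added example, not part of the original post or of AppArmor's own tooling: it parses the `DENIED` audit records from the journal excerpt, splitting the `parent//child` profile name, and lists which profile lines are include directives (in AppArmor profile syntax `#include <...>` is the include directive, while `# text` is a comment). The sample strings are constructed from lines quoted in the post, and the function names are assumptions.

```python
import re
import shlex

# Constructed sample: the three journal lines quoted in the post above.
SAMPLE_LOG = """\
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""
# Constructed sample: a few lines taken from the profile listing in the post.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/evince {
  #include <abstractions/evince>
  # allow evince to spawn browsers distributed as snaps (LP: #1794064)
  #include if exists <abstractions/snap_browsers>
  dbus (receive) bus=system,
"""

AUDIT_RE = re.compile(r'audit\([\d.]+:\d+\): (?P<kv>apparmor="DENIED".*)')
# apparmor.d(5): "#include" and "include" are both directives, optionally "if exists".
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?P<opt>if\s+exists\s+)?<(?P<path>[^>]+)>')

def parse_denials(log_text):
    """Return one dict of key=value fields per AppArmor DENIED audit record."""
    records = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            fields = dict(t.split("=", 1) for t in shlex.split(m["kv"]) if "=" in t)
            # "parent//child" names a child profile nested under the parent.
            fields["parent"], _, fields["child"] = fields["profile"].partition("//")
            records.append(fields)
    return records

def denied_paths_by_profile(records):
    """Map each confining profile to the sorted (path, denied_mask) pairs it blocked."""
    out = {}
    for r in records:
        out.setdefault(r["profile"], set()).add((r["name"], r["denied_mask"]))
    return {profile: sorted(pairs) for profile, pairs in out.items()}

def include_directives(profile_text):
    """Return (path, is_conditional) per include directive; plain comments are skipped."""
    hits = (INCLUDE_RE.match(line) for line in profile_text.splitlines())
    return [(m["path"], bool(m["opt"])) for m in hits if m]

if __name__ == "__main__":
    print(denied_paths_by_profile(parse_denials(SAMPLE_LOG)))
    print(include_directives(SAMPLE_PROFILE))
```

Grouping denials by the full profile name shows which child profile needs a rule for each blocked path, rather than the parent `/usr/bin/evince` profile.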