Comment 80 for bug 1794064

Gerard (gbosch) wrote:

Hi, I'm on Ubuntu 23.10 using the Brave browser snap and I still face the issue (cannot open links from evince using the Brave browser snap).

Here are the versions:

```console
❯ apt list --installed | rg 'evince|apparmor'
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
evince-common/mantic,mantic,now 45.0-1 all [installed,automatic]
evince/mantic,now 45.0-1 amd64 [installed]
libapparmor1/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
```

Brave Browser 120.1.61.101

`journalctl -f` log:

```console
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

I see the following in `/etc/apparmor.d/usr.bin.evince`, with all includes commented out, including the `snap_browsers` line. Is that normal? Thanks.

```
# File: /etc/apparmor.d/usr.bin.evince (11.5 KB, first lines shown)
# vim:syntax=apparmor

# evince is not written with application confinement in mind and is designed to
# operate within a trusted desktop session where anything running within the
# user's session is trusted. That said, evince will often process untrusted
# input (PDFs, images, etc). Ideally evince would be written in such a way that
# image processing is separate from the main process and that processing
# happens in a restrictive sandbox, but unfortunately that is not currently the
# case. Because evince will process untrusted input, this profile aims to
# provide some hardening, but considering evince's design and other factors such
# as X, gsettings, accessibility, translations, DBus session and system
# services, etc, complete confinement is not possible.

#include <tunables/global>

/usr/bin/evince {
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus-accessibility>
#include <abstractions/evince>
#include <abstractions/ibus>
#include <abstractions/nameservice>

#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
#include <abstractions/ubuntu-email>
#include <abstractions/ubuntu-console-email>
#include <abstractions/ubuntu-media-players>

# allow evince to spawn browsers distributed as snaps (LP: #1794064)
#include if exists <abstractions/snap_browsers>

# For now, let evince talk to any session services over dbus. We can
# blacklist any problematic ones (but note, evince uses libsecret :\)
#include <abstractions/dbus-session>

#include <abstractions/dbus-strict>
dbus (receive) bus=system,
```
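Added example, not part of the bug report or of the evince/AppArmor projects: a small Python triage script that parses the kernel audit lines quoted in the comment above into key/value fields, groups the `apparmor="DENIED"` file accesses per profile, and renders each denied path as a candidate file rule for review. The two audit lines and the unrelated `brave_brave.desktop` line are embedded as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample input: the journalctl lines from the comment above.
# The middle line is not an AppArmor audit event and must be ignored.
SAMPLE_LOG = """\
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Matches key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_denials(log_text):
    """Map profile -> {denied path -> set of denied permission characters}."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("class") != "file":
            continue
        denied[f["profile"]][f["name"]].update(f["denied_mask"])
    return denied


def suggest_rules(denied):
    """Render each denied path as a candidate AppArmor file rule for human review."""
    rules = {}
    for profile, paths in denied.items():
        rules[profile] = sorted(
            f"{path} {''.join(sorted(mask))}," for path, mask in paths.items()
        )
    return rules


if __name__ == "__main__":
    for profile, rule_lines in suggest_rules(summarize_denials(SAMPLE_LOG)).items():
        print(profile)
        for rule in rule_lines:
            print("   ", rule)
```

The suggested lines are a starting point for comparing against what `abstractions/snap_browsers` already grants, not something to paste into the profile unreviewed.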