"Unable to open external link" in Evince when google-chrome-unstable is the default browser

Bug #1730536 reported by Paul Natsuo Kishimoto
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Undecided | Unassigned |
apparmor (Debian) | Confirmed | Undecided | Unassigned |
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

TO REPRODUCE:

I attempt to open a URL from a PDF document in Evince.

EXPECTED:

The browser opens the URL.

OBSERVED:

I'm shown an error message:

Unable to open external link
Failed to execute child process “/usr/bin/google-chrome-unstable” (Permission denied)

journalctl shows:

Nov 06 19:19:18 khaeru-laptop audit[22110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov 06 19:19:18 khaeru-laptop kernel: audit: type=1400 audit(1510013958.773:590): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

EXTRA INFORMATION:

- As the messages imply, I'm using Google Chrome "unstable".
- The file
  /usr/bin/google-chrome-unstable
  …is symlinked to:
  /opt/google/chrome-unstable/google-chrome-unstable
- I note that previous bugs, e.g. bug #964510, resulted in lines being added to
  /etc/apparmor.d/abstractions/ubuntu-helpers that refer to paths in
  /opt/google/chrome/. This directory does not exist on my system.

$ lsb_release -rd && apt-cache policy apparmor evince google-chrome-unstable
Description: Ubuntu 17.10
Release: 17.10
apparmor:
  Installed: 2.11.0-2ubuntu17
  Candidate: 2.11.0-2ubuntu17
  Version table:
 *** 2.11.0-2ubuntu17 500
        500 http://us.archive.ubuntu.com/ubuntu artful/main amd64 Packages
        100 /var/lib/dpkg/status
evince:
  Installed: 3.26.0-1
  Candidate: 3.26.0-1
  Version table:
 *** 3.26.0-1 500
        500 http://us.archive.ubuntu.com/ubuntu artful/main amd64 Packages
        100 /var/lib/dpkg/status
google-chrome-unstable:
  Installed: 64.0.3251.0-1
  Candidate: 64.0.3253.3-1
  Version table:
     64.0.3253.3-1 500
        500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
 *** 64.0.3251.0-1 100
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: apparmor 2.11.0-2ubuntu17
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.1
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Nov 6 19:20:34 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-10-11 (26 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.13.0-16-generic.efi.signed root=UUID=39ca3c53-0313-4699-a5da-403522e2ff14 ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to artful on 2017-10-19 (18 days ago)
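
A triage helper for the kind of journal output quoted in the report, added here as an example (it is not part of the bug report or of AppArmor): it parses AppArmor `DENIED` records, collapses the `audit[...]` and `kernel:` copies of one event, and reports which profile was refused which access to which path. The function names and the 15-character timestamp prefix used for de-duplication are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the two journal lines quoted in the report, which are
# the same denial logged once as "audit[pid]: AVC" and once as "kernel: audit:".
SAMPLE = '''\
Nov 06 19:19:18 khaeru-laptop audit[22110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov 06 19:19:18 khaeru-laptop kernel: audit: type=1400 audit(1510013958.773:590): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/google/chrome-unstable/google-chrome-unstable" pid=22110 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    start = line.find('apparmor="DENIED"')
    if start < 0:
        return None
    return {key: quoted or bare
            for key, quoted, bare in FIELD.findall(line[start:])}


def summarize(text):
    """Count unique denials keyed by (profile, operation, path, denied_mask)."""
    seen, counts = set(), Counter()
    for line in text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        # Assumption: journalctl short format, so the first 15 characters are
        # the timestamp. Same second + pid + fields is treated as one event.
        event = (line[:15], fields.get("pid"), fields.get("profile"),
                 fields.get("operation"), fields.get("name"),
                 fields.get("denied_mask"))
        if event in seen:
            continue
        seen.add(event)
        counts[event[2:]] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize(SAMPLE).items():
        print(f"{n}x profile {profile}: {op} of {path} denied (mask {mask})")
```

The `name` field carries the path AppArmor checked, `/opt/google/chrome-unstable/google-chrome-unstable`, rather than the `/usr/bin/google-chrome-unstable` symlink shown in Evince's error dialog.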

intrigeri (intrigeri) wrote :

This should be easy to fix with something very similar to https://gitlab.com/apparmor/apparmor/merge_requests/7. While I'm at it I'll check that google-chrome-stable works too.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Debian):
status: New → Confirmed
Changed in apparmor:
status: New → Confirmed
summary: - "Unable to open external link" in evince
+ "Unable to open external link" in Evince when google-chrome-unstable is
+ the default browser
tags: added: aa-policy
intrigeri (intrigeri) wrote :

https://gitlab.com/apparmor/apparmor/merge_requests/9 fixes this bug on my Debian sid test VM.

Paul Natsuo Kishimoto (khaeru) wrote :

I can confirm that the changes from that merge request, when manually applied on my system, fix the problem. Thanks!

intrigeri (intrigeri)
Changed in apparmor:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

---------------
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.12

Changed in apparmor:
status: Fix Committed → Fix Released