evince apparmor profile prevents movies from opening

Bug #462419 reported by Pausanias
This bug affects 8 people
Affects            Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)  Fix Released  Undecided   Jamie Strandboge
evince (Ubuntu)    Fix Released  Low         Jamie Strandboge

Bug Description

Binary package hint: evince

When trying to open a movie with vlc or totem from within evince, I get the error: "Failed to execute child process vlc (Permission denied)". The same happens with totem.

I have been looking at all the "apparmor prevents" bugs that have been reported of late. DVI printing, chromium, etc... the package maintainers' strategy has been to add exceptions to the apparmor profile as the bugs come in. May I comment that this is a ludicrous situation? There are going to be numerous helper applications that people might want to use within a PDF file... why is apparmor blocking them all?

[22:47][kirkwood][~] > lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10
[22:48][kirkwood][~] > apt-cache policy evince
evince:
  Installed: 2.28.1-0ubuntu1
  Candidate: 2.28.1-0ubuntu1
  Version table:
 *** 2.28.1-0ubuntu1 0
        500 http://us.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

Expected to happen: movie opens when clicked on
What happens instead: help application (totem/vlc) prevented from running by apparmor
Reproducible: 100%

Tags: apparmor

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug report; that common software should probably be allowed by apparmor for all desktop profiles.

affects: evince (Ubuntu) → apparmor (Ubuntu)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. Can you attach the PDF that is causing the issue as well as the output of:
$ grep audit /var/log/kern.log

Changed in apparmor (Ubuntu):
status: New → Incomplete
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
nZain (patrick-stalph) wrote :

This bug affects me, too (Karmic Koala). Links to external files in a PDF document cannot be opened by evince due to permission problems. I generated a minimal example pdf using latex (see attachments movie.pdf, movie.mp4, movie.tex). The movie is required to be in the same directory as the PDF document.

Revision history for this message
nZain (patrick-stalph) wrote :

The command
$ grep audit /var/log/kern.log
reveals:

Nov 9 12:02:26 dell-xps kernel: [ 7516.169972] type=1503 audit(1257764546.009:31): operation="exec" pid=3890 parent=1 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/totem"

best regards
   Patrick

Revision history for this message
Pausanias (pausanias) wrote :

Here is the hand-edited /etc/apparmor.d/abstractions/evince which fixes the problem. Basically, you need to add a line for totem and vlc.

Revision history for this message
nZain (patrick-stalph) wrote :

Unfortunately, this did not solve the problem. Comparing my /etc/apparmor.d/abstractions/evince with yours showed that you added the following two lines (in the supported archivers paragraph):

  /usr/bin/vlc ixr,
  /usr/bin/totem ixr,

I also added the lines to my evince file and rebooted. However, this didn't resolve the problem. In /var/log/kern.log I found another entry that could be related to this problem. After clicking on the movie link in my pdf file, the following lines appear in /var/log/kern.log

Nov 10 11:37:05 dell-xps kernel: [ 468.494963] type=1503 audit(1257849425.550:24): operation="open" pid=2009 parent=1981 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/gnome/defaults.list"
Nov 10 11:37:05 dell-xps kernel: [ 468.499915] type=1503 audit(1257849425.554:25): operation="exec" pid=2013 parent=1 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/totem"

I think evince first tries to figure out which is the default video player by accessing /etc/gnome/defaults.list (mask="::r" means read only, I guess?) - it fails, but evince then uses totem anyway, which is indeed the default on my almost fresh install of karmic. However, that fails too. I'm not sure about those masks - but I'm trying to enable read access to /etc/gnome/defaults.list and will report back in a few minutes.
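The kern.log records quoted in this thread are AppArmor type=1503 audit events, and the permission letters after the last "::" in denied_mask are the accesses that were refused (r for read, x for execute). The following script is an added example, not part of the bug report or of the AppArmor tools: it parses such lines, groups the denials per profile, and prints the profile rule that would correspond to each denial, which is exactly what the hand edits in this thread (`/usr/bin/totem ixr,`, `/etc/gnome/defaults.list r,`) do by hand. The sample log is constructed from the lines posted above plus one unrelated kernel message to show that non-AppArmor lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial lines quoted in this bug report,
# plus one unrelated kernel message that the parser must ignore.
SAMPLE_LOG = """\
Nov 10 11:37:05 dell-xps kernel: [ 468.494963] type=1503 audit(1257849425.550:24): operation="open" pid=2009 parent=1981 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/gnome/defaults.list"
Nov 10 11:37:05 dell-xps kernel: [ 468.499915] type=1503 audit(1257849425.554:25): operation="exec" pid=2013 parent=1 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/totem"
Nov 12 10:44:04 dell-xps kernel: [ 1240.946766] type=1503 audit(1258019044.071:23): operation="exec" pid=2993 parent=2992 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/vlc"
Nov 12 10:45:00 dell-xps kernel: [ 1300.000000] usb 1-1: new high-speed USB device (constructed, unrelated line)
"""

# Audit header: type=1503 audit(<epoch seconds>:<serial>):
AUDIT_RE = re.compile(r'type=1503 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
# key="value" fields that follow the header (unquoted fields like pid=... are ignored here)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return one dict per AppArmor type=1503 record in `text`; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        rec = dict(KV_RE.findall(line[m.end():]))
        rec["timestamp"] = float(m.group("ts"))
        rec["serial"] = int(m.group("serial"))
        # The permission letters sit after the last '::' of the mask ('::x' -> 'x').
        rec["denied"] = rec.get("denied_mask", "").rsplit("::", 1)[-1]
        records.append(rec)
    return records


def summarize(records):
    """Group denials as profile -> (operation, path) -> set of denied permission letters."""
    summary = defaultdict(lambda: defaultdict(set))
    for r in records:
        summary[r["profile"]][(r["operation"], r["name"])].update(r["denied"])
    return summary


def suggest_rule(operation, path, perms):
    """Profile rule matching the denial; 'ix' runs the child under the caller's own profile,
    which is the mode the hand edits in this thread used."""
    if "x" in perms:
        return f"{path} ixr,"
    return f"{path} {''.join(sorted(perms))},"


if __name__ == "__main__":
    for profile, entries in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"profile {profile}:")
        for (op, path), perms in sorted(entries.items()):
            rule = suggest_rule(op, path, perms)
            print(f"  {op:5} {path:28} denied={''.join(sorted(perms))}  -> {rule}")
```

Run against the real file with `python3 parse_denials.py < /var/log/kern.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; the grouped view is what makes it obvious whether a rule you added is being hit at all (the same exec denial recurring after a reload, as nZain saw, means the policy in the kernel is not the one on disk, not that the rule syntax is wrong).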

Revision history for this message
nZain (patrick-stalph) wrote :

In order to allow the access to the defaults.list, I added

  /etc/gnome/defaults.list r,

but nothing changed. Guess I should stop fishing in this muddy water and let the pros fix it.

Revision history for this message
Steve Beattie (sbeattie) wrote :

nZain: did you reload the evince apparmor policy after you hand edited /etc/apparmor.d/abstractions/evince or /etc/apparmor.d/usr.bin.evince via 'sudo apparmor_parser --reload /etc/apparmor.d/usr.bin.evince'? Your changes won't take effect until you've reloaded the evince policy into the kernel, either by using the parser or rebooting.

Revision history for this message
nZain (patrick-stalph) wrote :

I rebooted, since I didn't know how to reload apparmor. I didn't modify /etc/apparmor.d/usr.bin.evince - maybe this file overrides the other one?

Revision history for this message
Steve Beattie (sbeattie) wrote : Re: [Bug 462419] Re: evince apparmor profile prevents movies from opening

On Wed, Nov 11, 2009 at 09:28:43AM -0000, nZain wrote:
> I rebooted, since I didn't know, how to reload apparmor.

Okay, that will have updated the policy in the kernel as well.

> I didn't modify /etc/apparmor.d/usr.bin.evince - maybe this file
> overrides the other one?

Nope, that's fine if you modified /etc/apparmor.d/abstractions/evince;
it gets pulled into the policies defined in
/etc/apparmor.d/usr.bin.evince.

Can you attach your modified version of
/etc/apparmor.d/abstractions/evince to the bug report? I'm quite
confused as to why adding '/usr/bin/totem ixr,' results in an apparmor
rejection that's preventing /usr/bin/totem from executing (the '::x' bit
listed in your kern.log). Can you also verify that the rejections that
are showing up in kern.log are the same?

Thanks for your patience in troubleshooting this!

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Revision history for this message
nZain (patrick-stalph) wrote :

For my previous postings, my file was the same as the one posted by Pausanias on 2009-11-10. The attached file is the current one (no time for a diff, it's lunchtime - sorry).

Just to prevent confusion - today I got some evince-related updates from the update-manager, and thus the /etc/apparmor.d/abstractions/evince file changed. It asked me to keep my modified version or to get the current upstream version. I accepted the current upstream version, so my current file is not the same as posted by Pausanias on 2009-11-10. However, the changes were related to browsers and other stuff - totem, vlc, and videos were not involved. Consequently the problem remains unsolved. The current upstream version gives me the same errors as before. I'll now try to add the mystical two lines, again, and reload apparmor.

Unfortunately, nothing changed. The message in kern.log remains, telling

Nov 11 12:00:31 dell-xps kernel: [ 1098.989525] type=1503 audit(1257937231.565:30): operation="exec" pid=2418 parent=2417 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/totem"

Furthermore evince is unable to read the /etc/gnome/defaults.list

Nov 11 11:59:38 dell-xps kernel: [ 1045.440625] type=1503 audit(1257937178.014:28): operation="open" pid=2408 parent=1 profile="/usr/bin/evince" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/gnome/defaults.list"

Anyways, I'm not able to change the default video player.. tried system->preferences->preferred applications, but the menu only talks about multimedia in general. In nautilus I can change the applications, but this is for media-insertion (like cds).

Revision history for this message
Pausanias (pausanias) wrote :

nZain, I'm not sure what's wrong with your setup, because replacing /etc/apparmor.d/abstractions/evince with the file I attached worked flawlessly for me after restarting apparmor. Did you try using my exact file, rather than editing your own file? I did not modify usr.bin.evince.

Also, I rejected the most recent evince update with the newer apparmor profile.

To change the default player, you have to do it by extension. Find an AVI file in nautilus. Right-click, properties, open with, select your media player (totem or vlc). You have to repeat this with each type of file (mp4, mpg, etc.)

And I still think the state of the evince apparmor profile has not been well thought out. You should not be restricting the helper applications that a user can call from evince. What if I want to make a presentation that views a .XYZ file with my special graphics program renderXYZ (not at all uncommon for scientific presentations)? I have to have root access so I can edit that abstraction file? This is a poor design choice.

Revision history for this message
Pausanias (pausanias) wrote :

Example has been posted, so changing this to confirmed.

Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
nZain (patrick-stalph) wrote :

Pausanias wrote:
> nZain, I'm not sure what's wrong with your setup, because replacing
> /etc/apparmor.d/abstractions/evince with the file I attached worked
> flawlessly for me after restarting apparmor. Did you try using my exact
> file, rather than editing your own file? I did not modify usr.bin.evince.

I used the exact same file, sorry for not being clear. I really appreciate your help. Too sad, it doesn't work for my system, mh.

> Also, I rejected the most recent evince update with the newer apparmor profile.

A diff of my current file (current upstream + totem&vlc entries) to your posted file shows the changes for tiff extensions:

patrick@dell-xps:launchpad$ diff /etc/apparmor.d/abstractions/evince evince
84d83
< /**.[tT][iI][fF] r,

> To change default player, you have to do it by extension. Find and
> AVI file in nautilus. Right-click, properties, open with, select your
> media player (totem or vlc). You have to repeat this with each type
> of file (mp4, mpg, etc.)

Thanks for the hint, I managed to change the default for mp4 (example posted above) to vlc. Although evince cannot access /etc/gnome/defaults.list it knows that vlc is now the default. However, the error remains. /var/log/kern.log says

Nov 12 10:44:04 dell-xps kernel: [ 1240.946766] type=1503 audit(1258019044.071:23): operation="exec" pid=2993 parent=2992 profile="/usr/bin/evince" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/vlc"

Revision history for this message
reto.koenig (reto-koenig) wrote :

Thank you all!

The additions in /etc/apparmor.d/abstractions/evince
  /usr/bin/vlc ixr,
  /usr/bin/totem ixr,

Followed by

sudo apparmor_parser --reload /etc/apparmor.d/usr.bin.evince

Made it happen!

Everything works as desired... Hopefully I did not open an evil security-gap like that ;-)

Revision history for this message
nZain (patrick-stalph) wrote :

tried this the x'th time now - doesn't work for me.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This will need an adjustment to the evince profile as well as the apparmor abstraction to fix for Lucid.

tags: added: apparmor
Changed in evince (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
Changed in evince (Ubuntu):
importance: Undecided → Low
status: Confirmed → Triaged
Revision history for this message
Alejandro Weinstein (alejandro-weinstein) wrote :

Same behavior as nZain. I modified /etc/apparmor.d/abstractions/evince and then

sudo apparmor_parser --reload /etc/apparmor.d/usr.bin.evince

but still can open a video from evince.

Revision history for this message
Alejandro Weinstein (alejandro-weinstein) wrote :

Sorry. The last line should read:

"but still can't open a video from evince"

(I couldn't find how to edit my previous comment).

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The AppArmor portion of this bug was fixed in 2.5~pre+bzr1367-0ubuntu1.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.29.91-0ubuntu2

---------------
evince (2.29.91-0ubuntu2) lucid; urgency=low

  * debian/apparmor-profile.abstraction: allow access to ubuntu-media-players
    (LP: #462419)
 -- Jamie Strandboge <email address hidden> Mon, 08 Mar 2010 15:41:42 -0600

Changed in evince (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
nZain (patrick-stalph) wrote :

Although the previous tricks didn't resolve my problem, it is now - due to several apparmor updates - fixed. However, running videos from evince doesn't work with totem (it just opens totem & exits before playing the video). It does work with VLC - maybe this helps Alejandro Weinstein. So I can finally confirm that this bug is fixed.

Revision history for this message
Alejandro Weinstein (alejandro-weinstein) wrote :

nZain: Do you remember when it did start working?

My system is up to date, and I still have the same problem.

Revision history for this message
nZain (patrick-stalph) wrote :

Unfortunately, I can't say. I tried it today because Jamie said, it was
fixed... (again). Today it worked the first time for me.

Alejandro Weinstein wrote:
> nZain: Do you remember when it did start working?
>
> My system is up to date, and I still have the same problem.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

nZain,

This was fixed in Lucid, and you need to have both the updated apparmor and evince package up to date. This bug is confirmed as fixed here with your reproducer. Please make sure your system is up to date, then if you are still having a problem, file a new bug with 'ubuntu-bug evince'. Thanks

Revision history for this message
Alejandro Weinstein (alejandro-weinstein) wrote :

> This was fixed in Lucid

Does this mean that the bug is still present in Karmic?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Alejandro,

Correct. This is fixed in the Ubuntu development release (Lucid), not Ubuntu 9.10 (Karmic).

Revision history for this message
Adrian (add001) wrote :

Pausanias wrote:
> I have been looking at all the "apparmor prevents" bugs that have been reported of late. DVI printing, chromium, etc...
> the package maintainers' strategy has been to add an exceptions to the apparmor profile as the bugs come in. May I
> comment that this is a ludicrous situation? There are going to be numerous helper applications that people might
> want to use within a PDF file... why is apparmor blocking them all?

and in another message added:
> And I still think the state of the evince apparmor profile has not been well thought out. You should not be restricting
> the helper applications that a user can call from evince. What if I want to make a presentation that views a .XYZ file
> with my special graphics program renderXYZ (not at all uncommon for scientific presentations)? I have to have root
> access so I can edit that abstraction file? This is a poor design choice.

I completely agree. I have this problem now with gmplayer, and I am quite amazed such a restriction was added without a non-root way of adding arbitrary helper apps. Or have apparmor pop up the question to the user of granting access to this or that. Is there still no other way around than editing /etc/apparmor.d/abstractions/evince as root and reloading?

Nobody cares to comment on the point Pausanias made?

Revision history for this message
Adrian (add001) wrote :

There is the (now) obvious solution of removing the apparmor package altogether, which is what I did. I'll have apparmor back when this kind of issue has been resolved.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

At this time AppArmor does not support per-user profiles, but this is a desired feature. If there are bugs in the profile (gmplayer was mentioned), these bugs need to be filed in Launchpad so that they can be corrected. Since this bug was not already reported, I have done so in bug #591421 and already committed a fix for it.

Adrian et al, the philosophy behind apparmor profiles in Ubuntu is to have the profiles just work in default and common configurations and not have the user have to worry about them generally. As mentioned, if there are specific examples of things that should be added to the profile, please file a bug so a developer can fix it.

Adrian, removing the apparmor package is not recommended. There are many profiles protecting your system that are not causing you any trouble. If the evince profile is causing you problems, then you may simply disable it by performing:
$ sudo touch /etc/apparmor.d/disable/usr.bin.evince

Revision history for this message
Rolando Garza (rolandog) wrote :

Hello everyone.

I've read the whole thread and I am experiencing a related bug.

My specific scenario is that I'm creating a PDF (by exporting from Emacs / Org-Mode) that contains a link to a local video. It may have been a recent change in AppArmor that has resulted in the videos not opening anymore (or maybe a security patch?), but I'm not able to open either mp4 or webm videos like I could with mpv.

I read the /etc/apparmor.d/abstractions/evince file, and added the following to the /etc/apparmor.d/local/usr.bin.evince file:

    # vim:syntax=apparmor
    #
    # abstraction used by evince binaries
    #

      # supported archivers
      /usr/bin/mpv ixr,
      /usr/bin/totem ixr,
      /usr/bin/vlc ixr,

After performing:

    rolandog@computer:~$ sudo apparmor_parser --reload /etc/apparmor.d/usr.bin.evince

I get the following error:

    profile /usr/bin/evince: has merged rule /usr/bin/totem with conflicting x modifiers
    ERROR merging rules for profile /usr/bin/evince, failed to load

Playback with mpv (the player I had set as default) still doesn't work (is blocked by AppArmor), and, after running the following command, I get the messages shown in the attached file:

    rolandog@computer:~$ grep audit /var/log/kern.log

After removing the totem line I get a similar error, but for vlc. After removing both the totem line and the vlc line, I don't get an error (and I can launch mpv, the default I had set).

However, I'm torn because this worked for me, but there may be others that may have similar use-cases to mine that would prefer other players.
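The "has merged rule ... with conflicting x modifiers" error in the post above is apparmor_parser refusing a profile in which the same path ends up with two different exec modes once every included file is merged: the local override's `/usr/bin/totem ixr,` collides with a rule for the same binary that the profile already pulls in through an abstraction. The script below is an added example, not from the bug report or from the AppArmor project: it flattens a profile and its includes into one rule set and reports every path that carries more than one (exec mode, transition target) pair, so the clash can be found before reloading. The file contents are constructed stand-ins; in particular the `Cxr -> sanitized_helper` rules attributed here to abstractions/ubuntu-media-players are an assumption used to trigger the conflict, not the real abstraction's text.

```python
import re

# Constructed stand-ins for the files under /etc/apparmor.d (not the real Ubuntu contents).
# Assumption: the abstraction chain already grants the players an exec mode other than 'ix'.
FILES = {
    "usr.bin.evince": """\
/usr/bin/evince {
  #include <abstractions/evince>
  #include <local/usr.bin.evince>
}
""",
    "abstractions/evince": """\
  # abstraction used by evince binaries (stand-in)
  #include <abstractions/ubuntu-media-players>
  /usr/bin/file-roller ixr,
""",
    "abstractions/ubuntu-media-players": """\
  # stand-in; hypothetical exec mode chosen to differ from the local override
  /usr/bin/totem Cxr -> sanitized_helper,
  /usr/bin/vlc Cxr -> sanitized_helper,
""",
    "local/usr.bin.evince": """\
  # supported archivers (the override from the post above)
  /usr/bin/mpv ixr,
  /usr/bin/totem ixr,
  /usr/bin/vlc ixr,
""",
}

# '#include <...>' (old syntax) or 'include <...>' (newer syntax)
INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>')
# '/path perms [-> target],'  e.g. '/usr/bin/vlc ixr,' or '/usr/bin/totem Cxr -> sanitized_helper,'
RULE_RE = re.compile(r'^\s*(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+)\s*(?:->\s*(?P<target>\S+))?\s*,')


def exec_mode(perms):
    """Strip the non-exec letters: 'ixr' -> 'ix', 'Cxr' -> 'Cx', 'r' -> ''."""
    return "".join(c for c in perms if c not in "rwmkla")


def collect_rules(name, files, seen=None):
    """Flatten `name` and everything it includes into (file, path, exec_mode, target) tuples."""
    seen = set() if seen is None else seen
    if name in seen:          # guard against include cycles
        return []
    seen.add(name)
    rules = []
    for line in files[name].splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            rules.extend(collect_rules(inc.group(1), files, seen))
            continue
        m = RULE_RE.match(line)
        if m and "x" in m.group("perms"):
            rules.append((name, m.group("path"), exec_mode(m.group("perms")), m.group("target")))
    return rules


def find_x_conflicts(profile, files):
    """Paths whose merged rules carry more than one distinct (exec mode, target) pair."""
    by_path = {}
    for fname, path, mode, target in collect_rules(profile, files):
        by_path.setdefault(path, set()).add((mode, target, fname))
    conflicts = {}
    for path, entries in by_path.items():
        if len({(mode, target) for mode, target, _ in entries}) > 1:
            conflicts[path] = sorted(entries, key=lambda e: (e[0], e[1] or "", e[2]))
    return conflicts


if __name__ == "__main__":
    for path, entries in find_x_conflicts("usr.bin.evince", FILES).items():
        print(f"conflicting x modifiers for {path}:")
        for mode, target, fname in entries:
            print(f"  {fname}: {mode}" + (f" -> {target}" if target else ""))
```

The check reproduces what the post observed: mpv, which no included file mentions, merges cleanly, while totem and vlc each appear twice with different modes and would make the parser fail. The fix implied by the thread's final changelog entry is to rely on the media-players abstraction for the players it already covers and to add only genuinely new helpers in the local override.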

Revision history for this message
Rolando Garza (rolandog) wrote :

By the end of the previous comment I had experienced a weird bug. But I decided to post it here as a separate comment because this is still relevant to this thread.

I resolved the issues by:

1. changing the default player
2. opening a PDF document that contains a link to a local video
3. clicking the link to the video (and failing to open)
4. closing evince and opening the same document again
5. clicking the link to the video again (and succeeding this time)

I had to reproduce those steps for both totem and for vlc, ... but now, everything just works!

After that initial hurdle, changing default players results in opening the correct default video player.

I'm not really sure what happened, but the issue just fixed itself.

There are still some odd messages in the kernel log (see attached file).

I don't know if this is reproducible elsewhere, or if this bug should be marked as resolved or not, as I'm way past due to do a clean install of the newest Ubuntu:

    rolandog@computer:~$ lsb_release -rd
    Description: Ubuntu 20.10
    Release: 20.10

    rolandog@computer:~$ apt-cache policy evince
    evince:
      Installed: 3.38.0-1
      Candidate: 3.38.0-1
      Version table:
     *** 3.38.0-1 500
            500 http://nl.archive.ubuntu.com/ubuntu groovy/main amd64 Packages
            100 /var/lib/dpkg/status

I hope this helps out someone getting unexpected behavior.
