apparmor issue with evince {Ubuntu Bionic}



  • When I click a link in evince with Vivaldi being the default browser on my bionic system, I get an error "Failed to execute child process “/usr/bin/vivaldi-stable” (Permission denied)". The following entry shows in syslog confirming that this is an apparmor issue:

    Sep 15 14:28:29 work kernel: [46946.748450] audit: type=1400 audit(1600172909.617:244): apparmor="DENIED" operation="create" profile="/usr/bin/evince//sanitized_helper" pid=4709 comm="pool" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    Sep 15 14:28:53 work kernel: [46970.973331] audit: type=1400 audit(1600172933.841:256): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/vivaldi/vivaldi" pid=5390 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    

  • Moderator

    @leggewie That happens on some Ubuntu versions with apparmor. Not a Vivaldi fault.
    You need to fix a apparmor rule.
    Wait i will check how…

    https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1813339?comments=all
    What a shame for Ubuntu. They say Vivaldi is not from their repo and that's why it is not their fault for the envice block.

    But that may fix it: https://forum.vivaldi.net/post/356988


  • Moderator

    @leggewie Why a need of external PDF viewer? Has Vivaldi's internal PDF Viewer (to be activated at Settings → Webpages) not enough features?


  • Moderator

    @leggewie On Ubuntu 20.04.1 LTS (Focal) i have no issue with apparmor opening PDF external evince-previewer (3.36.7).



  • @Gwen-Dragon Really? PDF viewer in chromium is pure ***. I'd never use the internal viewer over evince or others, it's the first thing to deactivate for me...


  • Moderator

    @jumpsq Why so rude? I never told you to use internal PDF. I was only interested.
    Other people need more help and i can invest my time for friendly users.

    Check and fix your problems on your own. 👋



  • @Gwen-Dragon said in apparmor issue with evince {Ubuntu Bionic}:

    Why so rude?

    1. I don’t see any special level of impoliteness in the post (maybe it’s just me, but I really don’t)
    2. Please pay attention to nicknames. Will you really not help @leggewie just because @jumpsq has (from your point of view) been rude?

  • Moderator

    @potmeklecbohdan said in apparmor issue with evince {Ubuntu Bionic}:

    Please pay attention to nicknames.

    Yes, i see. I reverted my changes.


  • Moderator

    @leggewie On Ubuntu 20 LTS i do not get any syslog messages with Vivaldi and evince.

    I checked apparmor settings on my Ubuntu 20 LTS:

    test@ute:~$ grep -iR sanitized_helper /etc/apparmor* | grep evince
    /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:  /usr/bin/evince Cxr -> sanitized_helper,
    /etc/apparmor.d/abstractions/evince:  /usr/bin/mktexpk Cx -> sanitized_helper,
    /etc/apparmor.d/abstractions/evince:  /usr/bin/mktextfm Cx -> sanitized_helper,
    /etc/apparmor.d/abstractions/evince:  /usr/bin/dvipdfm Cx -> sanitized_helper,
    /etc/apparmor.d/abstractions/evince:  /usr/bin/dvipdfmx Cx -> sanitized_helper,
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/yelp Cx -> sanitized_helper,
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/krusader Cx -> sanitized_helper, # KDE
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/nautilus-sendto Cx -> sanitized_helper,
    /etc/apparmor.d/usr.bin.evince:  /usr/bin/yelp Cx -> sanitized_helper,
    /etc/apparmor.d/usr.bin.evince:  # sanitized_helper, we don't want all those perms in the thumbnailer
    

    But i am no really a pro in checking which rule for apparmor fixed the broken Ubuntu 18 with Vivaldi.


  • Moderator

    @leggewie Did this help?

    @Chipy said in Vivaldi opening from a link in a PDF file:

    Finally, found a solution:

    Open /etc/apparmor.d/abstractions/ubuntu-browsers.
    Add a new line at the really end (# some unpackaged, but popular browsers):
    /usr/bin/vivaldi-snapshot -> sanitized_helper,
    Restart & Enjoy opening links within a PDF in Evince with Vivaldi.

    May be you run vivaldi-stable, then change vivaldi-snapshot to vivaldi-stable.



  • @Gwen-Dragon I don't consider my statement rude, I was merely suprised that you'd tell others to use a inferior software (at least I think it is). That being said, of course my comment was not constructive.
    But your fix is not a real solution for most users, also, even if it may help @leggewie.

    If possible, it would probably help most if vivaldi would just become part of ubuntu's repositories. How is this issue handled with google chrome? I'd suppose that it would create similar results.


  • Moderator

    @jumpsq said in apparmor issue with evince {Ubuntu Bionic}:

    But your fix is not a real solution for most users, also, even if it may help @leggewie.

    And i thought a apparmor rule could help to fix. Now i am confused
    And what would you propose for a fix?

    .



  • @Gwen-Dragon As I said, make ubuntu consider vivaldi in their apparmor rules. So maybe having a look at how it works with chromium and google chrome would be a first step, because I guess that google chrome is also not included in their default repo.


  • Moderator

    @jumpsq said in apparmor issue with evince {Ubuntu Bionic}:

    make ubuntu consider vivaldi in their apparmor rules

    Ubuntu rejected this in the past.
    If Ubuntu users do not take action and set some pressure on Ubuntu to change the app armor rules nothing can be done.



  • @leggewie said in apparmor issue with evince {Ubuntu Bionic}:

    When I click a link in evince with Vivaldi being the default browser on my bionic system, I get an error "Failed to execute child process “/usr/bin/vivaldi-stable” (Permission denied)". The following entry shows in syslog confirming that this is an apparmor issue:

    Sep 15 14:28:29 work kernel: [46946.748450] audit: type=1400 audit(1600172909.617:244): apparmor="DENIED" operation="create" profile="/usr/bin/evince//sanitized_helper" pid=4709 comm="pool" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
    Sep 15 14:28:53 work kernel: [46970.973331] audit: type=1400 audit(1600172933.841:256): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/vivaldi/vivaldi" pid=5390 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    

    I'm assuming you can use Vivaldi ok, but the only problem is using Vivaldi as a helper to Evince (as per the error message). I don't have Evince installed, so I cannot test if this works, but nothing will blow up if you try 😁

    At the end of /etc/apparmor.d/abstractions/ubuntu-browsers you will find this:

    # some unpackaged, but popular browsers
    /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
    /usr/bin/opera Cx -> sanitized_helper,
    /opt/google/chrome/google-chrome Cx -> sanitized_helper,
    

    At the end, just after the last entry (in this case google-chrome) add:

    /opt/vivaldi/vivaldi Cx -> sanitized_helper,
    

    Adjust the path and/or name of Vivaldi executable if needed and don't forget the comma at the end of the line.

    Save the file and restart apparmor:

    sudo systemctl restart apparmor
    

    Test. Did it help? Please report back.



  • I'm guessing this will work, since after making my post I went through Unread posts and found a thread where the same solution was posted in March by @Chipy:

    https://forum.vivaldi.net/post/356988

    Their post was much more concise though 👍 😁


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.