apparmor issue with evince {Ubuntu Bionic}
-
When I click a link in evince with Vivaldi being the default browser on my bionic system, I get an error "Failed to execute child process “/usr/bin/vivaldi-stable” (Permission denied)". The following entry shows in syslog confirming that this is an apparmor issue:
Sep 15 14:28:29 work kernel: [46946.748450] audit: type=1400 audit(1600172909.617:244): apparmor="DENIED" operation="create" profile="/usr/bin/evince//sanitized_helper" pid=4709 comm="pool" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create" Sep 15 14:28:53 work kernel: [46970.973331] audit: type=1400 audit(1600172933.841:256): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/vivaldi/vivaldi" pid=5390 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
-
@Gwen-Dragon Really? PDF viewer in chromium is pure ***. I'd never use the internal viewer over evince or others, it's the first thing to deactivate for me...
-
@Gwen-Dragon said in apparmor issue with evince {Ubuntu Bionic}:
Why so rude?
-
@Gwen-Dragon I don't consider my statement rude, I was merely suprised that you'd tell others to use a inferior software (at least I think it is). That being said, of course my comment was not constructive.
But your fix is not a real solution for most users, also, even if it may help @leggewie.If possible, it would probably help most if vivaldi would just become part of ubuntu's repositories. How is this issue handled with google chrome? I'd suppose that it would create similar results.
-
@Gwen-Dragon As I said, make ubuntu consider vivaldi in their apparmor rules. So maybe having a look at how it works with chromium and google chrome would be a first step, because I guess that google chrome is also not included in their default repo.
-
@leggewie said in apparmor issue with evince {Ubuntu Bionic}:
When I click a link in evince with Vivaldi being the default browser on my bionic system, I get an error "Failed to execute child process “/usr/bin/vivaldi-stable” (Permission denied)". The following entry shows in syslog confirming that this is an apparmor issue:
Sep 15 14:28:29 work kernel: [46946.748450] audit: type=1400 audit(1600172909.617:244): apparmor="DENIED" operation="create" profile="/usr/bin/evince//sanitized_helper" pid=4709 comm="pool" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create" Sep 15 14:28:53 work kernel: [46970.973331] audit: type=1400 audit(1600172933.841:256): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/vivaldi/vivaldi" pid=5390 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
I'm assuming you can use Vivaldi ok, but the only problem is using Vivaldi as a helper to Evince (as per the error message). I don't have Evince installed, so I cannot test if this works, but nothing will blow up if you try
At the end of /etc/apparmor.d/abstractions/ubuntu-browsers you will find this:
# some unpackaged, but popular browsers /usr/lib/icecat-*/icecat Cx -> sanitized_helper, /usr/bin/opera Cx -> sanitized_helper, /opt/google/chrome/google-chrome Cx -> sanitized_helper,
At the end, just after the last entry (in this case google-chrome) add:
/opt/vivaldi/vivaldi Cx -> sanitized_helper,
Adjust the path and/or name of Vivaldi executable if needed and don't forget the comma at the end of the line.
Save the file and restart apparmor:
sudo systemctl restart apparmor
Test. Did it help? Please report back.
-
I'm guessing this will work, since after making my post I went through Unread posts and found a thread where the same solution was posted in March by @Chipy:
https://forum.vivaldi.net/post/356988
Their post was much more concise though
-