9

I know there are existing questions about problems with Evince opening links, but this looks like a new error. This is in 21.04 but I think the error is very recent, i.e. the links worked earlier in 21.04. So I started evince from the command line and when I tried to open a link in the document, I got this error:

[205689:205689:0812/101716.420196:FATAL:double_fork_and_exec.cc(131)] execv /opt/google/chrome/crashpad_handler: Permission denied (13)

This is evince 40.1 and Chrome 92.0.4515.131

I submitted an evince issue about this: https://gitlab.gnome.org/GNOME/evince/-/issues/1646 and determined that the problem is AppArmor, which is preventing evince from invoking Chrome (but allows it to use Firefox). So I need to modify the AppArmor profile for evince. I have no idea how to do this. I tried using aa-logprof, but I clearly need instructions that I can understand. I would appreciate any pointers that show step-by-step, how to make the necessary modification to the evince profile.

Update: Success. I added this line to the sanitized_helper profile in abstractions/ubuntu_helpers:

/opt/google/chrome/crashpad_handler Pixr,

and reloaded the evince profile. Now I get these errors when clicking on the link:

[20036:20069:0813/075235.070369:ERROR:address_tracker_linux.cc(195)] Could not create NETLINK socket: Permission denied (13)
[20036:20065:0813/075235.071590:ERROR:udev_watcher.cc(52)] Failed to initialize a udev monitor.
Opening in existing browser session.

And the link opened successfully in a new chrome tab.

user1951615
  • 411
  • 3
  • 11
  • 1
    Start by running tail -f /var/log/syslog | grep -i apparmor in the terminal. Then try and open the link. Share the output of the apparmor denials so we can start pointing you where you need to go for fixing this, as it'll state the specific policy that's impacting and then we can update the policy later. – Thomas Ward Aug 13 '21 at 02:15
  • Aug 13 05:38:20 ratel kernel: [52504.309148] audit: type=1400 audit(1628858300.725:61): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/crashpad_handler" pid=16475 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

    It was suggested by a comment to my gitlab report that the problem seems to be the fact that the chrome executables are in /opt/google/chrome rather than a "normal" place like /usr/bin.

     – user1951615 Aug 13 '21 at 12:40
  • The sanitized_helper profile, defined in ubuntu_helpers, included indirectly from the evince profile, seems to allow execution of things under /opt/google/chrome, but not crashpad_handler. – user1951615 Aug 13 '21 at 13:08
  • I also had to use the chrome_ prefix on my ubuntu 20.04, chrome Version 96.0.4664.45 (Official Build) (64-bit) – Gert Willems Nov 27 '21 at 06:57

2 Answers2

11

Edit the file ubuntu-helpers:
sudo gedit /etc/apparmor.d/abstractions/ubuntu-helpers
Under profile sanitized_helper {,
find lines beginning /opt/google/chrome.
Add this line:
/opt/google/chrome/crashpad_handler Pixr,
Save the file.
Reload the evince profile (while in /etc/apparmor.d):
sudo apparmor_parser -r usr.bin.evince

user1951615
  • 411
  • 3
  • 11
  • 2
    Thanks a lot! Worked under Debian 11 too. For the last part, you may just run sudo service apparmor restart. – Yvan Sep 01 '21 at 07:01
  • 4
    I used /opt/google/chrome/chrome_crashpad_handler Pixr, as there was nothing in that path with that name /opt/google/chrome/crashpad_handler and solution worked. Then I changed back to your solution, it stopped working. Then I reverted back to my solution. :| – ssi-anik Sep 30 '21 at 07:50
  • 2
    On my system, it is still chrome_crashpad_handler. This is chrome Version 94.0.4606.61 (Official Build) (64-bit). Very odd that the name would be different on your system. – user1951615 Oct 01 '21 at 12:14
  • I second @ssi-anik that for example Debian 11 (Bullseye) has a chrome prefix in front of crashpad_handler, so @ssi-anik's answer is good for some cases. – Yvan Oct 08 '21 at 03:41
  • I also second needing the chrome_ prefix. Works in my Ubuntu 18,04! – Rob Rutten Nov 09 '21 at 20:17
  • You can lookup the paths with $ dpkg -S <path>. I have the standard Chrome from Google (not chromium or some other alternative). For the answer's path: dpkg-query: no path found matching pattern /opt/google/chrome/crashpad_handler. With the chrome_ prefix: google-chrome-stable: /opt/google/chrome/chrome_crashpad_handler. – Thomas Guyot-Sionnest Nov 24 '21 at 05:51
  • Adding this line instead covers both cases: /opt/google/chrome{,-beta,-unstable}/{,chrome_}crashpad_handler Pixr, – Thomas Guyot-Sionnest Nov 24 '21 at 05:57
  • I also only have /opt/google/chrome/chrome_crashpad_handler, no /opt/google/chrome/crashpad_handler (the former filename is clearer) – water stone Feb 28 '22 at 19:42
  • Reload the evince profile from any dir: sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince – water stone Feb 28 '22 at 19:43
2

I've created the merge request on AppArmor to fix this problem:

https://gitlab.com/apparmor/apparmor/-/merge_requests/830

Cristiano Fraga G. Nunes
  • 21
  • 2
  • What about later when the link is not there? If there is important info in the link include it in the answer. – David Feb 03 '22 at 15:39