9

While viewing a PDF document in evince, clicking on a hyperlink (a web link in this case) causes the cursor to change to a rotating 'busy' symbol and the browser is not launched. Using dmesg to view errors, I see the errors below. This began about a month ago. I'm not aware I have changed anything in my configuration. Ubuntu 21.10 fully updated. Brave browser (1.32.113) is default.

[32979.539575] audit: type=1400 audit(1638841732.708:94): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/opt/brave.com/brave/chrome_crashpad_handler" pid=39499 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[32979.539807] traps: brave[39499] trap int3 ip:5616e1a1c3c1 sp:7ffe260ee8a0 error:0 in brave[5616dd77b000+9d5e000]
Zanna
  • 70,465
David
  • 101

5 Answers5

8

The answer by Riyan produced an error for me, but the following command worked:

sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/ 
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.bin.evince

, see https://linuxconfig.org/how-to-disable-apparmor-on-ubuntu-20-04-focal-fossa-linux.

Kvothe
  • 635
3

This is a known issue with apparmor and evince, and the gnome devs believe that since it is a problem with apparmor, it doesn't fall within their responsibilites. So it's upto the users/distros to set the apparmor profiles correctly.

See this issue on gnome's gitlab: https://gitlab.gnome.org/GNOME/evince/-/issues/1090

I had the same problem and either this post fixed it: https://askubuntu.com/a/1214362/1554738

or because I disabled the apparmor profile for evince https://help.ubuntu.com/community/AppArmor

I used the following command from there to disable the apparmor profile:

Disable one profile


sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name

You have to restart your computer after.

Riyan_Ahmed
  • 39
  • I get File /etc/apparmor.d/profile.name not found, skipping... (Ubuntu 20.04) – Kvothe Mar 21 '22 at 11:36
  • The following worked for me: sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/ sudo apparmor_parser -R /etc/apparmor.d/disable/usr.bin.evince, see https://linuxconfig.org/how-to-disable-apparmor-on-ubuntu-20-04-focal-fossa-linux. – Kvothe Mar 21 '22 at 11:45
2

You can use the apparmor-utils to debug and disable profiles. This package is available in Ubuntu 20.04 and also in some Debian releases such as Bulleye (where I'm testing).

sudo apt install apparmor-utils
sudo aa-complain /usr/bin/evince

Test the link in the PDF again. Rather than blocking the operation this time, it should open the link in your browser while logging to /var/log/syslog. This works for me and evince now fires URLs as expected.

Complain mode means that "violations to the policy will only be logged" (https://wiki.debian.org/AppArmor/HowToUse). You can also disable the policy for the application:

sudo aa-disable /usr/bin/evince

URLs should now fire without logging messages appearing in /var/log/syslog. Or you can re-enable the policy:

sudo aa-enforce /usr/bin/evince

I had to reload the PDF in evince for policy to be enforced again (URLs to be blocked).

You can check status of apparmor profiles and processes currently running with enforced or complain profiles (at any time during your testing) using:

sudo aa-status

More information: https://wiki.debian.org/AppArmor/HowToUse

hgb
  • 146
  • 4
  • 1
    Thanks @hgb. That looks like a good solution. What I had finally done was remove the instance of evince shipped with Ubuntu and installed the flatpak version. I don't believe it's been a problem since. – David Jul 08 '22 at 02:43
1

add the lines

  /usr/local/bin/** rix,
  /usr/local/lib/** rix,

around line 55 in /etc/apparmor.d/abstractions/evince (let's say, before # supported archivers)

Then apparmor_parser -R /etc/apparmor.d

am70
  • 133
0

(This answer is based on my understanding after researching the matter for about 20 min.)

Most answers here effectively disable AppArmor for Evince. But AppArmor is software that enforces an applications permissions on your system. Since pdfs that you open in Evince can contain all kinds of scripting, this is possibly unwise.

@am70's answer is more specific: it gives Evince the following permissions over all files in the given paths:

  • Reading (r),
  • Execution with inherited permissions (ix), i.e. Evince can call the apps living there and they will inherit Evince's permissions.

However, this answer did not work for me because those paths are not where my browser lives. I did which firefox (because Firefox is my default browser) and got the answer /usr/bin/firefox so after quitting Evince, I added the permission

  # allow firefox
  /usr/bin/firefox ixr,

to the file /etc/apparmor.d/abstractions/evince (after # supported archivers although I guess it does not matter) and then reloaded all the AppArmor policy files (I assume that's what they are) using

sudo apparmor_parser -R /etc/apparmor.d

Evince now opens links in Firefox when I click them.

dremodaris
  • 321