Comment 8 for bug 1891338

Dmitriy Vakhrushev (kr41) wrote :

This bug appears again in the package evince 42.3-0ubuntu3 in Xubuntu 22.04.2.

It looks the same as described by Kenneth Zadeck in the original report, except the message says:
'Failed to execute child process "/usr/bin/xfce4-mime-helper"(Permission denied).'

In the dmesg logs I see the following:

[ 804.143236] audit: type=1400 audit(1679303089.957:269): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=16286 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I edited /etc/apparmor.d/usr.bin.evince

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>
  /usr/bin/xfce4-mime-helper ixr, # <---- adding this line

A new message appeared in dmesg logs:

[ 838.828241] audit: type=1400 audit(1679303124.641:304): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=16706 comm="xfce4-mime-help" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I have two browsers, Brave and Firefox, and both are installed from snap. So I edited /etc/apparmor.d/usr.bin.evince again:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>
  /usr/bin/xfce4-mime-helper ixr,
  /usr/bin/snap ixr, # <---- adding this line

And it complained again:

[ 1268.978351] audit: type=1400 audit(1679303554.790:432): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/run/snapd.socket" pid=20462 comm="brave" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

And I edited /etc/apparmor.d/usr.bin.evince again:

  # For Xubuntu to launch the browser
  #include <abstractions/exo-open>
  /usr/bin/xfce4-mime-helper ixr,
  /usr/bin/snap ixr,
  /run/snapd.socket wr, # <---- adding this line

And then I was overwhelmed by the following messages.

[ 1817.693397] audit: type=1400 audit(1679304103.502:3198): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/brave/216/meta/snap.yaml" pid=25949 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.942739] audit: type=1400 audit(1679304108.750:3199): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.947632] audit: type=1400 audit(1679304108.754:3200): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949047] audit: type=1400 audit(1679304108.758:3201): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.949070] audit: type=1400 audit(1679304108.758:3202): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/snapd/18357/usr/lib/snapd/info" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950430] audit: type=1400 audit(1679304108.758:3203): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/sys/kernel/seccomp/actions_avail" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1822.950649] audit: type=1400 audit(1679304108.758:3204): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp" pid=26816 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1822.950883] audit: type=1400 audit(1679304108.758:3205): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=26817 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1822.951929] audit: type=1400 audit(1679304108.758:3206): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/brave/216/meta/snap.yaml" pid=26810 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.523506] audit: type=1400 audit(1679304154.330:3207): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.528801] audit: type=1400 audit(1679304154.338:3208): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cgroups" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.530290] audit: type=1400 audit(1679304154.338:3209): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/cmdline" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.530325] audit: type=1400 audit(1679304154.338:3210): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/snapd/18357/usr/lib/snapd/info" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.531868] audit: type=1400 audit(1679304154.338:3211): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/proc/sys/kernel/seccomp/actions_avail" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 1868.532031] audit: type=1400 audit(1679304154.338:3212): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp" pid=27105 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1868.532331] audit: type=1400 audit(1679304154.342:3213): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/systemctl" pid=27106 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1868.534045] audit: type=1400 audit(1679304154.342:3214): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/snap/brave/216/meta/snap.yaml" pid=27098 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

At that point, it became clear that there's something serious, rather than a couple of lines missed in configs.
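
An added example, not part of the original comment: a small parser for the AppArmor audit lines quoted above that groups denials by the process (comm) that triggered them while still confined by the evince profile. A process started through an `ix` rule keeps running under the caller's profile, which matches the quoted lines where comm is `exo-open`, `xfce4-mime-help` or `brave` and profile is still `/usr/bin/evince`; the function names are this example's own.

```python
import os
import re
from collections import defaultdict

# Four denials copied from the dmesg output quoted in the comment above.
SAMPLE = """\
[ 804.143236] audit: type=1400 audit(1679303089.957:269): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=16286 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 838.828241] audit: type=1400 audit(1679303124.641:304): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=16706 comm="xfce4-mime-help" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 1268.978351] audit: type=1400 audit(1679303554.790:432): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/run/snapd.socket" pid=20462 comm="brave" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[ 1822.950649] audit: type=1400 audit(1679304108.758:3204): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/snapd/snap-seccomp" pid=26816 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one field dict per apparmor="DENIED" line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def inherited_denials(denials):
    """Group denials whose process (comm) is not the profile's own binary.

    The kernel truncates comm to 15 characters, so compare on that prefix.
    """
    grouped = defaultdict(list)
    for d in denials:
        own = os.path.basename(d["profile"])[:15]
        if d["comm"] != own:
            grouped[d["comm"]].append((d["operation"], d["name"], d["denied_mask"]))
    return dict(grouped)


if __name__ == "__main__":
    for comm, items in inherited_denials(parse_denials(SAMPLE)).items():
        for op, name, mask in items:
            print(f"{comm:16} {op:8} {mask:3} {name}")
```

Feeding it the full `dmesg` output instead of `SAMPLE` shows at a glance how much of the denial list comes from helper and browser processes rather than from evince itself.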