[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
@Jamie, given your recent work on the evince apparmor profile, should that be assigned to you? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Tags added: snap ** Changed in: evince (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Note that this works with the evince snap, only the deb package is affected. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I can "fix" the issue if I add the following two lines to /etc/apparmor.d/abstractions/ubuntu-browsers and reload the evince profile: /usr/bin/env rmix, /usr/bin/snap Cx -> sanitized_helper, Probably not acceptable as is because this would allow executing any snap, not just chromium. And snaps are not guaranteed to be strictly confined (e.g. classic/devmode). But a rule on /snap/bin/chromium is not good enough as /snap/bin/chromium is a symlink to /usr/bin/snap. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I went through this the other day with a personal profile. We probably
can do something along the lines of:
/{,snap/core/[0-9]*/}usr/bin/snap mrCx -> snap_browser,
profile snap_browser {
#include
/etc/passwd r,
/etc/group r,
/etc/nsswitch.conf r,
/dev/tty rw,
# noisy
deny network inet stream,
deny network inet6 stream,
deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
/{,snap/core/[0-9]*/}usr/bin/snap mrix, # re-exec
/etc/fstab r,
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{HOME}/.snap/auth.json r, # if exists, required
/run/snapd.socket rw,
/snap/core/[0-9]*/usr/lib/snapd/info r,
/snap/core/[0-9]*/usr/lib/snapd/snapd r,
/var/lib/snapd/system-key r,
/{,snap/core/*/}usr/lib/snapd/snap-confine Pix,
/sys/kernel/security/apparmor/features/ r,
# allow launching official browser snaps. This could be abstracted into an
#include or tunable
/snap/chromium/*/meta/snap.yaml r,
/snap/firefox/*/meta/snap.yaml r,
# ...
}
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to open it if the default browser
is a snap
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Bug watch added: Debian Bug tracker #923345 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923345 ** Also affects: evince (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923345 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Debian) Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
This has come up again, now that the default browser in impish is the firefox snap (see https://discourse.ubuntu.com/t/feature-freeze- exception-seeding-the-official-firefox-snap-in-ubuntu- desktop/24210/107). Jamie, IĀ assume this should be unassigned, as you're not actively working on this, are you? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Also I'm not sure I agree with jdstrand's apparmor profile which includes: /run/snapd.socket rw, which I don't think we want to grant to any PDF file opened with evince? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Olivier, yes, I shouldn't be assigned. Ian, you're right the profile is
suboptimal (it's also old so likely needs updating).
Do note that this is a separate named profile and evince (and if this is
put in an abstraction, anything that uses the abstraction) only has the
`/{,snap/core/[0-9]*/}usr/bin/snap mrCx -> snap_browser,` rule which
means that it is able to run the 'snap' command (needed since everything
in /snap/bin points to /usr/bin/snap) which at the time I wrote the
profile meant that access to this socket was needed as part of snap run.
IIRC, snapd should be protecting certain actions by uid connecting to it
(eg, you are root or not), but it has been a while since I've looked at
that. Evince is not a snap though so if snapd does any checks on 'is the
client a snap' then those would fail and evince would be able to do
whatever a non-root user could do with the 'snap' command via the
socket.
For snap run, we can see that the snap_browser profile limits what can
be used with 'run' since (at the time I wrote the comment) 'snap run'
required being able to look at the meta/snap.yaml of the specific snap.
This 'works' (worked?) but is brittle since if snap run changed to lift
this requirement (eg, 'snap run' just passed the name of the unresolved
symlink to snapd over the socket and let snapd start the snap, perhaps
via userd, etc) then this falls apart.
The profile was put up as an example as what could be done at the time without
any help from snapd. I never particularly cared for it cause it was brittle and
not designed. I'm not sure how to fix this, but here are some thoughts:
* evince is just executing stuff from /snap/bin (probably via the system's
xdg-open). Assuming xdg-open, the system's xdg-open (or whatever evince is
using to decide and launch the default browser) could itself be fixed in Ubuntu
to launch a different command that behaved better. This wouldn't necessarily
fix other distros (though this is the evince profile in Debian and Ubuntu, so
*technically*, if you got this change (to presumably xdg-open) into them, you
could update the evince profile in them accordingly)
* In lieu of that, if the profile still worked as intended, snapd could be
hardened to look to check more than if the connecting process is root or a
snap; it could also see if it is running under a non-snap profile, then limit
access to the socket API accordingly. This has drawbacks and could break people
who have written custom profiles similar to what I presented.
* I suppose an alternative approach would be to have symlinks in /snap/bin for
things that are registered as browsers (or just the default browser) point to a
designed snap command. Eg:
/snap/bin/firefox -> /usr/bin/snap # keep the
existing one too
/snap/bin/default-browser-is-a-snap -> /usr/bin/snap-browser # name is
illustrative, TBD
Now firefox, chromium, opera, brave, etc snaps registers themselves as
being capable of being a default browser with snapd, then snapd
registers with the system that /snap/bin/default-browser-is-a-snap is
the default browser (so system utilities like xdg-open don't need to
change) and /usr/bin/snap-browser is written to be safe (eg, only able
to 'snap run' the configured default browser, nothing else) and apparmor
profiles are adjusted to have `/{,snap/core/[0-9]*/}usr/bin/snap-browser
Uxr,` (or similar). The /snap/bin/default-browser-is-a-snap path is
illustrative and there isn't really a need for it at all. Could simply
perhaps have snapd register /usr/bin/snap-browser as the default browser
on the system (it now needs to know what snapd configured as the default
browser snap though) and forego the symlink.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to open it if the default browser
is a snap
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu) Assignee: (unassigned) => Georgia Garcia (georgiag) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I was able to reproduce this issue on focal and bionic but not on impish. I'm still investigating why, since I don't see any changes in policies that might affect this issue, but I could have missed something. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
@Georgia, thanks for the work! Is anyone from the security team going to sponsor the apparmor updates for you? Also in the evince debdiff, you added apparmor to the Build-Depends but is that needed? If the intend is to ensure a recent enough apparmor is available on the sytem then the Depends should be enough? Also evince didn't depends on apparmor before, it's probably fine to change that but I still want to raise the question. What would be the outcome of installing the new evince with an old apparmor? would the missing rules just be ignored or would they create issues? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Also affects: evince (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Jammy) Importance: Undecided Status: New ** Tags removed: rls-jj-incoming -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
@Sebastien, yes, I asked people from the security team to sponsor it but we are still reviewing the snap_browsers abstraction. We are denying access to /run/user/[0-9]*/gdm/Xauthority in the policy but if that was the case, then the browser should not have been able to open, but it does open so we are investigating if there's an issue. Regarding the evince debdiff, even though it looks like the dependency is on Build-Depends on the debdiff, it is actually under Depends. If we don't set this dependency, then the snap_browsers abstraction might not be available. So if the new evince is installed with an old apparmor, then the evince apparmor policy will fail to load and evince will run unconfined. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
@georgiag we could move the abstraction include to "include if exists" to take care of the depends. Generally speaking evince shouldn't depend on apparmor, but of course make use of it if it is available. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu Jammy) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: evince (Ubuntu Jammy) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Tags added: rls-jj-incoming -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I'm running Jammy, upgraded from Focal, and this bug bites me: (evince:56279): dbind-WARNING **: 12:05:26.897: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus: Permission denied ... then /var/log/syslog: [...] audit: type=1400 audit(1649153341.153:384): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=56653 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Tags added: desktop-lts-wishlist -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu) Assignee: Georgia Garcia (georgiag) => James Henstridge (jamesh) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
> Is there any option to do this via portals - ie can evince use > org.freedesktop.portal.OpenURI to open the URI? Would then this > allow to avoid going via xdg-open? Evince is using g_app_info_launch_default_for_uri(), which can use the portal interface: https://gitlab.gnome.org/GNOME/evince/-/blob/main/shell/ev- window.c#L6775-6778 However, it only does this as a fallback if no desktop file supports the URI. This is intended to allow a confined app to handle some file types within the sandbox before falling back to portals for everything else. In the case of Evince running on the host system and seeing all the desktop files in /usr/share/applications and other locations, it likely won't ever call the portal API. It'd be possible to code in explicit portal API calls, but it isn't something that Evince packaged as a flatpak or snap would need. So it might end up as a distro patch we'd be on the hook to maintain forever. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
it sounds like something that we should fix one way or another at least for the LTS, maybe in the futur we will have evince as a snap instead and the situation will be different. Could you suggest a patch for review with the change you described? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I'm working on a SRU for apparmor and evince to introduce the snap_browsers abstraction on apparmor as a workaround for this issue. It is based on these two merge requests from upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/806 https://gitlab.com/apparmor/apparmor/-/merge_requests/877 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
@Georgia, great, should we assign the apparmor line of the bug to you? ** Changed in: apparmor (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Georgia Garcia (georgiag) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Description changed: - This is related to bug #1792648. After fixing that one (see discussion - at https://salsa.debian.org/gnome-team/evince/merge_requests/1), - clicking a hyperlink in a PDF opens it correctly if the default browser - is a well-known application (such as /usr/bin/firefox), but it fails to - do so if the default browser is a snap (e.g. the chromium snap). + [Impact] - This is not a recent regression, it's not working on bionic either. + * Users cannot open a hyperlink in a PDF opened with evince when the default browser is a snap. + * The fix creates a snap_browsers abstraction on AppArmor which can be used in a transition for when the browser is executed. The snap_browsers abstraction provides the minimal amount of permissions required to execute a browser provided through snaps. This is a workaround since AppArmor currently does not provide mediation/filtering on enhanced environment variables. - ProblemType: Bug - DistroRelease: Ubuntu 18.10 - Package: evince 3.30.0-2 - ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5 - Uname: Linux 4.18.0-7-generic x86_64 - NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair - ApportVersion: 2.20.10-0ubuntu11 - Architecture: amd64 - CurrentDesktop: ubuntu:GNOME - Date: Mon Sep 24 12:28:06 2018 - EcryptfsInUse: Yes - InstallationDate: Installed on 2016-07-02 (813 days ago) - InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) - SourcePackage: evince - UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago) - modified.conffile..etc.apparmor.d.abstractions.evince: [modified] - mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158 + [Test Plan] + + * Make sure the default browser is provided through the snap store. + * Open a PDF that contains a hyperlink using evince and click on the URL. + * The browser should open the requested URL. + + [Where problems could occur] + + * If the browser or snap core update to have new requirements for + opening a browser, then the current policy could become obsolete and + will need to be updated again. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "evince_42.1-3ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581877/+files/evince_42.1-3ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "evince_40.4-2ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581878/+files/evince_40.4-2ubuntu0.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "evince_3.36.10-0ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581879/+files/evince_3.36.10-0ubuntu1.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "evince_3.28.4-0ubuntu1.3.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581880/+files/evince_3.28.4-0ubuntu1.3.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "apparmor_3.0.4-2ubuntu3.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581881/+files/apparmor_3.0.4-2ubuntu3.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581882/+files/apparmor_3.0.3-0ubuntu1.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "apparmor_2.13.3-7ubuntu5.2.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581884/+files/apparmor_2.13.3-7ubuntu5.2.debdiff ** Patch removed: "apparmor_3.0.3-0ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "apparmor_3.0.3-0ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581883/+files/apparmor_3.0.3-0ubuntu1.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Patch added: "apparmor_2.12-4ubuntu5.2.debdiff" https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+attachment/5581885/+files/apparmor_2.12-4ubuntu5.2.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
@Sebastien, yes, just did. Thank you! I also attached the debdiffs for evince and apparmor for bionic, focal, impish and jammy. They were also uploaded into the Security Proposed PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=apparmor https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=evince -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
After transition to snap the Chromium is not usable for me. I have a lot of PDFs with hyperlinks and they stopped working. Is there any workaround other then migrating to deb Chrome? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
** Changed in: evince (Ubuntu) Status: Confirmed => Triaged ** Changed in: evince (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Is there any option to do this via portals - ie can evince use https://flatpak.github.io/xdg-desktop-portal/portal-docs.html#gdbus- org.freedesktop.portal.OpenURI to open the URI? Would then this allow to avoid going via xdg-open? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
I pulled the evince source and there does not appear to be any direct support for portals, and sandbox support is an untasked item on their roadmap. However it still may be possible via the gnome libs, or via dlopen. Those routes would need to be further investigated. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794064 Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
