> Do we need evince to be reuploaded for jammy there since the previous
upload was rejected by Steve?
I'm trying to see what type of error we get if we load a profile with
such a rule and the target profile does not exist:
/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx ->
snap_browsers,
Will it be worse than what we have now?
Will evince's postinst fail when it reloads the profile with the above line,
and snap_browsers is not defined?
Will it crash when a link in a pdf is clicked?
It's taking a bit to setup a jammy desktop vm to try this, and I have
other SRUs to process. Georgia, could you elaborate on what would happen
if the new evince were to be installed with an old apparmor that knows
nothing about the snap_browsers profile?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to open it if the default browser
is a snap
Status in apparmor package in Ubuntu:
Fix Released
Status in evince package in Ubuntu:
Fix Released
Status in apparmor source package in Jammy:
Fix Committed
Status in evince source package in Jammy:
In Progress
Status in apparmor source package in Lunar:
Fix Released
Status in evince source package in Lunar:
Fix Committed
Status in evince package in Debian:
Confirmed
Bug description:
[Impact]
* Users cannot open a hyperlink in a PDF opened with evince when the default
browser is a snap.
* The fix creates a snap_browsers abstraction on AppArmor which can be used
in a transition for when the browser is executed. The snap_browsers abstraction
provides the minimal amount of permissions required to execute a browser
provided through snaps. This is a workaround since AppArmor currently does not
provide mediation/filtering on enhanced environment variables.
[Test Plan]
* Make sure the default browser is provided through the snap store.
* Open a PDF that contains a hyperlink using evince and click on the URL.
* The browser should open the requested URL.
[Where problems could occur]
* If the browser or snap core update to have new requirements for
opening a browser, then the current policy could become obsolete and
will need to be updated again.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
