Bug#923345: (no subject)

Philippe SWARTVAGHER phil.swart at gmx.fr
Sun May 15 19:59:29 BST 2022 

Hello,

I encounter this bug too (XFCE and Firefox-ESR on Sid), for instance
with the PDF produced from these LaTeX sources:

```

\documentclass[12pt,a4paper]{article}
\usepackage{hyperref}

\begin{document}

The \href{https://debian.org}{Debian project}

\end{document}

```

Once built and opened in Evince, if I click on the link, I get an error
and in the logs:

```

May 15 20:17:14 PHILIPPE-PC-DEBIAN kernel: [26008.845553] audit:
type=1400 audit(1652638634.237:25): apparmor="DENIED" operation="exec"
profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=37094
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

```

For the record, if I disable the AppArmor profile, the logs are:

```

May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589686] audit:
type=1400 audit(1652638941.976:34): apparmor="ALLOWED" operation="exec"
profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=38034
comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589975] audit:
type=1400 audit(1652638941.976:35): apparmor="ALLOWED"
operation="file_inherit"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/dev/null" pid=38034 comm="xfce4-mime-help" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589983] audit:
type=1400 audit(1652638941.976:36): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/bin/xfce4-mime-helper" pid=38034 comm="xfce4-mime-help"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.589994] audit:
type=1400 audit(1652638941.976:37): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/ld-2.33.so" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590059] audit:
type=1400 audit(1652638941.976:38): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/etc/ld.so.cache" pid=38034 comm="xfce4-mime-help"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590070] audit:
type=1400 audit(1652638941.976:39): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libexo-2.so.0.1.0" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590080] audit:
type=1400 audit(1652638941.976:40): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libexo-2.so.0.1.0" pid=38034
comm="xfce4-mime-help" requested_mask="rm" denied_mask="rm" fsuid=1000
ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590099] audit:
type=1400 audit(1652638941.976:41): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590106] audit:
type=1400 audit(1652638941.976:42): apparmor="ALLOWED"
operation="file_mmap"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29" pid=38034
comm="xfce4-mime-help" requested_mask="rm" denied_mask="rm" fsuid=1000
ouid=0
May 15 20:22:21 PHILIPPE-PC-DEBIAN kernel: [26316.590137] audit:
type=1400 audit(1652638941.976:43): apparmor="ALLOWED" operation="open"
profile="/usr/bin/evince//null-/usr/bin/xfce4-mime-helper"
name="/usr/lib/x86_64-linux-gnu/libgdk-3.so.0.2404.29" pid=38034
comm="xfce4-mime-help" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

```

I managed to fix the error by adding

```

/usr/bin/xfce4-mime-helper Cx -> sanitized_helper,

```

in /etc/apparmor.d/usr.bin.evince (so here :
https://salsa.debian.org/gnome-team/evince/-/blob/debian/master/debian/apparmor-profile#L73),
but I have no idea if this the correct way to fix it.


Philippe.

More information about the pkg-gnome-maintainers mailing list