Bug#923345: evince cannot start default browser due to AppArmor

intrigeri intrigeri at debian.org
Sun May 22 06:53:43 BST 2022


Hi,

This bug report seems to be about 2 distinct problems:

1. Evince cannot start external applications on XFCE because the
   exo-open abstraction lacks permission to execute
   /usr/bin/xfce4-mime-helper.

   A cursory look at the sources suggests that recent exo-open
   needs to execute xfce4-mime-helper in some cases:
   https://sources.debian.org/src/exo/4.16.3-1/exo-open/main.c/?hl=265#L265
   https://sources.debian.org/src/exo/4.16.3-1/exo/exo-execute.c/?hl=263#L86
   https://sources.debian.org/src/exo/4.16.3-1/exo/exo-execute.c/?hl=263#L263

   This suggests it's a bug in the exo-open abstraction.

   Is this problem fixed by adding the following line to
   /etc/apparmor.d/abstractions/exo-open

      /{,usr/}bin/xfce4-mime-helper rix,

   ?

   If that's enough, I'm happy to submit the fix upstream.

2. The list of web browsers that applications can start is hard-coded
   and does not support, out of the box, browsers installed in
   arbitrary locations.

   This is an AppArmor design problem that affects all desktop apps
   that need to start a browser. I'm not aware of any plan to fix this
   in the short term. Ideally apps would use Portals instead of
   implicitly relying on being allowed to execute arbitrary programs.

   Meanwhile, the best I can suggest is that users add their preferred
   browser to /etc/apparmor.d/abstractions/ubuntu-browsers.

Cheers!
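
[Added example, not part of the original message and not code from the AppArmor or exo projects.] One way to check whether the rule proposed above would cover the exec denials seen in the kernel log. The log lines, the profile name in them and the /opt browser path are constructed for illustration, and only `{a,b}` alternation is expanded (AppArmor's `*`/`**` globs are not handled).

```python
import re

# Rule quoted from the message above.
RULE = "/{,usr/}bin/xfce4-mime-helper rix,"

# Constructed sample audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1653198823.101:42): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/xfce4-mime-helper" pid=4242 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1653198823.207:43): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/opt/example-browser/browser" pid=4243 comm="exo-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1653198824.001:44): apparmor="ALLOWED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/true" pid=4244 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

def denied_execs(log):
    """Return (profile, path) for each DENIED event whose denied mask includes x."""
    out = []
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") == "DENIED" and "x" in f.get("denied_mask", ""):
            out.append((f["profile"], f["name"]))
    return out

def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations into the literal paths they stand for."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

def rule_covers(rule, path, perm="x"):
    """True if a file rule such as '/{,usr/}bin/foo rix,' grants perm on path."""
    pattern, perms = rule.strip().rstrip(",").rsplit(None, 1)
    return path in expand_braces(pattern) and perm in perms

if __name__ == "__main__":
    for profile, path in denied_execs(SAMPLE_LOG):
        verdict = "covered" if rule_covers(RULE, path) else "NOT covered"
        print(f"{profile}: exec {path} -> {verdict} by proposed rule")
```

The second constructed denial stays uncovered, which corresponds to problem 2 above: a browser outside the hard-coded locations needs its own entry.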


