Page MenuHomePureOS Tracker

apparmor: blocks applications (Thunderbird, Document Viewer, etc.) from passing links to PureBrowser
Open, HighPublic

Description

Opened a PDF with a link in Document Viewer, clicked the link, saw the attached failure.

Event Timeline

todd created this task.Mar 11 2018, 16:27
jonas.smedegaard renamed this task from Purebrowser fails to launch from a link within Document Viewer to Document Viewer fails to have PureBrowser launched from a link.Apr 11 2018, 00:11
jonas.smedegaard removed jonas.smedegaard as the assignee of this task.
jonas.smedegaard triaged this task as High priority.
jonas.smedegaard added a subscriber: jonas.smedegaard.

That smells like a problem with AppArmor blocking too much for Document Viewer.

I believe "Document Viewer" is the package evince.

Ah, it seems AppAmor contains a hardcoded list of web browsers, and needs to be educated about the existence of PureBrowser in the file

/etc/apparmor.d/abstractions/ubuntu-browsers

I will fork apparmor with that change...

jonas.smedegaard renamed this task from Document Viewer fails to have PureBrowser launched from a link to apparmor: blocks applications (Thunderbird, Document Viewer, etc.) from passing links to PureBrowser.Apr 11 2018, 02:03

should be fixed in landing by now. Will keep this issue open until either someone using landing confirms, or it trickles into green and noone screams.

todd added a comment.Apr 12 2018, 08:28

Ah, it seems AppAmor contains a hardcoded list of web browsers, and needs to be educated about the existence of PureBrowser in the file

/etc/apparmor.d/abstractions/ubuntu-browsers

Could you also check if other areas within AppArmor require forks we use? Or if there are other applications that require browser specific tasks to include PureBrowser? (a simple grep maybe?)

The reason this was fixed by forking apparmor (not including an apparmor snippet with purebrowser package) was to address generally the need of application needing access to browser to also be granted that for PureBrowser.

I am unaware of any other current deviations of ours requiring modifications to AppArmor, but lack a complete picture yet of how exactly our system deviates from Debian: from our end we track only the parts we deviate _and_ lag behind (see T367#6535) and at from Debian end tracking is blocked by lack of funding for disk space (last - possibly incomplete - data is from 2018-01-05: http://deriv.debian.net/Purism/).

Yes, I will try locate issues unrelated to apparmor of packages hardcoding default browser being "firefox" (like T303 and T337). Will track such as separate issues, though.