Score:7

permission denied when Evince tries to use Chrome to open link

jp flag

I know there are existing questions about problems with Evince opening links, but this looks like a new error. This is in 21.04 but I think the error is very recent, i.e. the links worked earlier in 21.04. So I started evince from the command line and when I tried to open a link in the document, I got this error:

```
[205689:205689:0812/101716.420196:FATAL:double_fork_and_exec.cc(131)] execv /opt/google/chrome/crashpad_handler: Permission denied (13)
```

This is evince 40.1 and Chrome 92.0.4515.131

I submitted an evince issue about this: https://gitlab.gnome.org/GNOME/evince/-/issues/1646 and determined that the problem is AppArmor, which is preventing evince from invoking Chrome (but allows it to use Firefox). So I need to modify the AppArmor profile for evince. I have no idea how to do this. I tried using aa-logprof, but I clearly need instructions that I can understand. I would appreciate any pointers that show step-by-step, how to make the necessary modification to the evince profile.

Update: Success. I added this line to the sanitized_helper profile in abstractions/ubuntu_helpers:

```
/opt/google/chrome/crashpad_handler Pixr,
```

and reloaded the evince profile. Now I get these errors when clicking on the link:

```
[20036:20069:0813/075235.070369:ERROR:address_tracker_linux.cc(195)] Could not create NETLINK socket: Permission denied (13)
[20036:20065:0813/075235.071590:ERROR:udev_watcher.cc(52)] Failed to initialize a udev monitor.
Opening in existing browser session.
```

And the link opened successfully in a new chrome tab.

ru flag
Start by running `tail -f /var/log/syslog | grep -i apparmor` in the terminal. Then try and open the link. Share the output of the apparmor denials so we can start pointing you where you need to go for fixing this, as it'll state the specific policy that's impacting and then we can update the policy later.
jp flag
```
Aug 13 05:38:20 ratel kernel: [52504.309148] audit: type=1400 audit(1628858300.725:61): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/crashpad_handler" pid=16475 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

It was suggested by a comment to my gitlab report that the problem seems to be the fact that the chrome executables are in /opt/google/chrome rather than a "normal" place like /usr/bin.
jp flag
The sanitized_helper profile, defined in ubuntu_helpers, included indirectly from the evince profile, seems to allow execution of things under /opt/google/chrome, but not crashpad_handler.
Gert Willems avatar
cn flag
I also had to use the chrome_ prefix on my Ubuntu 20.04, Chrome Version 96.0.4664.45 (Official Build) (64-bit)
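The denial record quoted in the comments above names everything needed to place a rule: the confined profile (`parent//child`), the operation, the path and the denied mask. As an added example (not part of the original thread), this script groups such records so repeated denials collapse into one row; the function names and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: group AppArmor DENIED audit records by profile, path and mask.

# Sample input. Line 1 is the denial quoted in this thread; line 2 is a
# constructed repeat (different time/pid); line 3 is constructed unrelated noise.
SAMPLE_LOG='Aug 13 05:38:20 ratel kernel: [52504.309148] audit: type=1400 audit(1628858300.725:61): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/crashpad_handler" pid=16475 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 13 05:39:02 ratel kernel: [52546.100000] audit: type=1400 audit(1628858342.100:62): apparmor="DENIED" operation="exec" profile="/usr/bin/evince//sanitized_helper" name="/opt/google/chrome/crashpad_handler" pid=16601 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 13 05:39:05 ratel kernel: [52549.000000] usb 1-1: new high-speed USB device'

# field KEY LINE: print the value of KEY="value" from one audit record.
field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# child_profile NAME: for "parent//child" print "child" (the profile block
# that needs the rule); for a plain profile name print it unchanged.
child_profile() {
    case "$1" in
        *//*) printf '%s\n' "${1##*//}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# summarise_denials: read log lines on stdin and print one tab-separated row
# per distinct denial: profile, operation, path, denied_mask, count.
summarise_denials() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        printf '%s\t%s\t%s\t%s\n' \
            "$(field profile "$line")" "$(field operation "$line")" \
            "$(field name "$line")" "$(field denied_mask "$line")"
    done | sort | uniq -c |
        awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print $0 "\t" c }'
}

# Demo on the embedded sample; on a live system feed it the log instead,
# e.g. summarise_denials < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | summarise_denials
```
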
Score:10
jp flag

Edit the file ubuntu-helpers:

```
sudo gedit /etc/apparmor.d/abstractions/ubuntu-helpers
```

Under `profile sanitized_helper {`, find lines beginning `/opt/google/chrome`. Add this line:

```
/opt/google/chrome/crashpad_handler Pixr,
```

Save the file. Reload the evince profile (while in /etc/apparmor.d):

```
sudo apparmor_parser -r usr.bin.evince
```

cn flag
Thanks a lot! Worked under Debian 11 too. For the last part, you may just run `sudo service apparmor restart`.
cn flag
I used `/opt/google/chrome/chrome_crashpad_handler Pixr,` as there was nothing in that path with the name `/opt/google/chrome/crashpad_handler`, and the solution worked. Then I changed back to your solution, and it stopped working. Then I reverted back to my solution. :|
jp flag
On my system, it is still `chrome_crashpad_handler`. This is chrome Version 94.0.4606.61 (Official Build) (64-bit). Very odd that the name would be different on your system.
cn flag
I second @ssi-anik that for example Debian 11 (Bullseye) has a `chrome` prefix in front of `crashpad_handler`, so @ssi-anik's answer is good for some cases.
Rob Rutten avatar
ru flag
I also second needing the chrome_ prefix. Works in my Ubuntu 18.04!
ng flag
You can look up the paths with `$ dpkg -S <path>`. I have the standard Chrome from Google (not chromium or some other alternative). For the answer's path: `dpkg-query: no path found matching pattern /opt/google/chrome/crashpad_handler`. With the `chrome_` prefix: `google-chrome-stable: /opt/google/chrome/chrome_crashpad_handler`.
ng flag
Adding this line instead covers both cases: `/opt/google/chrome{,-beta,-unstable}/{,chrome_}crashpad_handler Pixr,`
water stone avatar
in flag
I also only have /opt/google/chrome/chrome_crashpad_handler, no /opt/google/chrome/crashpad_handler (the former filename is clearer)
water stone avatar
in flag
Reload the evince profile from any dir: `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.evince`
Score:2
jp flag

I've created the merge request on AppArmor to fix this problem:

https://gitlab.com/apparmor/apparmor/-/merge_requests/830

David avatar
cn flag
What about later when the link is not there? If there is important info in the link include it in the answer.