I've logged in to my Google account in the Ubuntu 22.04 settings. A link to my Google drive appears in Nautilus. I'm able to open photos and doc files, but when I try to open PDFs I receive an error message, "Unable to open document "[file:// etc.] ... Error opening file ... Permission denied.
How can I fix this problem? I've looked online and mostly am finding information regarding the Google desktop version of google drive.
I would not recommend messing with the AppArmor settings as it's a safety-critical feature of Linux kernel and it's a workaround rather than providing a lasting solution.
I solved this by re-installing the Document Viewer (Evince) but instead of using the Ubuntu .deb distribution, installing as a Flatpak (from Flathub). The sandbox distribution design of Flatpak seems not to suffer from this issue with AppArmor permissions.
sudo apt-get remove evince
sudo apt install flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub org.gnome.Evince
This is problem with the Document Viewer(Evince) not Nautilus
Disable One Profile
sudo ln -s /etc/apparmor.d/usr.bin.evince /etc/apparmor.d/disable/
If this doesn't work, you can install atril document viewer and set that as your default, it should work.
It's, effectively, an apparmor problem, as spotted by Devansh. Still here in 24.04. I personally would not disable the protection completely, evince is heavily used, and you never know...
So what I did is: try to see why it doesn't work. I issued (you need to install apparmor-utils for that) the command to put the specific profile in complain mode, so that it permits the operation but log it on the journal.
sudo aa-complain usr-bin.evince
And yep, it works. The logs (see with journalctl) says (edited for privacy)
audit: type=1400 audit(1724748978.556:314): apparmor="ALLOWED" operation="connect" class="file" profile="/usr/bin/evince" name="/run/user/1001/gvfsd/socket-MqrSttuD" pid=31918 comm="evince" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=1001
audit: type=1400 audit(1724748978.571:316): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/evince" name="/run/user/1001/gvfs/google-drive:host=gmail.com,user=xxx.yyy/0ANkkkkkkJaUk9PVA/llllll
So ok, it was denying the access to the /run/user/... directories.
My solution was to edit (as root) /etc/apparmor.d/local/usr.bin.evince (in principle should be there, empty, and should survive updates, but we'll see) adding
# allow access to google drive and other shared files
owner /run/user//gvfs/* rw,
owner /run/user//gvfsd/* rw,
and then you should reload the profiles:
sudo service apparmor reload
and enforce it again
sudo aa-enforce usr.bin.evince
...and in principle everything works as expected, maintaining the protections AppArmor provides for other files.
Notice that this is probably a configuration bug: I think the directories under `/run/user/UID/ should be permitted by default.
This also happens with a fresh Ubuntu 24.04 installation.
As @Omid Khalili pointed out in a comment, you can just reinstall evince with snap:
sudo apt remove evince
sudo snap install evince
This fixes "permission denied" for Google Drive, but not for Cryptomator, in case you use this, too.
update: sudo snap install evince only seems to fix it on Ubuntu 24.04 until you restart, at least he error comes back after a few days.
I experienced this issue, where opening PDFs in led to permission denied. I upgraded evince to the latest version (evince-common all 46.3.1-0ubuntu1, evince amd64 46.3.1-0ubuntu1), and that did the trick!
So in practice I did this:
sudo apt update
sudo apt upgrade evince evince-common
