what a mess… disregard all of the above…
In a nutshell:
- enabled apparmor in template vm, installed apparmor-profiles-whonix
- any appVM based on that template (even with apparmor disabled in kernelopts) can not open jpg files in okular
Before changes to template vm, this issue was not present.
Solution: run kbuildsycoca4. No idea why. Something related to apparmor install modified /var/tmp/kdecache-user/ksycoca4.
Okular apparmor profile is fine.
While troubleshooting, discovered that aa-logprof wasn’t doing anything at all… AppArmor and Whonix - #4 by entr0py