- Package: thunderbird
- Source: thunderbird
- Description: mail/news client with RSS, chat and integrated spam filter support
- Submitter: Philipp Kern
- Date: 2026-06-22 20:45:03 UTC
- Severity: minor
- Tags:
I turned on AppArmor and Thunderbird stopped opening links for me. dmesg has the following denial message:

    [ 3795.153239] audit: type=1400 audit(1509283418.100:64): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/google/chrome-beta/google-chrome-beta" pid=31896 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I think there needs to be some kind of defined way for browsers to be allowed to be executed. I understand that I use a browser that is not in the distribution, which makes this even more important. In this case the browser is literally set as the xdg default:

    $ xdg-settings get default-web-browser
    google-chrome-beta.desktop

/etc/apparmor.d/abstractions/ubuntu-browsers includes the regular google-chrome:

    /opt/google/chrome/google-chrome Cx -> sanitized_helper,

Literally the only browser Thunderbird should be able to execute is the one configured as the default, not some set of ancient and potentially exploitable other browsers (like some compiled against old webkit versions), looking at the current list in the abstraction.

I suppose one way would be to always launch some kind of sensible-browser binary and let that call out to the default browser only. Which might be what sanitized_helper is already trying to accomplish. Except that the abstraction leaks into the... abstraction. :)

Another way would be to let browser packages ship a file that allows their execution and then the installed ones are automatically available to Thunderbird (or another browser-spawning program). In this case Chrome would need to start shipping such a file.

Kind regards and thanks
Philipp Kern
[...]

Note that this extends to generic URL handlers as well:

    [95946.493507] audit: type=1400 audit(1509454207.986:185): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/bin/gobby-0.5" pid=6205 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

(From an infinote:// URL in an email.) And I'd be surprised if Thunderbird were the only application with this problem.

Kind regards
Philipp Kern
Hi,

Philipp Kern:

I think this is (technically, not in terms of UX) closer to #855346 which is fixed in the Vcs-Git already:

https://anonscm.debian.org/cgit/pkg-mozilla/thunderbird.git/tree/debian/apparmor/usr.bin.thunderbird

Cheers,
Hi Philipp,

first of all, thanks for your report; I particularly appreciate that you've put quite some thought into the problem and its various potential long-term solutions :)

Philipp Kern: trivially be fixed without blocking on a solution to the general one.

I agree, see below.

I agree this would be ideal but:

- While dynamic generation of ad-hoc strict AppArmor profiles is doable for services that run as root (e.g. that's what libvirt does), I'm not aware of any existing solution for non-root apps, and it looks like it would require lots of work, so let's not count on it.
- I think this is better solved by a broker design i.e. the sandboxed app asks some privileged helper, outside the sandbox, to open a URL. This is certainly doable with AppArmor (iirc Ubuntu Phone and snaps have something like this) but I doubt it'll be nicely integrated soon and it requires the app to cooperate so that's not something we'll get in Thunderbird on the short term (see Simon's post on debian-devel@ about how it can be done for modern GTK/Glib apps).
- Arguably it's the distro's responsibility to avoid shipping/leaving exploitable browsers around on users' systems.

Indeed, if Thunderbird was using xdg-open, sensible-browsers and similar it would be much easier to come up with an AppArmor policy that's better both in terms of security and UX. When working on this 1-2 years ago Ulrike noticed this isn't the case. I haven't checked recently though. If we can't find a simpler solution I'm open to checking with Mozilla why they do it their way.

I think we can totally do this: the #include directive can take a directory (e.g. something.d) as an argument so for example abstractions/ubuntu-browsers could include a .d directory where each browser (e.g. google-chrome-beta) could drop its snippet. Given the above, this is likely the only solution that would be flexible enough for your needs, while being doable on the short term without major changes.
I've started a discussion about this upstream: https://bugs.launchpad.net/apparmor/+bug/1730220 Cheers,
Once the AppArmor profile for Thunderbird is disabled by default (#882672), this bug will only affect users who opt in.
I have the same problem with opening links in Vivaldi (1.13.1008.34 (Stable channel) (64-bit)) via Thunderbird (52.4.0 (64-bit)).

    $uname -a
    Linux sun 4.13.0-1-amd64 #1 SMP Debian 4.13.13-1 (2017-11-16) x86_64 GNU/Linux.

Vivaldi is set systemwide as my preferred browser. Thunderbird has it as the preferred action to open http/https links with my standard browser. I've tried also with the path to the browser (/opt/vivaldi/vivaldi) in the config of Thunderbird, but it didn't work.

I've checked with $tail -f /var/log/messages:

    Dec 6 09:19:09 sun kernel: [17764.341411] audit: type=1400 audit(1512548349.389:549): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/vivaldi/vivaldi" pid=10791 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

This comes up when I click on links in Thunderbird to open it with Vivaldi. When I change my standard browser i.e. to Chrome or Firefox, it works. It is possible to open links in mails with my standard browser. When I go back to Vivaldi as my standard browser the apparmor message comes up and it is not possible to open links in mails.

When I boot my system with Kernel 4.12 it works normal

    $uname -a
    Linux sun 4.12.0-2-amd64 #1 SMP Debian 4.12.13-1 (2017-09-19) x86_64 GNU/Linux

regards
Michael
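A triage helper for the three denial records quoted in this thread, added here as an example and not part of the bug report or of any Debian or AppArmor tooling. It lists the exec targets denied under a profile and emits rule lines, in the `Cx -> sanitized_helper,` form quoted above from abstractions/ubuntu-browsers, only for handlers an administrator has approved; the function names and the `approved` set are assumptions made for this example.

```python
import re

# The three denial records quoted in this thread, embedded so the example runs offline.
SAMPLE_LOG = """\
[ 3795.153239] audit: type=1400 audit(1509283418.100:64): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/google/chrome-beta/google-chrome-beta" pid=31896 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[95946.493507] audit: type=1400 audit(1509454207.986:185): apparmor="DENIED" operation="exec" profile="thunderbird" name="/usr/bin/gobby-0.5" pid=6205 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Dec 6 09:19:09 sun kernel: [17764.341411] audit: type=1400 audit(1512548349.389:549): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/vivaldi/vivaldi" pid=10791 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict of key/value fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, raw in FIELD.findall(line):
            if raw.startswith('"'):
                rec[key] = raw[1:-1]
            elif key == "name":
                # Unquoted names are hex-encoded by the audit layer (e.g. paths with spaces).
                rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            else:
                rec[key] = raw
        records.append(rec)
    return records

def denied_execs(text, profile):
    """Executables the given profile was denied to run, in first-seen order."""
    paths = []
    for rec in parse_denials(text):
        path = rec.get("name")
        if rec.get("profile") == profile and rec.get("operation") == "exec" and path and path not in paths:
            paths.append(path)
    return paths

def dropin_rules(text, profile, approved):
    """Emit rules only for approved handlers; everything else is returned for review."""
    rules, review = [], []
    for path in denied_execs(text, profile):
        if path in approved:
            quoted = f'"{path}"' if " " in path else path
            rules.append(f"{quoted} Cx -> sanitized_helper,")
        else:
            review.append(path)
    return rules, review
```

Calling `dropin_rules(SAMPLE_LOG, "thunderbird", {"/opt/google/chrome-beta/google-chrome-beta"})` yields one rule for the approved default browser and returns the gobby and Vivaldi paths for manual review instead of allowing them.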
We believe that the bug you reported is fixed in the latest version of
thunderbird, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 880424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Schoenert <c.schoenert@t-online.de> (supplier of updated thunderbird package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 22 Jun 2026 21:41:06 +0200
Source: thunderbird
Architecture: source
Version: 1:152.0-1
Distribution: experimental
Urgency: medium
Maintainer: Carsten Schoenert <c.schoenert@t-online.de>
Changed-By: Carsten Schoenert <c.schoenert@t-online.de>
Closes: 880424 882218 883245 900210 909281 914403 917613 928178 949450 949649 955380 961269 1127710 1128672 1128876 1138513
Changes:
thunderbird (1:152.0-1) experimental; urgency=medium
.
[ Carsten Schoenert ]
* [5097e09] d/control: Bump B-D for libnss3-dev
* [5350030] New upstream version 152.0
(Closes: #1138513)
* [92962df] Rebuild patch queue from patch-queue branch
Removed patch (included upstream):
fixes/Fix-conflicting-types-for-once_flag-and-call_once-with-gl.patch
fixes/Fix-math_private.h-for-i386-FTBFS.patch
fixes/Fix-sandbox-to-build-with-glibc-2.43.patch
* [46de392] d/mozconfig.default: Remove option --enable-av1
.
[ Christoph Goehre ]
* [5308430] rebuild patch queue from patch-queue branch (Closes: #1128876)
.
[ intrigeri ]
* [77d16c3] Don't install AppArmor policy anymore
(Closes: #1128672, #1127710, #928178, #909281, #955380, #882218, #900210,
#914403, #917613, #949450, #880424, #883245, #961269, #949649)