#949450 thunderbird: apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.*"

Package:
thunderbird
Source:
thunderbird
Description:
mail/news client with RSS, chat and integrated spam filter support
Submitter:
Dmitry Smirnov
Date:
2026-06-22 20:45:07 UTC
Severity:
minor
#949450#5
Date:
2020-01-20 23:49:06 UTC
From:
To:
While Thunderbird is being used, kernel repeatedly logs the following:

```
audit: type=1400 audit(1579563490.921:660): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.9d3eJz" pid=23349 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
```

Please advise.
---

Belief is the death of intelligence.
        -- Robert Anton Wilson

#949450#10
Date:
2020-01-21 06:24:26 UTC
From:
To:
Hi Vincas,

do we need to adjust the TB profile once again? Do you have any advice?

On 21.01.20 at 00:49, Dmitry Smirnov wrote:

#949450#15
Date:
2020-01-27 11:16:41 UTC
From:
To:
hey,

i think severity should be raised to important or even grave.
thunderbird/enigmail is unusable with default apparmor profile enabled.. this
particular message is one of many, makes encrypt/decrypt/signing completely
unusable. tried to add exceptions to apparmor, but new DENIED msgs rise.. and
not just for thunderbird/gpg.
eg. /OfflineCache/index.sqlite DENIED, filterlog.html DENIED..

atm, i've disabled apparmor profile and got back to a usable tb/enigmail. i
could send more details/messages if needed or a new bug report(?).

thanks,
d.

#949450#20
Date:
2020-01-28 19:26:42 UTC
From:
To:
Hello Dimitry,

On 27.01.20 at 12:16, dimitris@stinpriza.org wrote:

feel free to increase the severity to important. I disagree with grave
or serious as the profile is disabled by default.
Normally we handle AA issues as wishlist.

Logs are always fine and helpful. Also diffs from the modified
configuration files. And they are needed to fix the problems. I added
the Apparmor people into the loop, they know better what they maybe need
more than the usual log from dmesg.

@Intri and Vincas
Could you have a look at this issue here? Dimitry added some logging
information within his first email. Thanks!

#949450#25
Date:
2020-01-30 12:11:05 UTC
From:
To:
hey,

you're right, enabled the profile myself at some point (=removed
disable symlink ...), so please nevermind the severity thing.


just reinstalled thunderbird, and enabled apparmor profile.
strangely, enigmail works now and tb is behaving normally.. (diff from
previous active profile doesn't show anything ?!).
( sorry for the fuzz :( )

anyway, apart from the last message (original bug report) that indeed
spams dmesg/logs, there are 3 more DENIED msgs at tb start :

```
[Thu Jan 30 2020] audit: type=1400 audit(1580374356.699:35): apparmor="DENIED" operation="capable" profile="thunderbird" pid=23563 comm="thunderbird" capability=21  capname="sys_admin"
[Thu Jan 30 2020] audit: type=1400 audit(1580374356.923:36): apparmor="DENIED" operation="open" profile="thunderbird//sanitized_helper" name="/tmp/clearsigned.message.pycT1r" pid=23600 comm="apt-cache" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[Thu Jan 30 2020] audit: type=1400 audit(1580374357.943:37): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/mate/defaults.list" pid=23563 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```


concerning original report msg, added this to profile :

```
owner /dev/shm/org.chromium.* r,
```

and it goes away, but then new msgs pop :

```
audit: type=1400 audit(1580377190.735:2835): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/home/user/.icedove/profile.default/Mail/Feeds/filterlog.html" pid=13850 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
```

&

```
audit: type=1400 audit(1580379917.195:2937): apparmor="DENIED" operation="file_perm" profile="thunderbird//gpg" name="/home/user/.icedove/profile.default/ImapMail/account1/filterlog.html" pid=32149 comm="thunderbird" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
```


one for every filterlog.html in all accounts.. used this in profile to
go away:
```
owner /home/*/{.icedove,.thunderbird}/*/*/*/filterlog.html w,
```

but maybe there's a better way.

also this msg :

```
audit: type=1400 audit(1580377190.735:2836): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name=2F6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD6C pid=13850 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000
```

(replaced chars in between with Xs, since i don't know what this could
be..?)


thanks,
d.

#949450#30
Date:
2020-01-31 10:46:49 UTC
From:
To:
well nope, after reboot, back to enigmail not working... (!?)
had to disable profile again, to get it working..

apart from original and these messages, there are more following which
cause tb to get unresponsive..



new messages emerging making tb/enigmail unusable :

```
audit: type=1400 audit(1580465922.867:14): apparmor="DENIED" operation="capable" profile="thunderbird" pid=11974 comm="thunderbird" capability=21 capname="sys_admin"
audit: type=1400 audit(1580465924.499:15): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/mate/defaults.list" pid=11974 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1580465929.463:16): apparmor="DENIED" operation="file_lock" profile="thunderbird" name="/home/user/.cache/thunderbird/profile.default/OfflineCache/index.sqlite" pid=11974 comm="thunderbird" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
audit: type=1400 audit(1580465955.367:18): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/home/user/.icedove/profile.default/ImapMail/account1/INBOX.sbd/folder" pid=13491 comm="gpg" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1580466665.275:19): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/home/user/.icedove/profile.default/prefs-1.js" pid=20428 comm="gpg" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1580466665.279:20): apparmor="DENIED" operation="exec" profile="thunderbird//gpg" name="/usr/bin/gpg-agent" pid=20430 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```


thanks,
d.

#949450#35
Date:
2020-02-11 00:21:43 UTC
From:
To:
Hello,

I'm not the maintainer of the thunderbird profile nor using Debian, but
maybe I can give some helpful input nevertheless ;-)

(Updating the shipped profile has to be done by someone else.)

On Friday, 31 January 2020, 11:46:49 CET, Dimitris wrote:
...

That looks interesting[tm] - why would apt-cache want to access a
tempfile that looks like (wild guess based on the filename) a signed
message?

[...]

That's a hex-encoded filename - this encoding gets used in the log if a
filename contains for example a space or special characters.

You can decode it with
    aa-decode 2F6....D6C
(obviously use the original name, not the X'ed out one)

From the X'ed out name, I can say that it starts with, surprise, "/"
(2F) and ends with "l" (6C)

sandboxing that needs this capability to initialize?

That translates to   /etc/mate/defaults.list r,   for the thunderbird
profile - or an abstraction. (We don't have a mate abstraction yet,
maybe it's time to start one? ;-)

k is for "file lock". The strictest-possible rule would be
    /home/*/.cache/thunderbird/profile.default/OfflineCache/index.sqlite k,

These two look like a case of thunderbird not closing files when
executing gpg. You can probably ignore or deny that.

Ah, gpg wants to execute gpg-agent. That makes sense.

The easiest solution would be to add
    /usr/bin/gpg-agent mrix,
to the gpg subprofile.

A more strict version would be
    /usr/bin/gpg-agent mrPx -> thunderbird//gpg-agent,
to the gpg subprofile, and then to create a child profile called
gpg-agent:
    profile gpg-agent {
        # TODO
    }


As a sidenote - someone in the #apparmor IRC channel (on OFTC) spent
some work on creating a profile for thunderbird a few weeks ago.
Unfortunately the pastebin links have expired, but if you are
interested, I can try to get it uploaded somewhere again.


BTW: While you work on the profile, you might want to put it into
complain mode. Without knowing the exact profile filename:
    aa-complain /etc/apparmor.d/*thunderbird
This will allow everything (so Thunderbird will work) and log what would
be denied. However, note that "allow everything" means that AppArmor
won't prevent anything evil, so don't forget to switch the profile back
to enforce mode (using aa-enforce instead of aa-complain) when you think
it's complete.

If you prefer an interactive tool over reading the logfile, you can use
aa-logprof   to update the profile.


Regards,

Christian Boltz

Sure.  Just change your name to "openSUSE".  ;)
[>> Mathias Homann, > Karl Sinn and James Knott in opensuse-factory]
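
Added example (not part of Christian Boltz's message and not code from any AppArmor tool): a small Python parser that de-duplicates `apparmor="DENIED"` records like the ones in this report and decodes an unquoted, hex-encoded `name=` value, which is what `aa-decode` reverses. The function names and the hex-encoded path are constructed for illustration; the other sample records are taken from the report with the mail line-wrapping removed.

```python
import re

# key=value pairs: a value is either "quoted" or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an apparmor="DENIED" audit record, or None."""
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        value = bare if bare else quoted
        if key == "name" and bare:
            # An unquoted name= is hex-encoded (used for spaces/special chars).
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all: keep the raw token
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(log_text):
    """Map (profile, operation, target, denied_mask) -> count, first seen first."""
    seen = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        # Capability denials carry capname= instead of name=.
        target = d.get("name") or "capability " + d.get("capname", "?")
        key = (d.get("profile", "?"), d.get("operation", "?"),
               target, d.get("denied_mask", "-"))
        seen[key] = seen.get(key, 0) + 1
    return seen

# Constructed path containing a space, encoded as the audit log would show it.
HEX_NAME = "/home/user/Mail/Local Folders/filterlog.html".encode().hex().upper()

# Records 1, 3 and 4 are from this report; 2 repeats 1; 5 is constructed.
SAMPLE_LOG = "\n".join([
    'audit: type=1400 audit(1579563490.921:660): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.9d3eJz" pid=23349 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    'audit: type=1400 audit(1579563490.921:660): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/dev/shm/org.chromium.9d3eJz" pid=23349 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    'audit: type=1400 audit(1580465922.867:14): apparmor="DENIED" operation="capable" profile="thunderbird" pid=11974 comm="thunderbird" capability=21 capname="sys_admin"',
    'audit: type=1400 audit(1580466665.279:20): apparmor="DENIED" operation="exec" profile="thunderbird//gpg" name="/usr/bin/gpg-agent" pid=20430 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'audit: type=1400 audit(0.000:0): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name=' + HEX_NAME + ' pid=1 comm="gpg" requested_mask="a" denied_mask="a" fsuid=1000 ouid=1000',
])

if __name__ == "__main__":
    for (profile, op, target, mask), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {profile:30} {op:13} {mask:2} {target}")
```

Grouping by profile and mask makes it easier to separate inherited file descriptors (`file_inherit`) from accesses the confined program actually needs before writing any new rule.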

#949450#40
Date:
2020-08-18 13:03:09 UTC
From:
To:

#949450#45
Date:
2021-11-23 15:12:28 UTC
From:
To:
Hi,

Is this bug still valid? I'm getting the same errors since I upgraded to
Debian Bullseye, however Thunderbird seems to be in enforce mode by
default and so some things are just not working anymore.

Trying to open links leads to:

```
Nov 23 09:57:43 debian thunderbird.desktop[392093]: [392095:392095:1123/095743.933650:FATAL:double_fork_and_exec.cc(131)] execv /opt/google/chrome/chrome_crashpad_handler: Permission denied (13)
Nov 23 09:57:43 debian kernel: audit: type=1400 audit(1637679463.930:453): apparmor="DENIED" operation="exec" profile="thunderbird//sanitized_helper" name="/opt/google/chrome/chrome_crashpad_handler" pid=392095 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

I also get similar GPG errors (I can send the exact lines if needed),
though I haven't even tried using GPG yet.

I don't recall ever changing apparmor config... I did run a
"dpkg-reconfigure apparmor" and it only asked about additional homedir
locations - which I have - but that didn't help anyway.

Regards,

#949450#50
Date:
2021-11-24 06:10:36 UTC
From:
To:
FYI this is the fix for chrome (attached patch), but maybe I should
report to a separate bug as it covers more than TB...

I haven't looked at the gpg issue and apparmor configuration but it may
too be best fixed at a global level... Unless we only want to allow
specific applications to run gpg?

The fix is inspired from https://askubuntu.com/q/1357638/628778

#949450#59
Date:
2026-06-22 20:43:26 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
thunderbird, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carsten Schoenert <c.schoenert@t-online.de> (supplier of updated thunderbird package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 22 Jun 2026 21:41:06 +0200
Source: thunderbird
Architecture: source
Version: 1:152.0-1
Distribution: experimental
Urgency: medium
Maintainer: Carsten Schoenert <c.schoenert@t-online.de>
Changed-By: Carsten Schoenert <c.schoenert@t-online.de>
Closes: 880424 882218 883245 900210 909281 914403 917613 928178 949450 949649 955380 961269 1127710 1128672 1128876 1138513
Changes:
 thunderbird (1:152.0-1) experimental; urgency=medium
 .
   [ Carsten Schoenert ]
   * [5097e09] d/control: Bump B-D for libnss3-dev
   * [5350030] New upstream version 152.0
     (Closes: #1138513)
   * [92962df] Rebuild patch queue from patch-queue branch
     Removed patch (included upstream):
     fixes/Fix-conflicting-types-for-once_flag-and-call_once-with-gl.patch
     fixes/Fix-math_private.h-for-i386-FTBFS.patch
     fixes/Fix-sandbox-to-build-with-glibc-2.43.patch
   * [46de392] d/mozconfig.default: Remove option --enable-av1
 .
   [ Christoph Goehre ]
   * [5308430] rebuild patch queue from patch-queue branch (Closes: #1128876)
 .
   [ intrigeri ]
   * [77d16c3] Don't install AppArmor policy anymore
     (Closes: #1128672, #1127710, #928178, #909281, #955380, #882218, #900210,
      #914403, #917613, #949450, #880424, #883245, #961269, #949649)