John Johansen john.johansen at canonical.com
Sun Apr 2 09:25:13 UTC 2017

On 03/19/2017 04:24 AM, u wrote:
> I've added the patch by Douglas Bagnall here:
> https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+ref/thunderbird/links
> Then I thought I need to try to make this work on a Debian/GNOME system
> too.  Thunderbird seems to ask gnome-open for my preferred browser but
> it does not open links using gnome-open, instead it wants to open the
> browsers directly.
> But I keep running into this kind of problem when I tell Thunderbird to
> use Chromium:
> type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED"
> operation="file_mmap" profile="icedove//sanitized_helper"
> name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115
> comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

So the sanitized_helper profile is a specialized transition helper that
helps to sanitize the environment. You will need to add a rule of the

  /lib/@{multiarch}/libpthread-2.19.so m,

This is likely not the only rule you will need, and I am sure the
chrome/chromium profile will need to be updated as well.

> And when I tell it to use Firefox-ESR:
> type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED"
> operation="exec" profile="icedove"
> name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> This seems to be a very similar issue here:
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1282314

No. That bug is more like the first denial message from above.
This is the icedove profile not being allowed to exec firefox-esr.

You will need to add an exec rule. Without looking at the Debian
profiles, I would hazard a guess at

  /usr/lib/firefox-esr/firefox-esr Px,

However, I wouldn't be surprised if px might be needed due to env.

> I was wondering how to solve this.
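
Added example, not part of the original message and not AppArmor's own tooling: a small Python parser that reads the two denials quoted in this thread and prints, per denied profile, a candidate rule of the kind suggested in the reply. The function names, the `exec_mode` parameter and the x86_64-only `@{multiarch}` substitution are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, re-joined onto single lines.
SAMPLE_LOG = '''\
type=AVC msg=audit(1489921484.684:12657): apparmor="DENIED" operation="file_mmap" profile="icedove//sanitized_helper" name="/lib/x86_64-linux-gnu/libpthread-2.19.so" pid=32115 comm="chrome-sandbox" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1489921598.610:12721): apparmor="DENIED" operation="exec" profile="icedove" name="/usr/lib/firefox-esr/firefox-esr" pid=32303 comm="icedove" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Assumption: only the x86_64 triplet is generalised to @{multiarch}.
MULTIARCH = re.compile(r'/x86_64-linux-gnu/')

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in FIELD.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def suggest_rule(denial, exec_mode="Px"):
    """Turn one denial into a candidate rule line for the denied profile."""
    path = MULTIARCH.sub("/@{multiarch}/", denial["name"])
    mask = denial["denied_mask"]
    if "x" in mask:
        # The exec transition mode is a policy choice a human must make;
        # the default here is only the guess given in the reply.
        return f"{path} {mask.replace('x', '')}{exec_mode},"
    return f"{path} {mask},"

def rules_by_profile(log_text, exec_mode="Px"):
    """Group candidate rules under the profile that logged the denial.
    A name like parent//child is a child profile or hat of the parent."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and all(k in d for k in ("profile", "name", "denied_mask")):
            rule = suggest_rule(d, exec_mode)
            if rule not in out[d["profile"]]:
                out[d["profile"]].append(rule)
    return dict(out)

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

The output is a starting point for review only: each candidate rule belongs in the profile named in the `profile=` field, which is why the mmap rule and the exec rule end up in different places.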
