Hi,

Simon Deziel:
> On 2017-10-31 08:32 AM, Philipp Kern wrote:
>> When I use Thunderbird I see a lot of these in the kernel log (probably
>> whenever I look at a signed and/or encrypted email):
>>
>> [94784.485686] audit: type=1400 audit(1509453045.981:153):
>> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
>> name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2"
>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
This means that Thunderbird has run gpg2, which inherited an open file
descriptor to omni.ja (AppArmor now mediates such inherited file
descriptors). But it does not imply that gpg2 has tried to access omni.ja
whatsoever.

>> I don't see an obvious degradation of the client. Even gpg-encrypted
>> mails get handled correctly by Enigmail. But I suppose some kind of rule
>> is missing to make the log lines go away?

Indeed.

> I'd be tempted to add a deny rule to silence it. Opinions?

Yes, please :)

You might need to add more than just the omni.ja rule, like I had to do
for torbrowser-launcher:
https://github.com/intrigeri/torbrowser-launcher/commit/d043788f590e8ff2da585e3512a0e596e7460ff8

Cheers!
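The reply above says the fix is a deny rule in the profile the denial was logged against, and that more than one may be needed. The script below is an added example, not code from this thread, from Debian's thunderbird profile or from the linked torbrowser-launcher commit: it parses AppArmor "DENIED" audit lines of the shape quoted in the message and emits one candidate `deny` rule per distinct (profile, path, mask), grouped by the profile= value, which for operation="file_inherit" is the child profile (here thunderbird//gpg) rather than the parent. The second log line in SAMPLE_LOG is constructed (a hypothetical second inherited descriptor) to show grouping; the first is the line from the thread. It assumes the denied_mask letters are usable as-is in a file rule, which holds for the read mask shown but not for every mask AppArmor can log.

```python
"""Turn AppArmor DENIED audit lines into candidate 'deny' rules.

Added example for the thread above; not the project's own tooling
(aa-logprof does this job properly).  Assumes the key=value audit
format shown in the quoted log line.
"""
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the thread,
# line 2 is a hypothetical second file_inherit denial for a different path.
SAMPLE_LOG = """\
[94784.485686] audit: type=1400 audit(1509453045.981:153): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/share/thunderbird/omni.ja" pid=4440 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[94784.485701] audit: type=1400 audit(1509453045.981:154): apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg" name="/usr/lib/thunderbird/omni.ja" pid=4440 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[94784.490000] kernel: unrelated message that must be ignored
"""

# key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of one AppArmor DENIED audit line as a dict,
    or None if the line is not such a record."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted or bare
    return fields


def deny_rule(fields):
    """Build the file rule that silences one denial.

    Only the denied mask matters: for the quoted line this yields
    'deny /usr/share/thunderbird/omni.ja r,'.  Assumption: the mask
    letters map 1:1 onto AppArmor file permissions (true for 'r').
    """
    return "deny {} {},".format(fields["name"], fields["denied_mask"])


def rules_by_profile(log_text):
    """Group candidate rules by the profile= value of each denial.

    For operation="file_inherit" that value names the child profile
    (thunderbird//gpg) the descriptor was inherited into, so the rule
    belongs in that child, not in the parent thunderbird profile.
    Duplicates are dropped; order of first appearance is kept.
    """
    out = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None or fields.get("type") != "1400":
            continue
        rule = deny_rule(fields)
        if rule not in out[fields["profile"]]:
            out[fields["profile"]].append(rule)
    return dict(out)


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print("# rules to add to profile {}".format(profile))
        for rule in rules:
            print("  " + rule)
```

Run it against the real kernel log (`journalctl -k` or dmesg output) instead of SAMPLE_LOG to collect every path gpg2 inherits before deciding which deny rules to add; a `deny` rule also suppresses the audit record, which is what makes the log lines go away.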