Thunderbird cannot open attachments under Linux any more after updating

Solution 1:

The issue is triggered by a mix of a recent Debian kernel now supporting App Armor, and the App Armor rules shipped with the system being to strict and denying evince to access the recently used files (which are updated when opening an attachment with evince). The issue is also described in Debian bug report #882782 and might as well affect other Linux distributions.

The solution is to install the App Armor tools package (sudo apt install apparmor-utils and then adjusting the App Armor profile using sudo aa-logprof). The tool will show following observations (likely it will print more results which will indicate other issues, in my case it was the first):

$ sudo aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  thunderbird
Execute:  /usr/bin/evince
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish

The output means that while the thunderbird profile was active, /usr/bin/evince was to be executed but failed.

You can now decide whether to:

(I)nherit Thunderbird's profile (which means Thunderbird's restrictions will also apply to evince, which will not be matching properly), or
(C)hild will apply evince's profile instead (if available) <-- that's what we're looking for.

...
Finally, select (F)inish to finish editing.

If you use another tool to read logs, the prompt might read slightly different.

Future Thunderbird updates should bring better App Armor profiles, but this is a proper workaround for the moment (and should not do harm in future after better profiles are installed).

It's worth noting that the man page for aa-logprof only mentions this menu: