Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries
Hi again,
On Thu, Jan 18, 2018 at 02:05:02PM +0100, Rene Engelhard wrote:
> X stuff....
diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/program.oosplash
index fef54b7ee384..d68fa776de8f 100644
--- a/sysui/desktop/apparmor/program.oosplash
+++ b/sysui/desktop/apparmor/program.oosplash
@@ -14,6 +14,7 @@
profile libreoffice-oopslash INSTDIR-program/oosplash {
#include <abstractions/base>
+ #include <abstractions/X>
/etc/libreoffice/ r,
/etc/libreoffice/** r,
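Review bot: The added #include <abstractions/X> line in the libreoffice-oopslash profile carries no comment saying which accesses it is meant to cover, and the abstraction is pulled in whole. A one-line comment above it naming the intended access (the mail mentions Xauthority) would help, and re-running oosplash in complain mode would show which ALLOWED entries remain. Separately, the context line names the profile libreoffice-oopslash while the file is program.oosplash; if that spelling is unintended it is worth fixing in the same change.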
might do at least parts of it. (Xauthority for example.)
> > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> > Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
>
> Here it gets interesting. That's for digital signing with X.509. The
> certificates are supposed to come from mozilla...
>
> > Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
[...]
diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index ff2c4b08cd4b..efa801445e6b 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -114,6 +114,8 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
/usr/bin/lpr rmPUx,
/usr/bin/paperconf rmix,
/usr/bin/gpgconf rmix,
+ /usr/bin/gpg rmix,
+ /usr/bin/gpgsm rmix,
/dev/tty rw,
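Review bot: The two added lines, /usr/bin/gpg rmix and /usr/bin/gpgsm rmix, use ix, so both programs run under the libreoffice-soffice profile itself and every file they open has to be allowed by that profile. This hunk adds only the exec rules, so please check that the profile already covers what gpg needs to read, or add those rules here. The quoted log shows an exec of /usr/bin/gpg only; a note on why gpgsm is included would be useful.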
is trivial, though I still wonder about
> > Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
stuff like this and the following (libc, locale.alias, etc.)...
Regards,
Rene
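Added example, not part of the mail above and not LibreOffice or AppArmor project code: a small Python summarizer for complain-mode entries like the ones quoted in this thread. It groups ALLOWED accesses per profile and path and lists execs that had no rule and so ran in a //null- child profile (as with /usr/bin/gpg above). The sample log is constructed; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the audit entries quoted in the
# thread (host name, pids and home directory are made up for illustration).
SAMPLE_LOG = '''\
Jan 18 11:09:27 host audit[100]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/user/.mozilla/firefox/profiles.ini" pid=100 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 18 11:09:27 host audit[100]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/user/.mozilla/firefox/x.default/cert8.db" pid=100 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan 18 11:09:27 host audit[101]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=101 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
Jan 18 11:09:27 host audit[101]: AVC apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=101 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Jan 18 11:09:28 host audit[102]: AVC apparmor="DENIED" operation="open" profile="other" name="/etc/shadow" pid=102 comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the key/value fields of one AVC line, or None if it is not one."""
    if " AVC " not in line:
        return None
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def summarize(log, mode="ALLOWED"):
    """Return (profile -> {path: merged mask}, execs that had no matching
    rule and were given a transient '//null-' child profile)."""
    access = defaultdict(lambda: defaultdict(set))
    unruled_exec = set()
    for line in log.splitlines():
        f = parse_avc(line)
        if not f or f.get("apparmor") != mode or "name" not in f:
            continue
        access[f["profile"]][f["name"]] |= set(f.get("requested_mask", ""))
        # A target of the form parent//null-/path means the exec matched no
        # rule, so a transition mode (ix, Px, Cx, ...) still has to be chosen.
        if f.get("operation") == "exec" and "//null-" in f.get("target", ""):
            unruled_exec.add((f["profile"], f["name"]))
    summary = {p: {n: "".join(sorted(m)) for n, m in paths.items()}
               for p, paths in access.items()}
    return summary, sorted(unruled_exec)

if __name__ == "__main__":
    summary, execs = summarize(SAMPLE_LOG)
    for profile, paths in summary.items():
        print(profile, paths)
    print("exec without rule:", execs)
```
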