
Bug#883800: libreoffice-common: Please re-enable the AppArmor profiles



Package: libreoffice-common
Version: 1:5.4.3-4
Severity: wishlist
Tags: patch

Hi,

following up on our conversation on #882597, here is a patch series
that documents how advanced users can adjust the included AppArmor
profiles to cope with their local setup, and re-enables the AppArmor
profiles by default.

What do you think?

If you want, I could also document in README.Debian how to disable one
(or all) of these profiles, which might be useful in case a user
prefers not to bother adjusting the profiles to their setup.

You mentioned something elsewhere about the LibreOffice test suite
being possibly affected by this change. Could you please point me at
an example of this problem? I could investigate. In general, test
suites run at package build time are not affected by AppArmor because
they run the binaries from a (build-) path that is not covered by the
AppArmor policy. Now, runtime tests such as autopkgtests may be
affected; if needed I could take a look.

Finally, if this AppArmor policy proves to break too many things for
less technical users, I will support going back to
ENABLE_APPARMOR_PROFILES=n without any afterthought: one of the key
aspects of how we've been approaching AppArmor in Debian is that we want to
avoid creating a culture of "AppArmor breaks stuff so I always disable
it entirely".

Cheers,
-- 
intrigeri

From 1afd67ec9f4e68e619f4e707bd62142ba8de78cf Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Thu, 7 Dec 2017 17:34:48 +0000
Subject: [PATCH 1/2] * debian/README.Debian: document how to debug and
 customize the included AppArmor profiles

---
 README.Debian | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/README.Debian b/README.Debian
index 815ac735..1493746d 100644
--- a/README.Debian
+++ b/README.Debian
@@ -17,6 +17,7 @@ Font problems
   Why are the menu fonts smaller than in older versions?
   Changing the default user interface font typeface for non-KDE/Gnome desktops
 Disabling the splash screen
+AppArmor problems
 More information about LibreOffice in Debian
   
 
@@ -278,6 +279,23 @@ If you don't like the splash screen staying in front of other windows while
 LibreOffice is loading, you can disable it by editing
 /etc/openoffice/sofficerc.  Change Logo=1 to Logo=0.
 
+AppArmor problems
+=================
+
+LibreOffice in Debian ships with AppArmor profiles:
+
+    /etc/apparmor.d/usr.lib.libreoffice.*
+
+To debug issues with these AppArmor profiles, see:
+
+    https://wiki.debian.org/AppArmor/Debug
+
+If you are using custom settings such as a custom env:UserInstallation
+directory, you may need to adjust them to match your local setup.
+In this example, you would need to add your custom
+env:UserInstallation to @{libo_user_dirs} in the
+usr.lib.libreoffice.program.soffice.bin profile.
+
 More information about LibreOffice in Debian
 ===============================================
 Please read the official README.gz (in the same directory as this file), too.
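Review bot: In the last added paragraph, "you may need to adjust them" reads as if the custom settings should be adjusted, while the following sentence makes clear the profiles are meant; suggest "you may need to adjust the profiles to match your local setup". "In this example" also points back at something introduced only by "such as", so "For example, with a custom env:UserInstallation you would need to add that directory to @{libo_user_dirs} ..." would read more clearly. The section stops at editing usr.lib.libreoffice.program.soffice.bin and does not say that the edited profile has to be reloaded before the change takes effect (for example with apparmor_parser -r), nor how to disable a profile, which the cover mail offers to document; one sentence for each would make the section self-sufficient for the users it targets.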
-- 
2.15.1

From 070fba71b11f1fb6ebc4e229f50c18ff53deea52 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Thu, 7 Dec 2017 17:35:13 +0000
Subject: [PATCH 2/2] enable the AppArmor profiles back

We disabled them due to #882597. After looking closer at the problem that
triggered this bug report, it appeared that it only affects technical users with
highly specific needs, such as passing a custom env:UserInstallation on the
command line. Now that README.Debian documents how to adjust the AppArmor
profiles to cope with such needs, it seems safe to re-enable them so that
everyone else can benefit from the added security by default.
---
 rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules b/rules
index edf08a44..0b2282ff 100755
--- a/rules
+++ b/rules
@@ -532,7 +532,7 @@ BUILD_PPC64EL=y
 BUILD_ARM64=y
 SYSTEM_STUFF += gpgmepp
 INSTALL_APPARMOR_PROFILES=y
-ENABLE_APPARMOR_PROFILES=n
+ENABLE_APPARMOR_PROFILES=y
 
 # Default flags to pass to configure
 CONFIGURE_FLAGS= \
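Review bot: The switch to ENABLE_APPARMOR_PROFILES=y carries no comment in rules, so the reasoning (disabled for #882597, re-enabled once README.Debian documents the workaround) lives only in the commit message. A short comment above the variable naming #882597 and the "AppArmor problems" section of README.Debian would tell the next person who touches this line why it is set to y and what to check before flipping it back to n.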
-- 
2.15.1

