Bug#899380: libreoffice-common: AppArmor profile prohibits encrypting documents with GPG

[Rene Engelhard <rene@debian.org>]

tag 899380 + moreinfo
tag 899380 + unreproducible
thanks

Hi,

On Wed, May 23, 2018 at 10:22:24AM -0400, John Scott wrote:
> apparmor="DENIED" operation="open" profile="libreoffice-soffice//gpg" name="/home/john/.gnupg/trustdb.gpg" pid=2308 comm="gpg" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
> apparmor="DENIED" operation="file_lock" profile="libreoffice-soffice//gpg" name="/home/john/.gnupg/random_seed" pid=2804 comm="gpg" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

Did it really fail to sign?

I tried that once when this was new.... Worked for me (the gpg stuff there
is actually from me.).

Let's try now, though, current buster.

root@frodo:/home/rene# aa-status
apparmor module is loaded.
33 profiles are loaded.
31 profiles are in enforce mode.
[...]
   libreoffice-soffice//gpg
[...]
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
[...]
root@frodo:/home/rene# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin 
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.
root@frodo:/home/rene# aa-status
apparmor module is loaded.
33 profiles are loaded.
32 profiles are in enforce mode.
[...]
   libreoffice-soffice
   libreoffice-soffice//gpg
[...]
root@frodo:/home/rene#
root@frodo:/home/rene# /etc/init.d/apparmor reload
[ ok ] Reloading apparmor configuration (via systemctl): apparmor.service.

Can sign just fine.

(but yes, I get the DENIED, too)

> I'd hate to cram two unrelated bugs in one report, but
> since the fixes will be in the AppArmor profiles anyway,
> I hope you don't mind.

Actually I do :-)

Regards,

Rene