
Bug#905442: AppArmor: cannot save files in enforced mode



On 8/7/18 1:55 PM, Rene Engelhard wrote:
Sorry, apparently didn't read fully the first time I read this mail.

Really $HOME? I would be surprised.

I know there's lu??????????.tmps in /tmp (or $TMPDIR) but $HOME?
Did you set TMPDIR=$HOME?

No, TMPDIR is not set. LO additionally tries to save a .tmp file in the same directory where the .odt is being saved:

```
# sudo sysdig "proc.name = soffice.bin and evt.type=openat and (fd.name contains /lu) or (fd.name contains .odt and fd.name contains Darbastalis)"
443456 14:04:09.138560524 1 soffice.bin (14623) < openat fd=26(<f>/home/vincas/Darbastalis/test.odt)
443540 14:04:09.138982558 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/.~lock.test.odt#)
443645 14:04:09.139166513 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/lu14623jlf4nz.tmp)
443808 14:04:09.139301689 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/lu14623jlf4nz.tmp)
443916 14:04:09.139424232 1 soffice.bin (14623) < openat fd=24(<f>/home/vincas/Darbastalis/test.odt)
444075 14:04:09.139604944 1 soffice.bin (14623) < openat fd=27(<d>/tmp/lu14623jlf4nh.tmp)
444118 14:04:09.139648921 1 soffice.bin (14623) < openat fd=27(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)
444223 14:04:09.139744770 1 soffice.bin (14623) < openat fd=27(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)
444275 14:04:09.139790308 1 soffice.bin (14623) < openat fd=27(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)
444322 14:04:09.139835306 1 soffice.bin (14623) < openat fd=-2(ENOENT)
444345 14:04:09.139859100 1 soffice.bin (14623) < openat fd=29(<f>/home/vincas/Darbastalis/.~lock.test.odt#)
453115 14:04:09.189458991 1 soffice.bin (14623) < openat fd=-17(EEXIST)
453165 14:04:09.189556670 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/test.odt)
453340 14:04:09.191811379 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/test.odt)
453346 14:04:09.191874205 1 soffice.bin (14623) < openat fd=24(<d>/tmp/lu14623jlf4nh.tmp)
453352 14:04:09.191913074 1 soffice.bin (14623) < openat fd=24(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o1.tmp)
453378 14:04:09.192056428 1 soffice.bin (14623) < openat fd=24(<f>/home/vincas/Darbastalis/test.odt)
453383 14:04:09.192069577 1 soffice.bin (14623) < openat fd=27(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o1.tmp)
453411 14:04:09.192223706 1 soffice.bin (14623) < openat fd=3(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o1.tmp)
453469 14:04:09.193561448 1 soffice.bin (14623) < openat fd=24(<f>/home/vincas/Darbastalis/test.odt)
```

This line in particular:
```
443645 14:04:09.139166513 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/lu14623jlf4nz.tmp)
```

Maybe it's an LO bug? Maybe it should write only into TMPDIR?

That would make this invalid here. Stuff like this needs changing in various
places then (e.g. for my print server and the cups profile I needed to
allow the stuff out of /data/var instead of/additionally to /var - which is where
/var is moved out from the microSD card of this rpi3 ;-))

I have started (ugh, yet another) discussion [0] about introducing `/etc/apparmor.d/tunables/env`, where we would have @{TMPDIR} = /tmp (and @{XAUTHORITY} and others) set, and it could be modified by the local admin, maybe in `tunables/env.d/site.local` or in `local/tunables/env` (discussion not concluded yet), by appending (I believe we do not have a way to override yet):
```
@{TMPDIR} += /var/run/user/*/
```

Meanwhile, application profiles could write `owner @{TMPDIR}/foobar rw` and similar rules.

[0] https://lists.ubuntu.com/archives/apparmor/2018-July/011730.html
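An added example, not code from the bug report, from LibreOffice or from the Debian AppArmor profile: it parses sysdig openat records in the shape of the trace above and turns the opened paths into candidate AppArmor rules expressed with @{HOME} and the proposed @{TMPDIR} tunable. The sample records are constructed, and the abstraction heuristics (random `lu*.tmp` names, LO lock files, document extension) are assumptions for this illustration, so the output is a starting point for profile review, not a finished profile.

```python
"""Derive candidate AppArmor path rules from sysdig openat output."""
import re

# Constructed sample records, in the format sysdig prints for openat events.
SAMPLE = """\
443456 14:04:09.138560524 1 soffice.bin (14623) < openat fd=26(<f>/home/vincas/Darbastalis/test.odt)
443540 14:04:09.138982558 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/.~lock.test.odt#)
443645 14:04:09.139166513 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/lu14623jlf4nz.tmp)
444075 14:04:09.139604944 1 soffice.bin (14623) < openat fd=27(<d>/tmp/lu14623jlf4nh.tmp)
444118 14:04:09.139648921 1 soffice.bin (14623) < openat fd=27(<f>/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)
444322 14:04:09.139835306 1 soffice.bin (14623) < openat fd=-2(ENOENT)
453165 14:04:09.189556670 1 soffice.bin (14623) < openat fd=3(<f>/home/vincas/Darbastalis/test.odt)
"""

# fd=<num>(<f|d>path) on success, fd=-<errno>(NAME) on failure.
OPENAT_RE = re.compile(r"openat fd=(-?\d+)\((?:<([fd])>)?([^)]*)\)")
# Assumed shape of LibreOffice's random temp names: "lu" + random chars + ".tmp".
LU_TMP_RE = re.compile(r"lu[0-9a-z]+\.tmp")


def opened_paths(text):
    """Yield (kind, path) for successful openat records; failed opens have fd < 0."""
    for line in text.splitlines():
        m = OPENAT_RE.search(line)
        if m and int(m.group(1)) >= 0:
            yield m.group(2), m.group(3)


def generalize(path):
    """Replace user, directory and random-name specifics with tunables and globs."""
    if path.startswith("/home/"):
        base = path.rsplit("/", 1)[-1]
        if LU_TMP_RE.fullmatch(base):
            base = "lu*.tmp"                      # temp file next to the document
        elif base.startswith(".~lock.") and base.endswith("#"):
            base = ".~lock.*#"                    # LO lock file next to the document
        else:
            stem, dot, ext = base.rpartition(".")
            base = "*." + ext if dot else base    # keep only the document extension
        return "@{HOME}/**/" + base
    if path.startswith("/tmp/"):                  # assumes the proposed @{TMPDIR} tunable
        return "@{TMPDIR}/" + LU_TMP_RE.sub("lu*.tmp", path[len("/tmp/"):])
    return path


def required_rules(text):
    """Return sorted, de-duplicated candidate rules covering every successful open."""
    rules = set()
    for kind, path in opened_paths(text):
        target = generalize(path) + ("/" if kind == "d" else "")
        rules.add(f"owner {target} rw,")
    return sorted(rules)


if __name__ == "__main__":
    print("\n".join(required_rules(SAMPLE)))
```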

