
Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries



Hi again,

On Thu, Jan 18, 2018 at 02:05:02PM +0100, Rene Engelhard wrote:
> X stuff....

diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/program.oosplash
index fef54b7ee384..d68fa776de8f 100644
--- a/sysui/desktop/apparmor/program.oosplash
+++ b/sysui/desktop/apparmor/program.oosplash
@@ -14,6 +14,7 @@
 
 profile libreoffice-oopslash INSTDIR-program/oosplash {
   #include <abstractions/base>
+  #include <abstractions/X>
 
   /etc/libreoffice/                     r,
   /etc/libreoffice/**                   r,
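Review bot: the added `#include <abstractions/X>` right after `abstractions/base` gives the splash binary the whole X abstraction, while the accompanying text only expects it to cover parts of the reported entries (Xauthority). Re-running oosplash in complain mode with this include and listing which ALLOWED entries remain would show what still needs explicit rules instead of assuming it is covered. Separately, the context line `profile libreoffice-oopslash` spells the profile name differently from the file and binary name `oosplash`; if that is a typo it deserves its own fix, since this name is what appears in the audit log.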

might do at least parts of it. (Xauthority for example.)

> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> 
> Here it gets interesting. That's for digital signing with X.509. The
> certificates are supposed to come from mozilla...
> 
> >     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
[...]

diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index ff2c4b08cd4b..efa801445e6b 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -114,6 +114,8 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /usr/bin/lpr                          rmPUx,
   /usr/bin/paperconf                    rmix,
   /usr/bin/gpgconf                      rmix,
+  /usr/bin/gpg                          rmix,
+  /usr/bin/gpgsm                        rmix,
 
   /dev/tty                              rw,
 
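Review bot: the `ix` in the added `/usr/bin/gpg rmix,` and `/usr/bin/gpgsm rmix,` lines makes both helpers run under the inherited libreoffice-soffice profile, so they get every permission soffice.bin has and no rules of their own. That matches `/usr/bin/gpgconf rmix,` above but differs from `/usr/bin/lpr rmPUx,`; a short comment in the profile saying why inherit was chosen for the signing helpers would help the next reader. With an exec rule in place the `//null-/usr/bin/gpg` transition seen in complain mode should no longer occur, and gpg's file accesses will be checked against this profile, so a fresh log taken after the change is needed to see what gpg and gpgsm still require here.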
is trivial, though I still wonder about

> >     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0

stuff like this and the following (libc, locale.alias, etc.)...

Regards,

Rene

