
Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries



On Thu, Jan 18, 2018 at 11:29:19AM +0100, Félix Sipma wrote:
>     Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

15:07 < _rene_>     Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED"
                operation="open" profile="libreoffice-oopslash" 
                name="/sys/devices/virtual/block/dm-0/queue/rotational" 
                pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" 
                fsuid=1000 ouid=0
[...]
15:09 <@jmux> _rene_: desktop/unx/source/pagein.c:61:    sprintf(fullpath,"/sys/dev/block/%d:%d/queue/rotational",major,minor);
15:09 < _rene_> shrugs.
15:10 <@jmux> I stumbled about this code a while ago and quickly wiped my 
              memory of it
15:11 < mst_> jmux: it probably calls SfxBaseModel::close
15:11 < _rene_> ok, shouldn't do bad things at least when this is disallowed

>     Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

Leaves (assuming the simple adding of gpg and gpgsm suffices) just this one.

https://github.com/mk-fg/apparmor-profiles/blob/master/profiles/usr.bin.firefox
has

owner @{HOME}/.mozilla/firefox/** rwk,

in the profile...

Thinking about it, we probably also would need owner "@{HOME}/.gnupg/* rwk,"
then for gpg. This gets interesting...

Regards,

Rene
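
Added example (not part of the original mail and not code from the LibreOffice or AppArmor projects): a small parser that groups complain-mode ALLOWED entries like the ones quoted above into per-profile candidate rules for review. The function names and the /home/<user>/ to @{HOME}/ mapping are assumptions of this sketch; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Three entries copied from the log lines quoted in the mail above.
SAMPLE = '''\
Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption of this sketch: home directories live directly under /home.
HOME_PREFIX = re.compile(r'^/home/[^/]+/')


def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def candidate_rules(log):
    """Map profile name -> sorted candidate rule lines from ALLOWED events."""
    masks = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "ALLOWED" or "name" not in f:
            continue  # only complain-mode file events are of interest here
        path = HOME_PREFIX.sub("@{HOME}/", f["name"])
        # "owner" only fits when the process uid owns the file (fsuid == ouid)
        owner = f.get("fsuid") == f.get("ouid")
        # merge permissions requested for the same path across events
        masks[f["profile"]][(owner, path)].update(f.get("requested_mask", ""))
    return {
        profile: sorted(
            f'{"owner " if owner else ""}{path} {"".join(sorted(mask))},'
            for (owner, path), mask in entries.items())
        for profile, entries in masks.items()
    }


if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE).items():
        print(f"profile {profile}:")
        for rule in rules:
            print("  " + rule)
```

The output is a list of candidates to review, not rules to paste in: each line still needs a decision on whether the access should be granted at all, and whether it should be widened to a glob or kept narrow.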

