Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries
On Thu, Jan 18, 2018 at 11:29:19AM +0100, Félix Sipma wrote:
> Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
15:07 < _rene_> Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED"
operation="open" profile="libreoffice-oopslash"
name="/sys/devices/virtual/block/dm-0/queue/rotational"
pid=21088 comm="oosplash" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
[...]
15:09 <@jmux> _rene_: desktop/unx/source/pagein.c:61:
sprintf(fullpath,"/sys/dev/block/%d:%d/queue/rotational",major,minor);
15:09 < _rene_> shrugs.
15:10 <@jmux> I stumbled about this code a while ago and quickly wiped my
memory of it
15:11 < mst_> jmux: it probably calls SfxBaseModel::close
15:11 < _rene_> ok, shouldn't do bad things at least when this is disallowed
> Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Leaves (assuming the simple adding of gpg and gpgsm suffices) just this one.
https://github.com/mk-fg/apparmor-profiles/blob/master/profiles/usr.bin.firefox
has
owner @{HOME}/.mozilla/firefox/** rwk,
in the profile...
Thinking about it, we probably also would need owner "@{HOME}/.gnupg/* rwk,"
then for gpg. This gets interesting...
Regards,
Rene
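The complain-mode messages quoted in this report can be summarised per profile before deciding which rules to add. The following is an added example, not part of the original message or of the LibreOffice or AppArmor code; the function names and the sample log lines are constructed for illustration, and the `owner` and `@{HOME}` rewriting is an assumption about how one would want the candidates written.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the audit messages quoted in the report.
SAMPLE_LOG = """\
Jan 18 11:09:25 host audit[100]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=100 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 18 11:09:27 host audit[101]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/alice/.mozilla/firefox/profiles.ini" pid=101 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 18 11:09:27 host audit[101]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/alice/.mozilla/firefox/x.default/cert8.db" pid=101 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan 18 11:09:28 host audit[101]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/alice/.mozilla/firefox/x.default/cert8.db" pid=101 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
HOME = re.compile(r'^/home/[^/]+/')
PERM_ORDER = "rwaklmx"  # order in which permission letters are emitted

def parse_allowed(text):
    """Yield field dicts for complain-mode (apparmor="ALLOWED") file events."""
    for line in text.splitlines():
        f = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
        if f.get("apparmor") == "ALLOWED" and "name" in f and "denied_mask" in f:
            yield f

def candidate_rules(text):
    """Return {profile: [rule, ...]}, one rule per path with merged masks."""
    merged = defaultdict(lambda: {"perms": set(), "owner": True})
    for f in parse_allowed(text):
        entry = merged[(f["profile"], f["name"])]
        # Audit masks use c (create) and d (delete); both are covered by w.
        entry["perms"].update("w" if c in "cd" else c for c in f["denied_mask"])
        # "owner" only fits if every access was to a file the caller owns.
        entry["owner"] &= f.get("fsuid") == f.get("ouid")
    rules = defaultdict(list)
    for (profile, name), e in sorted(merged.items()):
        path = HOME.sub("@{HOME}/", name)
        perms = "".join(p for p in PERM_ORDER if p in e["perms"])
        rules[profile].append(f'{"owner " if e["owner"] else ""}{path} {perms},')
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in lines:
            print("  " + rule)
```

The output lists exactly the paths and access modes that were logged, which makes it easier to compare against a broad glob such as the `@{HOME}/.mozilla/firefox/**` rule mentioned above before adopting it.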