
Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries



On Fri, Jan 19, 2018 at 12:52:32PM +0100, Christian Boltz wrote:
> just a quick note:
> 
> > +  /usr/bin/gpg                          rmix,
> > +  /usr/bin/gpgsm                        rmix,
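
Review bot: the `ix` in `rmix` on both added lines makes gpg and gpgsm inherit the calling profile, so any key-ring access they need (the later comment mentions `owner @{HOME}/.gnupg/* rwk,`) would have to be granted to the caller as well. Consider a transition to a separate profile for these two binaries so that the key-ring rule can live there instead.
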
> 
> and in a later comment
> 
> > Thinking about it, we probably also would need owner 
> > "@{HOME}/.gnupg/* rwk," then for gpg. This gets interesting...
> 
> I'd recommend to use Cx (child profile) rules for gpg so that only gpg 
> (and not libreoffice) gets access to ~/.gnupg/

So you basically say this should be

/usr/bin/gpg                          rmCx,
/usr/bin/gpgsm                        rmCx,

?

At least that is how I read
https://github.com/coderbunker/linux/wiki/Apparmor-how-to

Something special for .gnupg then? Right now there is
https://cgit.freedesktop.org/libreoffice/core/commit/?id=c6a19889e91f2585453636667e3d5779b153ab86:

owner @{HOME}/.gnupg/* r,

Regards,

Rene
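
The Cx suggestion discussed above, written out as an added example (not from the thread and not the LibreOffice profile): a `Cx` rule needs a child profile declared inside the parent, and the `~/.gnupg` rule then lives in that child. The parent name `example-office`, its attachment path and the child name `gpg` are assumptions.

```apparmor
# Added illustration; parent name and attachment path are placeholders.
#include <tunables/global>

profile example-office /opt/example/office.bin {
  #include <abstractions/base>

  # Inherit variant from the quoted patch: gpg would run under this
  # profile, so key-ring access would have to be granted here too.
  #   /usr/bin/gpg    rmix,
  #   /usr/bin/gpgsm  rmix,

  # Child-profile variant: both binaries transition into "gpg" on exec.
  /usr/bin/gpg    rmCx -> gpg,
  /usr/bin/gpgsm  rmCx -> gpg,

  # Deliberately no @{HOME}/.gnupg rule in the parent.

  profile gpg {
    #include <abstractions/base>

    /usr/bin/gpg    mr,
    /usr/bin/gpgsm  mr,

    # Key-ring rule as proposed in the thread, scoped to the child only.
    owner @{HOME}/.gnupg/* rwk,
  }
}
```

The child will need more rules than shown for a real gpg run; complain mode and the resulting ALLOWED log entries are the usual way to find them.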