
Bug#955271: libreoffice-common: AppArmor profile blocks gpg's tofu.db, causes hang opening Options



Control: tags 955271 + patch

I ran into this today and figured out the necessary patch for the
AppArmor profile to make gpg useful under a tofu+pgp trust model. I’ve
attached it as a diff to the Debian source package. Might it be possible
to get it into the archive?

On Tue, 14 Jul 2020 20:01:19 +0200 Rene Engelhard <rene@debian.org> wrote:
> AppArmor allows only explicitly allowed stuff, and you can't simply
> allow anything as that would defeat the sense of apparmor.

I believe this patch does not break the security of the AppArmor
profile. It only widens access to include the GnuPG tofu.db file, which
doesn’t exist unless the user has explicitly opted into the tofu+pgp
trust model.

Best,
Benjamin
--- libreoffice-7.1.2.2/debian/patches/apparmor-gnupg-tofu.diff
+++ libreoffice-7.1.2.2/debian/patches/apparmor-gnupg-tofu.diff
@@ -0,0 +1,28 @@
+From: Benjamin Barenblat <bbaren@google.com>
+Subject: Support tofu+pgp trust model in GnuPG
+Bug-Debian: https://bugs.debian.org/955271
+Forwarded: no
+
+GnuPG supports a trust-on-first-use layer that sits on top of the
+standard PGP trust model. If this is enabled, 'gpg --list-keys' needs
+write and lock permissions on the TOFU database to return any useful
+data. Allow this access through AppArmor.
+
+--- libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin
++++ libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin
+@@ -2,6 +2,7 @@
+ #
+ #    Copyright (C) 2016 Canonical Ltd.
+ #    Copyright (C) 2018 Software in the Public Interest, Inc.
++#    Copyright (C) 2021 Google LLC
+ #
+ #    This Source Code Form is subject to the terms of the Mozilla Public
+ #    License, v. 2.0. If a copy of the MPL was not distributed with this
+@@ -215,6 +216,7 @@   profile gpg {
+ 
+     owner @{HOME}/.gnupg/* r,
+     owner @{HOME}/.gnupg/random_seed rk,
++    owner @{HOME}/.gnupg/tofu.db rwk,
+   }
+ 
+   # probably should become a subprofile like gpg above, but then it doesn't
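Review bot: `Forwarded: no` in the DEP-3 header does not fit a change whose only target is the upstream-shipped sysui/desktop/apparmor/program.soffice.bin; nothing in this hunk is Debian-specific, so the patch should be sent upstream and the header updated to the forwarded URL, otherwise Debian carries it indefinitely. The rule itself, `owner @{HOME}/.gnupg/tofu.db rwk,`, follows the existing `owner @{HOME}/.gnupg/random_seed rk,` line (same `owner` qualifier, same path prefix) and sits inside the `profile gpg {` block closed by the `}` just below it, so it widens only what the gpg child profile may touch, matching the "write and lock permissions" the description says `gpg --list-keys` needs. The unrelated `Copyright (C) 2021 Google LLC` line in the first nested hunk is fine to keep but would be cleaner as a separate hunk description so the functional change is the only thing a reader has to review.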
--- libreoffice-7.1.2.2/debian/patches/series
+++ libreoffice-7.1.2.2/debian/patches/series
@@ -46,3 +46,4 @@
 pdfium-use-system-libopenjpeg.diff
 apparmor-updates.diff
 filter-out-lto-flags.diff
+apparmor-gnupg-tofu.diff
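Review bot: appending `apparmor-gnupg-tofu.diff` at the end of series is correct for ordering, since it must apply after `apparmor-updates.diff`; if that earlier patch also edits program.soffice.bin, confirm that the nested hunk offsets (`@@ -215,6 +216,7 @@`) were generated against the tree with `apparmor-updates.diff` already applied, otherwise quilt will need fuzz to place the tofu.db line. As a style point, placing the new entry directly after `apparmor-updates.diff` would keep the two AppArmor patches grouped, which is what a maintainer would look for when refreshing them.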
