Hello,
Am Mittwoch, 25. Dezember 2013 schrieb Jonathan Davies:
> On 25/12/2013 16:23, Christian Boltz wrote:
> > Am Mittwoch, 25. Dezember 2013 schrieb Jonathan Davies:
> >> I have created an AppArmor profile for LibreOffice and I would like
> >> to see it placed into the 14.04 packages.
> >
> > I had a short look at it. Some notes:
> >> audit deny network bluetooth,
> >
> > It seems this isn't allowed by any abstractions. What's the reason
> > to
> > explicitely deny it?
>
> I didn't want LibreOffice to talk on bluetooth, and it seems to open
> up a service there by default.
Sounds reasonable - and leaves me with the question if "audit" makes
sense. (You already know it wants to do that, and you deny it - so why
fill the logs?)
> >> # abstractions/private-files-strict is in force from above.
> >> owner @{HOME}/** rwk,
> >
> > The usual "problem" of having an application with a "save as..."
> > dialog ;-)
> >
> > I know there's some work done on a file dialog helper going (to
> > avoid
> > the need for such rules), but I don't know the details and if it's
> > useable already.
>
> I don't see an issue here - I'm allowing full access to the home
> folder of the user, while private-files-strict is disallowing access
> to places such as ~/.{ssh,gnupg,mozilla}/*, etc. Trying opening or
> saving a file there and you'll find that access is denied.
The "issue" is that it allows full access to the home (with the private-
files-strict exceptions). It's the best we can do currently - I just
wanted to mention that there might be a better solution in the future.
> >> deny @{HOME}/.exec* rwmx,
> >
> > What's the reason for this denial? Should it be part of an
> > abstraction instead of having it in the profile?
>
> LibreOffice seems to try to write to these files but does nothing with
> them - so I decided to block it.
Ah, ok.
> >> /usr/bin/bluetooth-sendto rmUx,
> >> /usr/bin/lpr rmUx,
> >> /usr/bin/paperconf rmix,
> >> /usr/bin/xdg-open rmUx,
> >
> > I'd recommend rmPUx instead of rmUx - if someone has a profile for
> > one of them, it should be used.
>
> Someone needs to update the manpage, it says that this kind of mode
> mixing is incompatible.
PUx means: if a profile exists, use it (so Px) - but if no profile
exists, fall back to Ux.
You are right - the apparmor.d manpage doesn't explain those fallback
modes yet :-(
I just submitted https://bugs.launchpad.net/apparmor/+bug/1264178
to make sure it doesn't get lost in the holiday season ;-)
Regards,
Christian Boltz
--
Nicht das ich frei von Paranoia Schueben waere ;), aber wenn Dir das
passiert spiel sofort Lotto, bei dem Glueck bekommst Du bestimmt 4
Wochen den 6er mit Superzahl. [Maik Holtkamp in suse-linux]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
