Hello,

On Wednesday, 25 December 2013, Jonathan Davies wrote:
> On 25/12/2013 16:23, Christian Boltz wrote:
> > On Wednesday, 25 December 2013, Jonathan Davies wrote:
> >> I have created an AppArmor profile for LibreOffice and I would like
> >> to see it placed into the 14.04 packages.
> >
> > I had a short look at it. Some notes:
>
> >> audit deny network bluetooth,
> >
> > It seems this isn't allowed by any abstractions. What's the reason to
> > explicitly deny it?
>
> I didn't want LibreOffice to talk on bluetooth, and it seems to open
> up a service there by default.

Sounds reasonable - and leaves me with the question if "audit" makes
sense. (You already know it wants to do that, and you deny it - so why
fill the logs?)

> >> # abstractions/private-files-strict is in force from above.
> >> owner @{HOME}/** rwk,
> >
> > The usual "problem" of having an application with a "save as..."
> > dialog ;-)
> >
> > I know there's some work done on a file dialog helper going (to avoid
> > the need for such rules), but I don't know the details and if it's
> > usable already.
>
> I don't see an issue here - I'm allowing full access to the home
> folder of the user, while private-files-strict is disallowing access
> to places such as ~/.{ssh,gnupg,mozilla}/*, etc. Try opening or
> saving a file there and you'll find that access is denied.

The "issue" is that it allows full access to the home (with the
private-files-strict exceptions). It's the best we can do currently -
I just wanted to mention that there might be a better solution in the
future.

> >> deny @{HOME}/.exec* rwmx,
> >
> > What's the reason for this denial? Should it be part of an
> > abstraction instead of having it in the profile?
>
> LibreOffice seems to try to write to these files but does nothing with
> them - so I decided to block it.

Ah, ok.

> >> /usr/bin/bluetooth-sendto rmUx,
> >> /usr/bin/lpr rmUx,
> >> /usr/bin/paperconf rmix,
> >> /usr/bin/xdg-open rmUx,
> >
> > I'd recommend rmPUx instead of rmUx - if someone has a profile for
> > one of them, it should be used.
>
> Someone needs to update the manpage, it says that this kind of mode
> mixing is incompatible.

PUx means: if a profile exists, use it (so Px) - but if no profile
exists, fall back to Ux.

You are right - the apparmor.d manpage doesn't explain those fallback
modes yet :-( I just submitted
https://bugs.launchpad.net/apparmor/+bug/1264178
to make sure it doesn't get lost in the holiday season ;-)

Regards,

Christian Boltz
--
Not that I'm free of bouts of paranoia ;), but if that happens to you,
play the lottery right away - with that kind of luck you'll surely hit
the 6 plus bonus number four weeks in a row.
[Maik Holtkamp in suse-linux]

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
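The profile fragment below is an added illustration of the rules discussed in this thread, with Christian's suggestions applied (plain `deny` instead of `audit deny`, `PUx` instead of `Ux`); it is not Jonathan's submitted profile or anything shipped by the AppArmor project. The attachment path `soffice.bin` and the `abstractions/base` include are assumptions.

```apparmor
# Added illustration, not the profile under review. The attachment path
# and the abstractions/base include are assumptions.
#include <tunables/global>

/usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/base>
  #include <abstractions/private-files-strict>

  # Quiet denial: the bluetooth service is known and intentionally
  # blocked, so "audit" would only fill the log with expected events.
  # An explicit deny also wins over any allow an abstraction might add.
  deny network bluetooth,

  # Broad home access for the "save as..." dialog. The deny rules from
  # private-files-strict still cover ~/.ssh, ~/.gnupg, ~/.mozilla etc.,
  # because deny takes precedence over allow regardless of rule order.
  owner @{HOME}/** rwk,

  # Files the application touches but never uses; denied silently.
  deny @{HOME}/.exec* rwmx,

  # Helper programs. Execute mode letters:
  #   ix  - run inside this profile (inherit)
  #   Px  - switch to the helper's own profile; exec fails if none loaded
  #   Ux  - run unconfined
  #   PUx - use the helper's profile if one is loaded, else fall back to Ux
  # PUx keeps confinement wherever an admin has added a profile for the
  # helper, without breaking printing or file handoff where none exists.
  /usr/bin/paperconf rmix,
  /usr/bin/bluetooth-sendto rmPUx,
  /usr/bin/lpr rmPUx,
  /usr/bin/xdg-open rmPUx,
}
```

Whether a helper actually has a profile loaded can be checked with `aa-status` before choosing between `Px` and `PUx`.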