Hello, Am Montag, 6. April 2015 schrieb Bryan Quigley: > > These are looking impressive; > > Thanks!
I can only agree ;-) I just copied the profiles to /etc/apparmor.d/, switched them to complain mode - well, I tried to, but the excessive variable definition in the soffice.bin profile uncovered a bug in aa-complain ;-) [...] File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' It seems adding to a variable is broken (in both trunk and 2.9 branch) :-( Therefore I manually added the complain flag everywhere (and also fixed the tools, but that's another mail ;-) BTW: On openSUSE, LibreOffice is installed to /usr/lib64/... on 64bit systems, so you might want to change the profile names to /usr/lib*/... > >> I added profiles for LibreOffice's built-in launching programs > >> which > >> make some of the abstractions/ubuntu useless. > > > > I did wonder if some of the xdg-open kinds of rmPUx permissions > > might be replaced with the sanitized_helper that ubuntu uses > > elsewhere. > Quite possible, but I was trying to make it more cross distro. Oh, at least openSUSE ships /etc/apparmor.d/abstractions/ubuntu-* (as contained in bzr and the release tarball). I'm not too happy about the naming scheme, but they can be useful nevertheless ;-) (and I won't object if we get them renamed one day) That said - maybe we should make sanitized_helper a global (Px'able) profile instead of hiding it in abstractions/ ? That would also be an optimization, because every profile that uses it currently keeps its own copy (as child profile) in the kernel. > >Another option is shipping them in the package, but disabled by > >default via /etc/apparmor.d/disabled, like Ubuntu does with firefox > >and rsyslog now. Another interesting discussion point. I'm not a fan of shipping profiles disabled or in complain mode, because it could give users a false sense of feeling protected. > I'll approach LibreOffice upstream to see if we can get it included > there.. then all distros could inherit the right one for the version > they are using. Some notes: /usr/lib*/libreoffice/program/open-url { owner @{HOME}/.config/libreoffice{,dev}/4/user/uno_packages/cache/log.txt rw, and /usr/lib*/libreoffice/program/senddoc { owner @{HOME}/.config/libreoffice{,dev}/4/user/uno_packages/cache/log.txt rw, You are hardcoding the version number here. /usr/lib*/libreoffice/program/xpdfimport { owner /tmp/* r, #Seems to need to read file created with pattern /tmp/RRRRRR Trailing space after the comment. owner @{HOME}/.config/libreoffice{,dev}/4/user/uno_packages/cache/log.txt rw, And another hardcoded version number ;-) /usr/lib*/libreoffice/program/soffice.bin { owner @{HOME}/.config/gtk-3.0/bookmarks r, #Make bookmarks work Here's a hardcoded gtk version. /usr/lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rmPUx, owner @{HOME}/.cache/gstreamer-1.0/** rw, And another version number, this time gstreamer. Besides that, the file has an interesting[tm] mix of tabs and spaces, and also some trailing spaces in the copyright header. So far, so good. After proofreading the profiles, I actually tested them - and have several additions ;-) I avoided usage of globbing and abstractions in most cases to make clear what exactly happens. I'm sure you can (and want to) change that. + /bin/bash Cx, # feel free to use mrix and include the permissions in the main profile (probably just "/dev/tty w") + /etc/cups/ppd/*.ppd r, + /home/*/.execooo* mrw, # probably tempfiles, * are 6 random chars + /home/*/.icons/*/cursors/* r, # system-wide cursors are boring *g* (something for an abstraction? which one?) + /home/*/.recently-used rwk, + /home/cb/**.odt k, # looks like you should add lock permissions for all allowed file types + /home/cb/**.txt k, + /proc/*/status r, + /usr/lib64/libreoffice/program/__pycache__/ ra, # the "usual" problem - the kernel first checks AppArmor, then the directory permissions + /usr/lib64/libreoffice/share/extensions/lightproof-en/pythonpath/__pycache__/ ra, # same here + /usr/lib64/libreoffice/share/uno_packages/cache/stamp.sys ra, # same here + /usr/lib64/pkcs11/gnome-keyring-pkcs11.so mr, # maybe abstractions/p11-kit instead of this and the following lines + /usr/lib64/pkcs11/p11-kit-trust.so mr, + /usr/lib64/python3.4/lib-dynload/_heapq.cpython-34m.so mr, # abstractions/python ? + /usr/lib64/python3.4/lib-dynload/_socket.cpython-34m.so mr, + /usr/lib64/python3.4/lib-dynload/array.cpython-34m.so mr, + /usr/share/cantarell-fonts/conf.avail/*.conf r, # something that should be in abstractions/fonts? + /usr/share/fonts-config/conf.avail/*.conf r, + /usr/share/icu/54.1/icudt54l.dat r, + /usr/share/libexttextcat/*.lm r, + /usr/share/libexttextcat/fpdb.conf r, + /usr/share/p11-kit/modules/gnome-keyring.module r, + /usr/share/p11-kit/modules/p11-kit-trust.module r, + profile /bin/bash flags=(complain) { + #include <abstractions/base> + + /bin/bash mr, + /dev/tty rw, + /home/*/ r, + /proc/meminfo r, + + } Oh, and let me warn you that aa-logprof will merge your nice variable definition into the easily readable ;-)) @{libo_base} = /usr/lib*/libreoffice/ @{libreoffice_ext} = [pP][sS][dD] [pP][nN][gG] [sS][vV][gG] [xX][lL][sSwWtT]{,x,X} [cCtT][sS][vV] [jJ][pP][eE][gG] [pP][oO][tT]{,m,M} [xX][mMsS][lL] [uU][oO][fFtTsSpP] [rR][tT][fF] {,f,F}[oO][dDtT][tTsSpPbBgGfF] [pP][pP][tTsS]{,x,X} [tT][iI][fF][fF] [tT][iI][fF] [tT][xX][tT] [jJ][pP][gG] [sS][vV][gG][zZ] [mM][mM][lL] [dD][iIbB][fF] [sS][lL][kK] [pP][dD][fF] [sS][wW][fF] {,x,X}[hH][tT][mM]{,l,L} [dD][oO][cCtT]{,x,X} @{libreoffice_user_directories} = /mnt @{HOME} /media BTW: Interestingly, oosplash keeps running all the time (and killing it kills LibreOffice). Should oosplash also have a profile? Regards, Christian Boltz PS: Speaking about hardcoded version numbers - I wonder if the (random) sig needs an update. I expect some KDE4 vs. Plasma 5 flamewars soon ;-) -- I appreciate what you're trying to do - the Rules of OpenSuSE say that the project has to have at least one KDE3 vs KDE4 flamewar per quarter, and at least one KDE vs GNOME mudwrestling match a year. [Will Stephenson in opensuse-factory] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor