Hi,

On Tue, Nov 28, 2017 at 11:19:05AM +0100, intrigeri wrote:
> (context for pkg-apparmor folks: the last upload of libreoffice to
> sid disabled the AppArmor profile by default due to #882597)
>
> Rene Engelhard:
> > On Fri, Nov 24, 2017 at 02:33:20PM +0100, Michael Ott wrote:
> >> start libreoffice with
> >> soffice -env:UserInstallation=file:///srv/home/michael/tmp/
> >> does not work. Home folder is srv/home/michael
>
> > Sigh. Feared something like this.
>
> > So you try to access stuff outside the LO profile?
>
> My understanding is that Michael tries to access stuff inside his user
> LO profile path, *but* that profile is stored in a custom location
> which is not supported by the AppArmor profile. When such issues

Yes.

> arise, the general thought process in distros that use AppArmor is:
>
> Is it common to use such a custom location?
>
> → In this case, I don't know. I assume Rene will know better :)

It is, when people start soffice for listening on stuff. Document conversion etc.
As you say below, "advanced users". But also LibreOffice's testsuite...

> → In this case, I would argue that we're talking about a corner
> case, that only rather advanced users will hit, and I find it sad

Yup.

> that everyone else can't benefit from AppArmor security benefits
> due to that, so I'm leaning towards:
>
> 1. keep the AppArmor profile enforced by default, so the vast
> majority of users benefit from it;
> 2. ensure the AppArmor profile supports customization and
> affected users can learn how to tweak it; in this case,
> I think adding in README.Debian "add your custom
> env:UserInstallation to @{libo_user_dirs}" would be sufficient.
>
> What do you think? If you agree with my reasoning, then I could
> provide a patch to implement the proposed change in README.Debian.

Would be nice.

> > Unfortunately there seems no way to install a profile but keep it
> > "unconfined), only to just disable it..
>
> Actually there is.
>
> If the AppArmor profile is shipped in the upstream tarball, at package

Yes, partly.
https://anonscm.debian.org/cgit/pkg-openoffice/libreoffice.git/tree/rules#n3256

> build time, you can either use aa-complain or manually patch the

That's what I didn't want. Didn't want to stick manual aa-* calls into the postinst

> profile, for example:
>
> https://anonscm.debian.org/cgit/collab-maint/apparmor-profiles-extra.git/tree/debian/rules#n20
>
> Otherwise, if the AppArmor profile lives in the debian/ directory,
> you can directly edit it so it looks like this:
>
> /usr/bin/irssi flags=(complain) {

Aaah. Asked various times on IRC, no answer :-). Thanks.

Regards,

Rene
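
The following is an added example, not part of the thread and not taken from either package's debian/rules: one way to "manually patch the profile" at build time so that its header carries `flags=(complain)`, as in the irssi line quoted above. The function name `set_complain`, the sample path `/usr/bin/example` and the sample rules are assumptions made up for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): put a profile into complain mode by
# editing its header at build time, rather than calling aa-complain from a
# maintainer script. Reads a profile on stdin, writes the result to stdout.
#
#   /path {                  -> /path flags=(complain) {
#   /path flags=(x) {        -> /path flags=(x,complain) {
#   /path flags=(complain) { -> unchanged
#
# Only header lines that start in column 0 with "/" or "profile " are touched,
# so rules and indented child profiles are left alone.
set_complain() {
    sed -E '
/^(\/|profile[[:space:]])[^#]*\{[[:space:]]*$/ {
    /flags=\([^)]*complain/ b
    s/flags=\(([^)]+)\)/flags=(\1,complain)/
    t
    s/[[:space:]]*\{[[:space:]]*$/ flags=(complain) {/
}'
}

# Constructed sample profile; the path and rules are placeholders.
sample_profile() {
    cat <<'EOF'
# vim:syntax=apparmor
#include <tunables/global>

/usr/bin/example flags=(attach_disconnected) {
  #include <abstractions/base>
  /etc/example.conf r,
  profile child {
    /tmp/** rw,
  }
}
EOF
}

sample_profile | set_complain
```

Because the edit is idempotent, it can run on every build without stacking flags; reverting to enforce mode is a matter of dropping the call.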