On 2/16/18 8:08 PM, Rene Engelhard wrote:
On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote:
Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
8 callbacks suppressed
Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
audit(1518741691.452:20): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400
audit(1518741691.868:21): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/sys/devices/system/node/node0/meminfo" pid=11676
comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400
audit(1518741692.636:22): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400
audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400
audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400
audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676
comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000
ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400
audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400
audit(1518741693.728:27): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400
audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400
audit(1518741693.852:29): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb:
321 callbacks suppressed
Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400
audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400
audit(1518741696.692:352): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400
audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400
audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400
audit(1518741696.692:355): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400
audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400
audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400
audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400
audit(1518741696.692:359): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400
audit(1518741696.744:360): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
So OpenCL until here, unless I overlooked something else above...
I guess we need yet another abstraction to prepare :). I could search
for more OpenCL-using applications (or simply OpenCL example applications) to
(cross-)check what more paths it might need.
And there is some Nouveau stuff that probably should land in
<abstractions/nvidia>. I have an NVIDIA card, though I am running with the
proprietary driver currently; I could switch to Nouveau, or work
in a live CD or similar for testing.
Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb:
80 callbacks suppressed
Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400
audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit"
profile="libreoffice-xpdfimport"
name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960
comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000
ouid=1000
w?
The document opened, though, or did that fail?
Looks like "xpdfimport" inherited a file handle from its parent (soffice.bin?).
I do not see rules allowing reading PDF files from anywhere in
`usr.lib.libreoffice.program.xpdfimport`. If `xpdfimport` only actually
reads PDFs from these `/tmp/*` paths (maybe soffice.bin copies it
there? I do not know how it works), it might mean that it would work
without allowing it. It could simply be an artifact: an inherited file handle
that xpdfimport would not be allowed to read/write, but it doesn't
mean it actually uses it, if I understood the explanation myself. I've seen
this in other profiles; denying these noises could be a solution.
Though I am not sure how we could implement "deny (silence) reading
*.pdf from everywhere _except_ from /tmp/* (allow from there)". I've
seen someone mentioning "except" rules, though I am not sure if these are
official and supported.
Anyway, testing with an enforced profile is needed here (I could do that).
Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
fsuid=1000 ouid=1000
Hrmpf. More Mozilla stuff.
It would be nice if LibreOffice had a utility application for
dealing with this signing stuff, instead of accessing these files directly...
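The log above is hard to review record by record, so here is a small script, added for this thread and not part of the LibreOffice profiles or of the AppArmor tools, that parses such kernel audit records and merges them per profile and path into candidate rule lines. It assumes the usual AppArmor rule conventions rather than anything stated in the thread: the `owner` prefix when fsuid and ouid agree on every record, the `@{HOME}` tunable for the home directory, and the `c`/`d` mask letters folding into `w`. It also goes a little beyond the thread by adding up the "callbacks suppressed" counters, since those mean the kernel dropped records and any rule list derived from the log is incomplete. The sample input is a few of the records quoted above, re-joined onto single lines. `apparmor="ALLOWED"` is what complain mode logs for an access the profile does not grant, so those entries are the ones that would turn into denials (and the `file_inherit` record keeps its operation name, so it can be judged separately, as discussed above). For real profile work `aa-logprof` does this job interactively; this script only shows the mechanics.

```python
"""Turn AppArmor audit records (as copied out of dmesg/syslog) into candidate
profile rules, so that a complain-mode log like the one in this thread can
be reviewed path by path instead of line by line.

Added example for this thread; not part of the LibreOffice profiles or of
the AppArmor tools.  SAMPLE_LOG holds a few of the records quoted above,
re-joined onto single lines (the mail client wrapped them).
"""
import re

SAMPLE_LOG = """\
Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb: 8 callbacks suppressed
Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400 audit(1518741691.452:20): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd" pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400 audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so" pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400 audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400 audit(1518741693.728:27): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400 audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit" profile="libreoffice-xpdfimport" name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960 comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400 audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock" profile="libreoffice-soffice" name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db" pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword; the audit(...) timestamp has no '=' and is skipped
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SUPPRESSED_RE = re.compile(r"kauditd_printk_skb: (\d+) callbacks suppressed")

# In profile syntax 'w' already covers create, delete and truncate, so the
# 'c' and 'd' letters seen in denied_mask collapse to 'w'.  PERM_ORDER fixes
# the output order so that merged rules are stable.
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwmkl"


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def suppressed_count(lines):
    """Records the kernel dropped on the printk path: the summary misses at least this many."""
    total = 0
    for line in lines:
        m = SUPPRESSED_RE.search(line)
        if m:
            total += int(m.group(1))
    return total


def summarize(lines):
    """Merge records per (profile, path): permissions, decisions, operations, ownership."""
    summary = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or "name" not in ev:
            continue
        entry = summary.setdefault((ev["profile"], ev["name"]),
                                   {"perms": set(), "decisions": set(), "ops": set(), "owner": True})
        entry["perms"].update(MASK_TO_PERM.get(ch, ch) for ch in ev.get("denied_mask", ""))
        # complain mode logs "ALLOWED" for an access the profile does not grant;
        # enforce mode logs "DENIED" for the same access
        entry["decisions"].add(ev["apparmor"])
        entry["ops"].add(ev["operation"])
        # an 'owner' rule is only justified if every record had fsuid == ouid
        entry["owner"] &= ev.get("fsuid") == ev.get("ouid")
    return summary


def generalize_path(path):
    """Replace the user's home directory with the @{HOME} tunable."""
    return re.sub(r"^/home/[^/]+", "@{HOME}", path)


def suggest_rules(lines):
    """Candidate rule lines grouped by profile, each annotated with what was seen."""
    rules = {}
    for (profile, path), entry in sorted(summarize(lines).items()):
        perms = "".join(p for p in PERM_ORDER if p in entry["perms"])
        prefix = "owner " if entry["owner"] else ""
        note = ",".join(sorted(entry["decisions"])) + ": " + ",".join(sorted(entry["ops"]))
        rules.setdefault(profile, []).append(f"{prefix}{generalize_path(path)} {perms}, # {note}")
    return rules


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    print(f"# {suppressed_count(log_lines)} records were suppressed; the list below is incomplete")
    for profile_name, profile_rules in suggest_rules(log_lines).items():
        print(f"\n# profile {profile_name}")
        for rule in profile_rules:
            print("  " + rule)
```

Run it against a full `journalctl -k` or `dmesg` capture instead of SAMPLE_LOG and each line it prints is a starting point for a rule, with the trailing comment telling you whether the profile was in complain or enforce mode when the access happened and which operations hit the path; the suppressed counter is the reminder that a rule list built from a rate-limited dmesg can never be treated as complete.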