On Sat, 14 Mar 2026 at 22:30:10 +0100, Rene Engelhard wrote:
28 profiles are in complain mode.
libreoffice-oosplash
libreoffice-soffice
libreoffice-soffice//null-/usr/bin/bwrap
libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
I believe the profiles with "//null-" in their names are automatically
synthesized by complain mode: libreoffice doesn't have a rule allowing
it to run /usr/bin/bwrap or /usr/libexec/glycin-loaders/**, but the
absence of such a rule would prevent it from working, defeating the
purpose of complain mode, therefore AppArmor synthesizes a blank profile
in complain mode for them and behaves as though libreoffice's profile
allowed a transition to that new profile.
IMHO aa-disable is a bad idea for a warning.
There is a reason some profiles are kept in enforcing.
Sure, but libreoffice's profile isn't enforcing, so its only purpose is
to generate warnings, and it will never actually prevent anything. (This
is not necessarily a bad thing - I did the same for some games - but it
does limit its value.)
smcv
