Hi again,

On Thu, Jan 18, 2018 at 02:05:02PM +0100, Rene Engelhard wrote:
> X stuff....

diff --git a/sysui/desktop/apparmor/program.oosplash 
b/sysui/desktop/apparmor/program.oosplash
index fef54b7ee384..d68fa776de8f 100644
--- a/sysui/desktop/apparmor/program.oosplash
+++ b/sysui/desktop/apparmor/program.oosplash
@@ -14,6 +14,7 @@
 
 profile libreoffice-oopslash INSTDIR-program/oosplash {
   #include <abstractions/base>
+  #include <abstractions/X>
 
   /etc/libreoffice/                     r,
   /etc/libreoffice/**                   r,
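Review bot: the added `#include <abstractions/X>` line pulls the whole X abstraction into the splash profile without a comment saying which logged accesses it answers, and the message itself only expects it to cover "at least parts" of them (Xauthority, for example). Suggest a one-line comment above the include naming the X accesses it is meant to cover, and a second complain-mode run to list what is still logged for this profile afterwards. Separately, the profile name in the context line reads `libreoffice-oopslash` while the file and binary are `oosplash`; worth confirming that spelling is intended.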

might do at least parts of it. (Xauthority for example.)

> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" 
> > operation="open" profile="libreoffice-soffice" 
> > name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 
> > comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" 
> > operation="open" profile="libreoffice-soffice" 
> > name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db"
> >  pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 
> > ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" 
> > operation="open" profile="libreoffice-soffice" 
> > name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" 
> > pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" 
> > fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" 
> > operation="open" profile="libreoffice-soffice" 
> > name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" 
> > pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" 
> > fsuid=1000 ouid=1000
> 
> Here it gets interesting. That's for digital signing with X.509. The
> certificates are supposed to come from mozilla...
> 
> >     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" 
> > operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" 
> > pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 
> > ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
[...]

diff --git a/sysui/desktop/apparmor/program.soffice.bin 
b/sysui/desktop/apparmor/program.soffice.bin
index ff2c4b08cd4b..efa801445e6b 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -114,6 +114,8 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /usr/bin/lpr                          rmPUx,
   /usr/bin/paperconf                    rmix,
   /usr/bin/gpgconf                      rmix,
+  /usr/bin/gpg                          rmix,
+  /usr/bin/gpgsm                        rmix,
 
   /dev/tty                              rw,
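Review bot: the two added rules use `rmix`, so `gpg` and `gpgsm` run under the inherited `libreoffice-soffice` profile, and this hunk adds only the exec rules, not any file rules for what the helpers open once they are running. Either add the file rules they need to this profile or consider a separate profile for them, as `/usr/bin/lpr` just above uses a profile transition (`rmPUx`) rather than `ix`. Also, the quoted audit record shows an exec of `/usr/bin/gpg` only; a short comment saying why `/usr/bin/gpgsm` is added as well would help.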
 
is trivial, though I still wonder about

> >     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" 
> > operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/gpg" 
> > name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" 
> > requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0

stuff like this and the following (libc, locale.alias, etc.)...

Regards,

Rene
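
Added example, not part of Rene's message or of the LibreOffice profiles: a small Python summary of AVC records like the ones quoted above, showing that the records logged under `libreoffice-soffice//null-/usr/bin/gpg` follow from the exec of `/usr/bin/gpg` that had no matching rule. The sample records are constructed from the quoted lines (rejoined onto one line each, with placeholder host, user and Firefox profile names), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the audit lines quoted in the thread
# (host, user and Firefox profile directory names are placeholders).
SAMPLE = '''\
Jan 18 11:09:27 host audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/user/.mozilla/firefox/example.default/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Jan 18 11:09:27 host audit[21125]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
Jan 18 11:09:27 host audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one AVC record, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def summarize(text):
    """Group records by confining profile and merge the masks seen per path."""
    by_profile = defaultdict(lambda: defaultdict(set))
    unhandled_exec = {}  # "//null-" child profile -> (parent profile, binary)
    for line in text.splitlines():
        rec = parse(line)
        if not rec or "name" not in rec:
            continue
        by_profile[rec["profile"]][rec["name"]] |= set(rec.get("denied_mask", ""))
        # An exec with no matching rule is logged with a "//null-" target profile.
        if rec.get("operation") == "exec" and "//null-" in rec.get("target", ""):
            unhandled_exec[rec["target"]] = (rec["profile"], rec["name"])
    return by_profile, unhandled_exec

def report(text):
    """One line per profile (with its origin, if a null- child), then its paths."""
    by_profile, unhandled_exec = summarize(text)
    out = []
    for profile, paths in by_profile.items():
        origin = unhandled_exec.get(profile)
        note = f"  (from exec of {origin[1]} in {origin[0]})" if origin else ""
        out.append(profile + note)
        for path, mask in sorted(paths.items()):
            out.append(f"  {path}  {''.join(sorted(mask))}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

With an `ix` rule for `/usr/bin/gpg`, as in the second hunk, the child keeps the `libreoffice-soffice` profile, so accesses such as the `ld-2.26.so` mmap are then checked against that profile's own rules.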
