On Fri, Jan 19, 2018 at 12:52:32PM +0100, Christian Boltz wrote:
> just a quick note:
>
> > + /usr/bin/gpg rmix,
> > + /usr/bin/gpgsm rmix,
>
> and in a later comment
>
> > Thinking about it, we probably also would need owner
> > "@{HOME}/.gnupg/* rwk," then for gpg. This gets interesting...
>
> I'd recommend to use Cx (child profile) rules for gpg so that only gpg
> (and not libreoffice) get access to ~/.gnupg/
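
Review bot: `/usr/bin/gpg rmix,` and `/usr/bin/gpgsm rmix,` use `ix`, so gpg runs under the calling profile and every rule gpg needs, including the `owner @{HOME}/.gnupg/* rwk,` rule floated in the later comment, also has to be granted to LibreOffice itself. Consider `Cx` with a child profile for these two lines so that keyring access stays confined to gpg.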

So you basically say this should be

/usr/bin/gpg rmCx,
/usr/bin/gpgsm rmCx,

?

At least that is how I read
https://github.com/coderbunker/linux/wiki/Apparmor-how-to

Something special for .gnupg then? Right now there is
https://cgit.freedesktop.org/libreoffice/core/commit/?id=c6a19889e91f2585453636667e3d5779b153ab86:

owner @{HOME}/.gnupg/* r,

Regards,

Rene
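
An added example, not code from this thread or from the LibreOffice profile: the `ix` rules from the patch next to the `Cx` child-profile form under discussion. The profile name, the attachment path and the child profile name `gpg` are assumptions; the keyring rule is the `rwk` one quoted above.

```apparmor
# Constructed example. Profile name and attachment path are placeholders.
profile soffice-example /path/to/soffice.bin {
  #include <abstractions/base>

  # Variant from the patch: ix runs gpg under this same profile, so the
  # keyring rule has to live here and applies to soffice.bin as well.
  #   /usr/bin/gpg   rmix,
  #   /usr/bin/gpgsm rmix,
  #   owner @{HOME}/.gnupg/* rwk,

  # Child-profile variant: on exec, Cx switches to the named child profile.
  # The parent profile carries no ~/.gnupg rule at all.
  /usr/bin/gpg   rmCx -> gpg,
  /usr/bin/gpgsm rmCx -> gpg,

  profile gpg {
    #include <abstractions/base>

    # The child needs to read and map the binaries it is entered through.
    /usr/bin/gpg   rm,
    /usr/bin/gpgsm rm,

    # Keyring access is granted only inside the child profile.
    # "*" matches entries directly in ~/.gnupg, not in subdirectories.
    owner @{HOME}/.gnupg/ r,
    owner @{HOME}/.gnupg/* rwk,
  }
}
```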