Hello,

On Friday, 19 January 2018, 13:16:57 CET, Rene Engelhard wrote:
> On Fri, Jan 19, 2018 at 12:52:32PM +0100, Christian Boltz wrote:
> > I'd recommend to use Cx (child profile) rules for gpg so that only
> > gpg (and not libreoffice) get access to ~/.gnupg/
>
> So you basically say this should be
>
> /usr/bin/gpg rmCx,
> /usr/bin/gpgsm rmCx,
I prefer mrCx because rm tends to confuse people not familiar with
AppArmor (no, 'rm' does not mean delete permissions ;-) but in general
you are right.
Note that this will result in two child profiles - one for each binary:
    profile /usr/bin/gpg {
        # whatever is needed
    }

    profile /usr/bin/gpgsm {
        # whatever is needed
    }
If you want to have a common child profile for gpg and gpgsm, use
    /usr/bin/gpg   mrCx -> gpg,
    /usr/bin/gpgsm mrCx -> gpg,

    profile gpg {
        # whatever is needed
    }
> At least that is how I read
> https://github.com/coderbunker/linux/wiki/Apparmor-how-to
I didn't read all text on that page, but on a quick look it looks good.
<shameless plug>
Actually it *must* be good because it links to my presentation ;-))
(If you prefer to only read the slides, you can download them from
https://blog.cboltz.de/archives/70-openSUSE-Conference-2016.html )
</shameless plug>
> Something special for .gnupg then? Right now there is
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=c6a19889e91f2585453636667e3d5779b153ab86:
nice[tm]
+ # there is abstractions/gnupg but that's just for gpg1...
In such cases, it's a good idea to open a bug report upstream [1] or to
send a merge request on gitlab to get the abstraction updated ;-)
You might still want/need to add it in your profile as a temporary
solution until everybody has a new-enough abstraction.
> owner @{HOME}/.gnupg/* r,
Indeed, giving gpg read access to all files in ~/.gnupg/ makes sense.
I'd be very surprised if this directory contains a file gpg should not
be allowed to read ;-)
Regards,
Christian Boltz
[1] actually a bug report against the Debian AppArmor package also works.
Even if I don't use Debian, I read all AppArmor-related Debian
bug reports.
--
Well, in prehistoric times a lot of things were simpler.
Back then you didn't have to care about the correct time on your
computer's clock, because there were no mailing lists yet. ;-)
[Carsten Neumann in opensuse-de]
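As an added example, not part of this mail and not taken from the LibreOffice profile it discusses: a profile excerpt that puts the advice above together, i.e. both gpg binaries transitioning with mrCx into one shared child profile "gpg" that is the only part of the profile allowed to touch ~/.gnupg/. The parent profile path (/usr/lib/libreoffice/program/soffice.bin), the rule set inside the child and the gpg-agent socket locations are assumptions made for the example; the real child rule set is something to derive from audit log entries with aa-logprof.

```apparmor
# Added example; profile path and child rules are assumptions, not the
# LibreOffice project's profile.
#include <tunables/global>

/usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/base>

  # ... the rest of the soffice.bin rules go here ...

  # Both binaries transition into the same child profile named "gpg".
  # "mrCx" and "rmCx" mean the same thing (mmap + read + child transition);
  # mr is just easier to read than rm.
  /usr/bin/gpg   mrCx -> gpg,
  /usr/bin/gpgsm mrCx -> gpg,

  # Deliberately no rule for @{HOME}/.gnupg/ in the parent: only the
  # child profile below gets access to the keyrings.

  profile gpg {
    #include <abstractions/base>

    # the binaries themselves
    /usr/bin/gpg   mr,
    /usr/bin/gpgsm mr,

    # keyrings, trustdb, config; gpg also writes lock files, hence rwk
    # (assumed rule set, to be refined with aa-logprof)
    owner @{HOME}/.gnupg/   rw,
    owner @{HOME}/.gnupg/** rwk,

    # gpg >= 2.1 talks to gpg-agent over a unix socket (assumed location)
    owner /run/user/*/gnupg/S.* rw,
  }
}
```

Once abstractions/gnupg has been updated upstream for gpg2, the hand-written ~/.gnupg/ rules in the child can be replaced by `#include <abstractions/gnupg>`; until then they are the temporary solution the mail mentions. A syntax check without loading into the kernel is possible with `apparmor_parser -Q` on the profile file.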