Date: prev next · Thread: first prev next last
2019 Archives by date, by thread · List index


I don't know all that much about configuring AppArmor, but for what it's worth for me on Linux Mint Sylvia 18.3 (still supported, although older than your Tara 19.0) using the LibreOffice PPA for its newer versions of LibreOffice (currently 6.2.8)...

Gys wrote:
Hi,
in my Linux Mint Tara aa-status lists 3 profiles related to LibreOffice :

libreoffice-xpdfimport (enforce)
libreoffice-senddoc (enforce)
libreoffice-oopslash (complain)

I have:
   libreoffice-senddoc (enforce)
   libreoffice-soffice//gpg (enforce)
   libreoffice-xpdfimport (enforce)
   libreoffice-oopslash (complain)
   libreoffice-soffice (complain)

In the kernel log libreoffice-oopslash is complaining about a lot of things.

Looking at my logs from the last week, I see a few "audit" messages relating to libreoffice-soffice and libreoffice-oopslash. Looks like a cluster of about 10 entries for libreoffice-soffice each time I start LibreOffice, with a few others for soffice and oopslash in between - but I don't tend to be using it continuously for hours on end.

Both the program and the profile in Nemo is oosplash

usr/lib/libreoffice/program/oosplash
/etc/apparmor.d/usr.lib.libreoffice.program.oosplash

Search oopslash in / in Nemo gives no results

Questions
1) Is the "p" and "s" reversal a typo ?

As mentioned at the start, I'm no expert on AppArmor, but it does look suspiciously like a typo. I guess it might only affect the displayed name of the profile though, since the executable it applies to appears to be correctly spelled "oosplash":
profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {...}


2) Why is there no profile for /usr/lib/libreoffice/program/soffice.bin ?

For me the </etc/apparmor.d/usr.lib.libreoffice.program.*> files, including one for soffice.bin, are provided by the libreoffice-common package, which I've installed from the PPA. From a quick look at the .deb packages from libreoffice.org it doesn't look like any of them contain AppArmor profiles, so I'd guess they're added by the Ubuntu/PPA package maintainer. Perhaps the PPA maintainer adds a profile for soffice.bin while the Ubuntu one doesn't.

3) Is there anyone here with a working AppArmor profile for LibreOffice and would you be so kind to share ?

I've attached the libreoffice-soffice profile installed on my system (with a .txt extension added - hopefully enough to get it through the mailing list). No guarantee it will work with your version though. It does say in comments near the top:
# This profile should enable the average LibreOffice user to get their # work done while blocking some advanced usage
# ...
so I guess some complaints in "complain" mode may be expected.

4) I looked on-line but could not find an updated AppArmor profile for LibreOffice or even the profile shipped with Version: 6.0.7.3
Build ID: 1:6.0.7-0ubuntu0.18.04.10 (?)

I've no idea who actually maintains them. From a quick look, it doesn't look like any of the .deb files downloaded from libreoffice.org contains AppArmor profiles, so I'm guessing they're added by the Ubuntu/PPA package maintainer.

--
Mark.
# ------------------------------------------------------------------
#
#    Copyright (C) 2016 Canonical Ltd.
#    Copyright (C) 2018 Software in the Public Interest, Inc.
#
#    This Source Code Form is subject to the terms of the Mozilla Public
#    License, v. 2.0. If a copy of the MPL was not distributed with this
#    file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
#    Authors: Jonathan Davies <jonathan.davies@canonical.com>
#             Bryan Quigley <bryan.quigley@canonical.com>
#             Rene Engelhard <rene@debian.org>
#
# ------------------------------------------------------------------

# This profile should enable the average LibreOffice user to get their 
# work done while blocking some advanced usage
# Namely not tested and likely not working : embedded plugins,
# Using the LibreOffice SDK and other development tasks
# Everything else should be working

#Defines all common supported file formats
#Some obscure ones we're excluded (mostly input)

#Generic
#.txt
@{libreoffice_ext} = [tT][xX][tT]
#All the open document format
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
#.xml and xsl
@{libreoffice_ext} += [xX][mMsS][lL]
#.pdf
@{libreoffice_ext} += [pP][dD][fF]
#Unified office format
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
#(x)htm(l)
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
#.epub
@{libreoffice_ext} += [eE][pP][uU][bB]
#.ps (printing to file)
@{libreoffice_ext} += [pP][sS]

#Images
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ]99251
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]

#Writer
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]

#Calc
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
@{libreoffice_ext} += [xX][lL][wW]
#.dif dbf
@{libreoffice_ext} += [dD][iIbB][fF]
#.tsv .csv
@{libreoffice_ext} += [cCtT][sS][vV]
@{libreoffice_ext} += [sS][lL][kK]

#Impress/Draw
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
#Flash
@{libreoffice_ext} += [sS][wW][fF]
#Photoshop
@{libreoffice_ext} += [pP][sS][dD]

#Math
@{libreoffice_ext} += [mM][mM][lL]

@{libo_user_dirs} = @{HOME} /mnt /media

#include <tunables/global>

profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
  #include <abstractions/private-files>

  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/gnome>
# GnuPG1 only...
# #include <abstractions/gnupg>
  #include <abstractions/python>
  #include <abstractions/p11-kit>

  #List directories for file browser
  /                                     r,
  /**/                                  r,

  owner @{libo_user_dirs}/**/           rw,  #allow creating directories that we own
  owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
  owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts
  owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
  owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE

  # Settings
  /etc/libreoffice/                     r,
  /etc/libreoffice/**                   r,

  /etc/cups/ppd/*.ppd                   r,
  /etc/xml/catalog                      r, #exporting to .xhtml, for libxml2
  /proc/*/status                        r,

  owner @{HOME}/.config/libreoffice{,dev}/** rwk,
  owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/soffice.binrc.lock rwk,
  owner @{HOME}/.cache/fontconfig/**    rw,
  owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
  owner @{HOME}/.recently-used          rwk,
  owner /tmp/psp[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]* rw, #/tmp/psp1534203998 
(printing to file)

  owner /{,var/}run/user/*/dconf/user   rw,
  owner @{HOME}/.config/dconf/user      r,

  # allow schema to be read
  /usr/share/glib-*/schemas/            r,
  /usr/share/glib-*/schemas/**          r,

  # bluetooth send to
  network bluetooth,

  /{usr/,}bin/sh                        rmix,
  /{usr/,}bin/bash                      rmix,
  /{usr/,}bin/dash                      rmix,
  /{usr/,}bin/rm                        rmix, #deleting /tmp/psp1534203998 (printing to file)
  /usr/bin/bluetooth-sendto             rmPUx,
  /usr/bin/lpr                          rmPUx,
  /usr/bin/paperconf                    rmix,
  /usr/bin/gpgconf                      rmix,
  /usr/bin/gpg                          rmCx -> gpg,
  /usr/bin/gpgsm                        rmCx -> gpg,
  /usr/bin/gpa                          rix,
  /usr/bin/seahorse                     rix,
  /usr/bin/kgpg                         rix,
  /usr/bin/kleopatra                    rix,

  /dev/tty                              rw,

  /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner   rmPUx,
  owner @{HOME}/.cache/gstreamer-???/**                                 rw,
  unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),  #Gstreamer doesn't work without this

  /usr/lib{,32,64}/jvm/                         r,
  /usr/lib{,32,64}/jvm/**                       r,
  /usr/lib{,32,64}/jvm/**/jre/bin/java          mix,
  /usr/lib{,32,64}/jvm/**/bin/java              mix,
  # should be included in the jvm/** above but there it is
  # a symlink, so apparmor still doesn't allow it...
  /etc/java-??-openjdk/security/java.security   r,
  /usr/lib/libreoffice/**                        rw,
  /usr/lib/libreoffice/**.so                     m,
  /usr/lib/libreoffice/program/soffice.bin       mix,
  /usr/lib/libreoffice/program/xpdfimport        px,
  /usr/lib/libreoffice/program/senddoc           px,
  /usr/bin/xdg-open                 rPUx,

  /usr/share/java/**.jar                r,
  /usr/share/hunspell/                  r,
  /usr/share/hunspell/**                r,
  /usr/share/hyphen/                    r,
  /usr/share/hyphen/**                  r,
  /usr/share/mythes/                    r,
  /usr/share/mythes/**                  r,
  /usr/share/liblangtag/                r,
  /usr/share/liblangtag/**              r,
  /usr/share/libreoffice/               r,
  /usr/share/libreoffice/**             r,
  /usr/share/yelp-xsl/xslt/mallard/**   r,
  /usr/share/libexttextcat/*            r,
  /usr/share/icu/**                     r,
  /usr/share/locale-bundle/*            r,

  /var/spool/libreoffice/               r,
  /var/spool/libreoffice/**             rw,
  /var/cache/fontconfig/                rw,

  #Likely moving to abstractions in the future
  owner @{HOME}/.icons/*/cursors/*      r,
  /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # for libdrm
  /usr/share/*-fonts/conf.avail/*.conf  r,
  /usr/share/fonts-config/conf.avail/*.conf r,
  /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
  /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
  @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()

  #To avoid "Unable to create io-slave." for file dialog
  owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
  #For KIO IO::Slave::createSlave()
  owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,

  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/secmod.db r,
  # firefox < 58
  owner @{HOME}/.mozilla/firefox/*/cert8.db r,
  # firefox >= 58
  owner @{HOME}/.mozilla/firefox/*/cert9.db r,

  owner @{HOME}/.local/share/user-places.xbel r,

  # there is abstractions/gnupg but that's just for gpg1...
  profile gpg {
    #include <abstractions/base>

   /usr/bin/gpgconf rm,
   /usr/bin/gpg rm,
   /usr/bin/gpgsm rm,

    owner @{HOME}/.gnupg/* r,
    owner @{HOME}/.gnupg/random_seed rk,
  }

  # probably should become a subprofile like gpg above, but then it doesn't
  # work either as it tries to access stuff only allowed above...
  owner @{HOME}/.config/kdeglobals r,
  /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
  /usr/share/qt5/translations/* r,
  /usr/lib/*/qt5/plugins/** rm,
  /usr/share/plasma/look-and-feel/**/contents/defaults r,

  # TODO: remove when rules are available in abstractions/kde
  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
  owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for 
KDEPrivate::initializeLanguages() from libKF5XmlGui.so
  owner @{HOME}/.config/trashrc r, # user by KFileWidget
  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent

  # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader

  # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
  /usr/share/kservices5/*.protocol r,

  # TODO: use qt5-settings-write abstraction when it is available
  owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
  owner @{HOME}/.config/QtProject.conf rw,
  owner @{HOME}/.config/QtProject.conf.?????? l -> 
@{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
  owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
  owner @{HOME}/.config/QtProject.conf.lock rwk,

  # TODO: use qt5-compose-cache-write abstraction when it is available
  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,

  # TODO: use recent-documents-write abstraction when it is available
  owner @{HOME}/.local/share/RecentDocuments/** r,
  owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> 
@{HOME}/.local/share/RecentDocuments/#[0-9]*,
  owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
  owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,

  # TODO: use kde-globals-write abstraction when it is available
  owner @{HOME}/.config/kdeglobals rw,
  owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/kdeglobals.lock rwk,
}

-- 
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy

Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.