[apparmor] AppArmor profile for LibreOffice
Christian Boltz
apparmor at cboltz.de
Wed Dec 25 23:21:00 UTC 2013
Hello,
On Wednesday, 25 December 2013, Jonathan Davies wrote:
> On 25/12/2013 16:23, Christian Boltz wrote:
> > On Wednesday, 25 December 2013, Jonathan Davies wrote:
> >> I have created an AppArmor profile for LibreOffice and I would like
> >> to see it placed into the 14.04 packages.
> >
> > I had a short look at it. Some notes:
> >> audit deny network bluetooth,
> >
> > It seems this isn't allowed by any abstractions. What's the reason
> > to explicitly deny it?
>
> I didn't want LibreOffice to talk on bluetooth, and it seems to open
> up a service there by default.
Sounds reasonable - and leaves me with the question whether "audit"
makes sense. (You already know it wants to do that, and you deny it - so
why fill the logs?)
> >> # abstractions/private-files-strict is in force from above.
> >> owner @{HOME}/** rwk,
> >
> > The usual "problem" of having an application with a "save as..."
> > dialog ;-)
> >
> > I know there's some work done on a file dialog helper going (to
> > avoid the need for such rules), but I don't know the details and if
> > it's usable already.
>
> I don't see an issue here - I'm allowing full access to the home
> folder of the user, while private-files-strict is disallowing access
> to places such as ~/.{ssh,gnupg,mozilla}/*, etc. Try opening or
> saving a file there and you'll find that access is denied.
The "issue" is that it allows full access to the home (with the
private-files-strict exceptions). It's the best we can do currently - I
just wanted to mention that there might be a better solution in the future.
> >> deny @{HOME}/.exec* rwmx,
> >
> > What's the reason for this denial? Should it be part of an
> > abstraction instead of having it in the profile?
>
> LibreOffice seems to try to write to these files but does nothing with
> them - so I decided to block it.
Ah, ok.
> >> /usr/bin/bluetooth-sendto rmUx,
> >> /usr/bin/lpr rmUx,
> >> /usr/bin/paperconf rmix,
> >> /usr/bin/xdg-open rmUx,
> >
> > I'd recommend rmPUx instead of rmUx - if someone has a profile for
> > one of them, it should be used.
>
> Someone needs to update the manpage, it says that this kind of mode
> mixing is incompatible.
PUx means: if a profile exists, use it (so Px) - but if no profile
exists, fall back to Ux.
You are right - the apparmor.d manpage doesn't explain those fallback
modes yet :-(
I just submitted https://bugs.launchpad.net/apparmor/+bug/1264178
to make sure it doesn't get lost in the holiday season ;-)
Regards,
Christian Boltz
--
Not that I'm free of bouts of paranoia ;), but if that happens to you,
play the lottery right away; with that kind of luck you'll surely hit 6
numbers plus the bonus number four weeks running. [Maik Holtkamp in suse-linux]