[apparmor] New LibreOffice Profile
Simon Deziel
simon.deziel at gmail.com
Fri Apr 10 19:11:21 UTC 2015
Hi Bryan,
Those profiles work well even on 14.04 (after commenting out the unix
peer rules).
During my tests, I only got those apparently minor denials:
apparmor="DENIED" operation="open"
profile="/usr/lib{,32,64}/libreoffice/program/oosplash"
name="/sys/devices/system/cpu/" pid=31340 comm="oosplash"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="mknod"
profile="/usr/lib{,32,64}/libreoffice/program/soffice.bin"
name="/home/simon/.execoootv1uci" pid=31358 comm="soffice.bin"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
I have yet to look into those but I can already tell you I'm really glad
that LibreOffice programs are now contained. Thank you!
Regards,
Simon
On 04/10/2015 02:54 PM, Bryan Quigley wrote:
> Hello
>
>> but the excessive variable definition
>> in the soffice.bin profile uncovered a bug in aa-complain ;-)
> Glad I could help :).
>
>> BTW: On openSUSE, LibreOffice is installed to /usr/lib64/... on 64bit
>> systems, so you might want to change the profile names to /usr/lib*/...
> Changed them all to lib{,32,64}
>
>> Oh, at least openSUSE ships /etc/apparmor.d/abstractions/ubuntu-* (as
>> contained in bzr and the release tarball). I'm not too happy about the
>> naming scheme, but they can be useful nevertheless ;-)
> Switched xdg-open to use sanitized helper.. Works fine.
>
>> Another interesting discussion point. I'm not a fan of shipping profiles
>> disabled or in complain mode, because it could give users a false sense
>> of feeling protected.
> Agreed, I'm going to approach upstream and see what they say. I don't think
> it's out of the question to just make a separate package libreoffice-apparmor
> that turns them on by default.
>
>> Besides that, the file has an interesting[tm] mix of tabs and spaces,
> All spaces now.
>
>> After proofreading the profiles, I actually tested them - and have several
>> additions ;-)
> Thanks!
>
>>> + /home/*/.execooo* mrw, # probably tempfiles, * are 6 random chars
> That's actually been "fixed" in
> https://bugs.documentfoundation.org/show_bug.cgi?id=72755
>
>> BTW: Interestingly, oosplash keeps running all the time (and killing it
>> kills LibreOffice). Should oosplash also have a profile?
> Tried making a simple one for it, mostly is fine, but I'm leaving the
> Java part alone.
>
> Thanks again for all the reviews!
> Bryan
>
>
>
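The two denials Simon pasted are the normal input for profile tuning: each audit record names the profile, the path and the denied mask, and the profile author turns it into a rule (or decides the access should stay denied). The script below is an added example written for this thread, not code from the AppArmor project or from either poster; it parses records in that format, maps the log mask to the permission letter a profile rule needs (a "c" create denial requires "w" in the profile), generalises /home/<user>/ to /home/*/ as the profile on this thread already does, and flags any write under a home directory for manual review rather than merging it blindly. The sample records are reconstructed from the message above and joined back onto single lines; the mask-to-permission table and the review heuristic are this example's own assumptions, not aa-logprof's logic.

```python
import re

# Two denial records constructed from the ones quoted in the message above
# (each joined back onto a single line, as syslog/dmesg print them).
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="open" '
    'profile="/usr/lib{,32,64}/libreoffice/program/oosplash" '
    'name="/sys/devices/system/cpu/" pid=31340 comm="oosplash" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="mknod" '
    'profile="/usr/lib{,32,64}/libreoffice/program/soffice.bin" '
    'name="/home/simon/.execoootv1uci" pid=31358 comm="soffice.bin" '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
]

# key=value pairs; a value is either double-quoted (it may contain commas
# and braces, as the profile name does) or a bare token such as pid=31340.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed mapping from log mask letters to the permission letter written in
# a profile rule: a create (c) or delete (d) denial needs write permission.
# Exec masks (x) are deliberately left out; those need a deliberate choice
# of ix/Px/Cx/Ux by the author, not an automatic rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

HOME_RE = re.compile(r"^/home/[^/]+/")


def parse_denial(line):
    """Return the fields of one DENIED record as a dict, or None otherwise."""
    fields = {key: (quoted or bare)
              for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rule(fields):
    """Build a candidate file rule for a parsed denial.

    Returns (rule, needs_review). needs_review is True when the rule would
    grant write access under a user's home directory, which is the kind of
    rule a profile author should read before merging.
    """
    perms = "".join(sorted({MASK_TO_PERM[c] for c in fields["denied_mask"]
                            if c in MASK_TO_PERM}))
    if not perms:
        return None, False
    # Generalise the user name away: /home/simon/x -> /home/*/x, the form
    # the profile discussed on this thread already uses.
    path = HOME_RE.sub("/home/*/", fields["name"])
    needs_review = path.startswith("/home/") and "w" in perms
    return f"{path} {perms},", needs_review


def triage(lines):
    """Group candidate rules by profile; the result is input for a human."""
    by_profile = {}
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        rule, review = suggest_rule(fields)
        if rule is None:
            continue
        by_profile.setdefault(fields["profile"], []).append((rule, review))
    return by_profile


if __name__ == "__main__":
    for profile, rules in triage(SAMPLE_DENIALS).items():
        print(profile)
        for rule, review in rules:
            note = "   # review: write access under a home directory" if review else ""
            print("  " + rule + note)
```

Run against the two sample records it yields `/sys/devices/system/cpu/ r,` for the oosplash profile and a flagged `/home/*/.execoootv1uci w,` for soffice.bin; the second one is exactly the temp-file case the thread settled with a glob (`/home/*/.execooo*`), and the flag is there so that choice stays with the author rather than a script.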