[apparmor] New LibreOffice Profile

Christian Boltz apparmor at cboltz.de
Tue Apr 14 20:01:00 UTC 2015


Hello,

On Friday, 10 April 2015, Bryan Quigley wrote:
> >but the excessive variable definition
> >in the soffice.bin profile uncovered a bug in aa-complain ;-)
> 
> Glad I could help :).

;-)

Now you "just" need to push Steve (or someone else) to review my pending
patches, so that the fix for those bugs (yes, plural [1] ;-) can go into
bzr ;-)

> >Another interesting discussion point. I'm not a fan of shipping
> >profiles disabled or in complain mode, because it could give users a
> >false sense of feeling protected.
> 
> Agreed, I'm going to approach upstream and see what they say.   I
> don't think it's out of the question to just make a separate package
> libreoffice-apparmor that turns them on by default.

Yes, that sounds like a good solution.

> >>+  /home/*/.execooo* mrw,   # probably tempfiles, * are 6 random
> >>chars
> That's actually been "fixed" in
> https://bugs.documentfoundation.org/show_bug.cgi?id=72755

Maybe you should allow it nevertheless to make the profile compatible 
with the LibreOffice versions people are using currently?

> >BTW: Interestingly, oosplash keeps running all the time (and killing
> >it kills LibreOffice). Should oosplash also have a profile?
> 
> Tried making a simple one for it, mostly is fine, but I'm leaving the
> Java part alone.

I tend to want a (child?) profile for the Java stuff, because Java isn't 
known as the most secure software out there ;-)

My tests with your latest profiles look quite good, but I have some 
additions nevertheless ;-)

soffice.bin:

+  /home/*/.execooo* mrw,   # see above
+  /usr/lib64/libreoffice/program/__pycache__/ ra,   # deny?
+  /usr/lib64/libreoffice/share/extensions/lightproof-en/pythonpath/__pycache__/ ra,  # deny?
+  /usr/lib64/libreoffice/share/uno_packages/cache/stamp.sys ra,  # deny?
+  /usr/share/locale-bundle/*/LC_MESSAGES/bash.mo r,
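Review bot: the `ra` permission on the three `__pycache__/` and `stamp.sys` lines is the wrong answer to the "deny?" question either way: `a` on a directory path grants append, which nothing can use, and the log events it came from are almost certainly Python trying to create `.pyc` files (and the UNO package cache trying to refresh its stamp) inside a root-owned `/usr/lib64` tree, which an unprivileged user cannot do regardless of the profile. If that write access is not wanted, say so explicitly, e.g. `deny /usr/lib64/libreoffice/program/__pycache__/** w,` and `deny /usr/lib64/libreoffice/share/uno_packages/cache/stamp.sys w,`, so aa-logprof stops asking and the `r` can be dropped to plain `r` (or removed) on the directory entries; if it is wanted, it needs `w` on the files, not `a` on the directory.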

oosplash:

+  /run/nscd/passwd r,   # abstractions/nameservice? Or would that be too permissive?
+  /usr/lib64/libreoffice/ure/bin/javaldx Cx,   # seems to be a different path on openSUSE- but gave me a nice child profile ;-)
+  /usr/share/libreoffice/program/intro.png r,
+  /usr/share/libreoffice/program/sofficerc r,
+
+  profile /usr/lib64/libreoffice/ure/bin/javaldx flags=(complain) {
+    #include <abstractions/base>
+
+    /home/*/.config/ r,
+    /home/*/.config/libreoffice/4-suse/user/config/javasettings_Linux_X86_64.xml r,   # you'll probably need a different directory name for ubuntu ;-) (hint: "4-suse") and might also want to use a filename like javasettings_Linux_*.xml
+    /run/nscd/passwd r,
+    /usr/ r,   # no idea why this and the next one is needed...
+    /usr/lib64/ r,
+    /usr/lib64/libreoffice/ure/bin/javaldx mr,
+
+  }
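Review bot: the `javaldx` child profile is declared with `flags=(complain)`, which is exactly the "false sense of feeling protected" this thread argued against a few lines up; drop the flag (or at least keep it out of the packaged version) once the rules below are confirmed. Two of the rules are also too distro-specific to ship: the `javasettings_Linux_X86_64.xml` line hard-codes both the `4-suse` user directory and the architecture, so `/home/*/.config/libreoffice/*/user/config/javasettings_Linux_*.xml r,` covers Ubuntu and other architectures without widening anything else. On the `/run/nscd/passwd r,` question: abstractions/nameservice also grants the other NSS backends, including network rules for remote name services, so if the nscd cache is the only thing javaldx touches, keeping the single file rule is the tighter choice. The `/usr/ r,` and `/usr/lib64/ r,` directory reads are probably javaldx scanning for installed JREs; they are harmless as read-only listings, but a comment saying so would stop the next reviewer from asking the same question.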




Regards,

Christian Boltz

[1] patches for bugs uncovered by the LibreOffice profiles:
    33-fix-add-to-variable-and-add-tests.diff
    35-fix-serialize_profile_from_old_profiles-variable-add.diff
    36-fix-crash-in-serialize_profile_from_old_profiles.diff

-- 
If the thing runs under Windows CE or Pocket PC 2000, Synce is your
case.  To be found on Sourceforge, if I'm not mistaken, and I'm never
mistaken when I'm not mistaken.           [Michael Karges in suse-linux]
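To check the posted rules mechanically for the points raised in this mail (a child profile shipped with `flags=(complain)`, append or write on a directory path, distro- and architecture-specific paths, and single rules that abstractions/nameservice would already grant), here is an added example: a small Python rule linter that is not part of AppArmor's own tools nor of the profiles under discussion. The sample input is the oosplash hunk retyped as constructed data with the `+` prefixes removed; the set of paths attributed to abstractions/nameservice and the `<major>-<vendor>` directory pattern are assumptions to adjust against your own `/etc/apparmor.d/abstractions/`.

```python
"""Lint AppArmor file rules for the review points raised in the thread.

Added example, not AppArmor's code. Parses only the simple rule forms
seen in the mail (path + permissions, 'profile ... {' headers).
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, code, message)

# path-based file rule, optionally prefixed by deny/audit/owner
RULE_RE = re.compile(r'^\s*(?:(?:deny|audit|owner)\s+)*(/\S+)\s+([A-Za-z]+)\s*,')
# child/named profile header with optional flags=(...)
PROFILE_RE = re.compile(r'^\s*profile\s+(\S+)(?:\s+flags=\(([^)]*)\))?\s*\{')

# Paths the reviewer assumes abstractions/nameservice already grants
# (assumption for this example; verify against your local abstraction file).
NAMESERVICE_PATHS = {
    "/run/nscd/passwd", "/run/nscd/group", "/etc/passwd", "/etc/group",
    "/etc/nsswitch.conf",
}
# LibreOffice user profile directory "<major>-<vendor>", e.g. 4-suse (assumption)
VENDOR_DIR_RE = re.compile(r'/\d+-[a-z]+/')
# architecture baked into a file name, e.g. javasettings_Linux_X86_64.xml
ARCH_RE = re.compile(r'(?i)x86_64|aarch64|i[3-6]86')

# Constructed sample: the oosplash rules from the mail with '+' removed.
SAMPLE_PROFILE = """\
  /run/nscd/passwd r,
  /usr/lib64/libreoffice/ure/bin/javaldx Cx,
  /usr/share/libreoffice/program/intro.png r,
  /usr/lib64/libreoffice/program/__pycache__/ ra,

  profile /usr/lib64/libreoffice/ure/bin/javaldx flags=(complain) {
    #include <abstractions/base>

    /home/*/.config/ r,
    /home/*/.config/libreoffice/4-suse/user/config/javasettings_Linux_X86_64.xml r,
    /run/nscd/passwd r,
    /usr/ r,
    /usr/lib64/ r,
    /usr/lib64/libreoffice/ure/bin/javaldx mr,
  }
"""


def lint_profile(text: str) -> List[Finding]:
    """Return findings in file order; an empty list means nothing to flag."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):   # blank, comment, #include
            continue
        m = PROFILE_RE.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or '').split(',')]
            if 'complain' in flags:
                findings.append((n, 'COMPLAIN',
                                 f'profile {m.group(1)} is in complain mode: '
                                 'it logs but does not confine'))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        path, perms = m.group(1), m.group(2)
        if path in NAMESERVICE_PATHS:
            findings.append((n, 'ABSTRACTION',
                             f'{path} is granted by abstractions/nameservice; '
                             'decide between the abstraction and this single rule'))
        if path.endswith('/') and set(perms) & set('wa'):
            findings.append((n, 'DIR_WRITE',
                             f'{perms} on directory {path}: append/write on a '
                             'directory entry is unusable; use deny ... w, or '
                             f'w on {path}** if the files must be written'))
        if VENDOR_DIR_RE.search(path):
            findings.append((n, 'VENDOR_PATH',
                             f'{path} hard-codes a vendor user directory; '
                             'glob it (e.g. /*/) so other distributions match'))
        if ARCH_RE.search(path):
            findings.append((n, 'ARCH_PATH',
                             f'{path} hard-codes an architecture; use a glob'))
    return findings


if __name__ == "__main__":
    for lineno, code, msg in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {code}: {msg}")
```

Run it against any profile fragment with `lint_profile(open(path).read())`; it deliberately does not try to parse the full rule grammar (capability, network, dbus, variables), so treat its silence as "nothing in the simple file rules", not as a clean bill for the whole profile.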