Package: libreoffice-common
Version: 1:5.4.3-4
Severity: wishlist
Tags: patch

Hi,

following up on our conversation on #882597, here is a patch series that documents how advanced users can adjust the included AppArmor profiles to cope with their local setup, and re-enables the AppArmor profiles by default. What do you think?

If you want, I could also document in README.Debian how to disable one (or all) of these profiles, which might be useful in case a user prefers not to bother adjusting the profiles to their setup.

You mentioned something elsewhere about the LibreOffice test suite being possibly affected by this change. Could you please point me at an example of this problem? I could investigate. In general, test suites run at package build time are not affected by AppArmor because they run the binaries for a (build-) path that is not covered by the AppArmor policy. Now, runtime tests such as autopkgtests may be affected; if needed I could take a look.

Finally, if this AppArmor policy proves to break too many things for less technical users, I will support going back to ENABLE_APPARMOR_PROFILES=n without any afterthought: one of the key aspects of how we've been approaching AppArmor in Debian is that we want to avoid creating a culture of "AppArmor breaks stuff so I always disable it entirely".

Cheers,
--
intrigeri

>From 1afd67ec9f4e68e619f4e707bd62142ba8de78cf Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@boum.org> Date: Thu, 7 Dec 2017 17:34:48 +0000 Subject: [PATCH 1/2] * debian/README.Debian: document how to debug and customize the included AppArmor profiles --- README.Debian | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.Debian b/README.Debian index 815ac735..1493746d 100644 --- a/README.Debian +++ b/README.Debian @@ -17,6 +17,7 @@ Font problems Why are the menu fonts smaller than in older versions? Changing the default user interface font typeface for non-KDE/Gnome desktops Disabling the splash screen +AppArmor problems More information about LibreOffice in Debian @@ -278,6 +279,23 @@ If you don't like the splash screen staying in front of other windows while LibreOffice is loading, you can disable it by editing /etc/openoffice/sofficerc. Change Logo=1 to Logo=0. +AppArmor problems +================= + +LibreOffice in Debian ships with AppArmor profiles: + + /etc/apparmor.d/usr.lib.libreoffice.* + +To debug issues with these AppArmor profiles, see: + + https://wiki.debian.org/AppArmor/Debug + +If you are using custom settings such as a custom env:UserInstallation +directory, you may need to adjust them to match your local setup. +In this example, you would need to add your custom +env:UserInstallation to @{libo_user_dirs} in the +usr.lib.libreoffice.program.soffice.bin profile. + More information about LibreOffice in Debian =============================================== Please read the official README.gz (in the same directory as this file), too. -- 2.15.1
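Review bot: In the new "AppArmor problems" section of README.Debian, "you may need to adjust them to match your local setup" is ambiguous: "them" reads most naturally as the custom settings named earlier in the same sentence, not the profiles. Suggest "you may need to adjust these profiles to match your local setup". The section also stops at adding the directory to @{libo_user_dirs} without saying that the edited profile has to be reloaded before the change takes effect; a closing line such as "then reload it with apparmor_parser -r /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin" would complete the procedure.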
>From 070fba71b11f1fb6ebc4e229f50c18ff53deea52 Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@boum.org> Date: Thu, 7 Dec 2017 17:35:13 +0000 Subject: [PATCH 2/2] enable the AppArmor profiles back We disabled them due to #882597. After looking closer at the problem that triggered this bug report, it appeared that it only affects technical users with highly specific needs, such as passing a custom env:UserInstallation on the command line. Now that README.Debian documents how to adjust the AppArmor profiles to cope with such needs, it seems safe to re-enable them so that everyone else can benefit from the added security by default. --- rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules b/rules index edf08a44..0b2282ff 100755 --- a/rules +++ b/rules @@ -532,7 +532,7 @@ BUILD_PPC64EL=y BUILD_ARM64=y SYSTEM_STUFF += gpgmepp INSTALL_APPARMOR_PROFILES=y -ENABLE_APPARMOR_PROFILES=n +ENABLE_APPARMOR_PROFILES=y # Default flags to pass to configure CONFIGURE_FLAGS= \ -- 2.15.1
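Review bot: The flip to ENABLE_APPARMOR_PROFILES=y in rules carries no comment, so the reasoning lives only in the commit message. A one-line comment above it pointing at #882597 and at the "AppArmor problems" section of README.Debian would tell whoever next considers setting it back to n why it is on and what affected users are expected to do instead. The subject line also drops the "* debian/rules:" style prefix that patch 1/2 uses for its file, and the diffstat shows rules as the only file touched, so the series has no debian/changelog entry for a change in default behaviour.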