Bug#911897: AppArmor "complain" for oosplash & soffice

2019-02-14 Thread Vincas Dargis

Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertag -1 +modify-profile

Also Rene, please add a usertag for any AppArmor-related bug, so the AppArmor team 
can see what's going on.



Bug#911897: AppArmor "complain" for oosplash & soffice

2019-02-14 Thread Vincas Dargis

Hi,

I too have seen this /tmp/xauth.. stuff (I'm a KDE user), and asked about it on the AppArmor mailing list [0], 
and later on debian-devel [1].


Nothing new since then, haven't given it any more time, but what I would like to achieve is an 
"agreement" that if some Debian package changes some "popular" environment variable (like 
XAUTHORITY or TMPDIR or whatever), it should ship an AppArmor "tunable" file with these variables 
appended. Like in this case, it could be a `/etc/apparmor.d/tunables/env.d/kde-plasma` file with these 
contents:


```
# Tunable syntax: variables are written @{NAME}; the access mode ("r,") belongs
# to the rule in abstractions/X that uses the variable, not to the variable itself.
@{XAUTHORITY} += /tmp/xauth-@{uid}-_[0-9]*
```

And that XAUTHORITY variable would be used in the abstractions/X [2] include, which is used in every GUI 
application profile.


If you take a look at these mailing list emails, you'll see that not all applications use /tmp/xauth; 
some still use ~/.Xauthority... I do not know what's the deal here...


Maybe I should just propose to add this `/tmp/xauth..` path into the AppArmor upstream X abstraction, or 
we just add it into the LO profile. In most cases, if an application includes the "kde" abstraction, it allows 
reading `/tmp/*` via the `user-tmp` abstraction [3], so no problems are seen. For the smaller 
`oosplash` it's otherwise.


[0] https://lists.ubuntu.com/archives/apparmor/2018-July/011714.html
[1] https://lists.debian.org/debian-devel/2018/08/msg00107.html
[2] https://gitlab.com/apparmor/apparmor/blob/f729391deb165a0100e27659a0d93bcf17eae067/profiles/apparmor.d/abstractions/X#L20
[3] https://gitlab.com/apparmor/apparmor/blob/f729391deb165a0100e27659a0d93bcf17eae067/profiles/apparmor.d/abstractions/kde#L17




Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-27 Thread Rene Engelhard
Hi,

On Fri, Oct 26, 2018 at 01:24:52PM -0400, Anthony DeRobertis wrote:
> Which one you get depends on the exact way the app is launched. In the
> screenshot, the xterm on the left was launched as part of session restore;
> the one on the right was launched from the KDE menu (bottom-left thingy).
> The same thing happens on my normal desktop. I normally launch my xterms via
> a KDE hotkey, those get the /tmp one. (And normally I start libreoffice from
> an xterm). That could explain how it was missed — launch it from the menu
> instead, and it'll be given ~/.Xauthority.

Ah... And I "of course" launched konsole from the menu...
(Alt-F2, konsole gives the same.)

> I'm not sure what the intended behavior is here; the current behavior of
> using both files is surely a bug in KDE. Seems perfectly reasonable to
> reassign to them.

Hmm.

Regards,

Rene



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-26 Thread Rene Engelhard
clone 911897 -1
retitle 911897 apparmor denies /tmp/xauth-1000-_0 set by sddm/KDE
retitle -1 please include nvidia apparmor abstraction to allow nvidia
driver resources
severity -1 wishlist
tag -1 - unreproducible
tag -1 - moreinfo
tag -1 + wontfix
thanks

On Fri, Oct 26, 2018 at 12:13:00PM -0400, Anthony DeRobertis wrote:
> On 10/26/18 11:26 AM, Rene Engelhard wrote:
> > > Then there is a lot of nVidia stuff, probably from this machine using the 
> > > nVidia proprietary
> > > driver.
> > Then the nvidia drivers (which I do not care about at all, to be honest)
> > or libdrm or whatever should ship needed stuff. I mean, it's not LO using
> > the stuff directly, it's those. It would imho be completely nonsense to
> > make LO honour driver-specific things for every possible driver.
> 
> apparmor ships an /etc/apparmor.d/abstractions/nvidia — but AFAICT each app
> needs to #include it, which I agree is rather silly. E.g., Thunderbird and
> Totem both include it.

Making a bug out of this for documentation purposes. Wontfix, though.

Regards,

Rene



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-26 Thread Rene Engelhard
On Fri, Oct 26, 2018 at 12:13:00PM -0400, Anthony DeRobertis wrote:
> On 10/26/18 11:26 AM, Rene Engelhard wrote:
> > > Then there is a lot of nVidia stuff, probably from this machine using the 
> > > nVidia proprietary
> > > driver.
> > Then the nvidia drivers (which I do not care about at all, to be honest)
> > or libdrm or whatever should ship needed stuff. I mean, it's not LO using
> > the stuff directly, it's those. It would imho be completely nonsense to
> > make LO honour driver-specific things for every possible driver.
> 
> apparmor ships an /etc/apparmor.d/abstractions/nvidia — but AFAICT each app
> needs to #include it, which I agree is rather silly.

Yes, it is.

I think the worst which can happen (I at least hope..) is no acceleration or OpenGL
features (I consider LO using OpenGL for some stuff a nuisance anyway, but some
stuff of it got disabled upstream anyway).

> PS: Just saw your other reply about $XAUTHORITY, and yeah, that's how it's
> set here. Definitely KDE launched from sddm:
> 
>  1473 ?        Ssl    0:00 /usr/bin/sddm
>  1707 tty7     Ssl+  90:32  \_ /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{592354bf-2439-40b4-9616-3bd3943e9502} -background none -noreset -displayfd 17 -seat seat0 vt7
> 11894 ?        S      0:00  \_ /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authe60db6a4-a442-404f-9833-9762d7da6686 --id 1 --start /usr/bin/startkde --user anthony
> 11897 ?        S      0:00  \_ /bin/sh /usr/bin/startkde
> 11960 ?        Ss     0:00  \_ /usr/bin/ssh-agent env LD_PRELOAD=libgtk3-nocsd.so.0 /usr/bin/startkde
> 12010 ?        S      0:00  \_ kwrapper5 /usr/bin/ksmserver
> 
> ... going to try to figure out why my machine is different than yours.

Here it was just apt install sddm kde-plasma-desktop. (don't use
KDE myself.)

Regards,

Rene



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-26 Thread Anthony DeRobertis

On 10/26/18 11:26 AM, Rene Engelhard wrote:
> > Then there is a lot of nVidia stuff, probably from this machine using the
> > nVidia proprietary driver.
> 
> Then the nvidia drivers (which I do not care about at all, to be honest)
> or libdrm or whatever should ship needed stuff. I mean, it's not LO using
> the stuff directly, it's those. It would imho be completely nonsense to
> make LO honour driver-specific things for every possible driver.

apparmor ships an /etc/apparmor.d/abstractions/nvidia — but AFAICT each 
app needs to #include it, which I agree is rather silly. E.g., 
Thunderbird and Totem both include it.

> Not that it matters here, but no -kde(5) even when you're using KDE?

Never tried it, actually. I have such a mix of apps running anyway 
that there is no hope of consistency, and I don't run KDE everywhere... 
so I'd rather just have LibreOffice look like LibreOffice.



PS: Just saw your other reply about $XAUTHORITY, and yeah, that's how 
it's set here. Definitely KDE launched from sddm:


 1473 ?        Ssl    0:00 /usr/bin/sddm
 1707 tty7     Ssl+  90:32  \_ /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{592354bf-2439-40b4-9616-3bd3943e9502} -background none -noreset -displayfd 17 -seat seat0 vt7
11894 ?        S      0:00  \_ /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authe60db6a4-a442-404f-9833-9762d7da6686 --id 1 --start /usr/bin/startkde --user anthony
11897 ?        S      0:00  \_ /bin/sh /usr/bin/startkde
11960 ?        Ss     0:00  \_ /usr/bin/ssh-agent env LD_PRELOAD=libgtk3-nocsd.so.0 /usr/bin/startkde
12010 ?        S      0:00  \_ kwrapper5 /usr/bin/ksmserver

... going to try to figure out why my machine is different than yours.



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-26 Thread Rene Engelhard
Hi,

On Fri, Oct 26, 2018 at 05:26:56PM +0200, Rene Engelhard wrote:
> > Then there is a lot of nVidia stuff, probably from this machine using the 
> > nVidia proprietary
> > driver.
> 
> Then the nvidia drivers (which I do not care about at all, to be honest)
> or libdrm or whatever should ship needed stuff. I mean, it's not LO using
> the stuff directly, it's those. It would imho be completely nonsense to
> make LO honour driver-specific things for every possible driver.
> 
> I think I saw these once in an other report where I reassigned that one
> or a clone to either of those, need to search for it...

Ah, no, I just closed it, it seems, based on what the real issue in that
bug was:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903900

Regards,
 
Rene



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-26 Thread Rene Engelhard
tag 911897 + moreinfo
tag 911897 + unreproducible
thanks

On Thu, Oct 25, 2018 at 05:49:27PM -0400, Anthony DeRobertis wrote:
> Presumably the xauth one will affect a lot of people (as that's the
> value of $XAUTHORITY here, set by KDE/sddm). Then there is a lot of

Really?

$ echo $XAUTHORITY
/home/rene/.Xauthority

(set by sddm logging into GNOME)

Shouldn't it - if KDE set it - have been found when Vincas did
https://cgit.freedesktop.org/libreoffice/core/commit/?id=c86e4ad53391d17d1eb54845b5999889f7e65061 ?

$ echo $XAUTHORITY
/home/rene/.Xauthority

(set by sddm logging into Plasma)

> Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): 
> apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" 
> name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" 
> denied_mask="r" fsuid=1000 ouid=1000
   ^^

root@frodo:~# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.oosplash
Setting /etc/apparmor.d/usr.lib.libreoffice.program.oosplash to enforce mode.
root@frodo:~# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.

Starts fine and does NOT print above (or deny) it.

Regards,

Rene



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-26 Thread Rene Engelhard
Hi,

On Thu, Oct 25, 2018 at 05:49:27PM -0400, Anthony DeRobertis wrote:
> I understand the goal is to get AppArmor back into enforcing mode
> someday, so presumably these complain-mode allow messages are of use.
> Presumably the xauth one will affect a lot of people (as that's the
> value of $XAUTHORITY here, set by KDE/sddm).

Maybe.

> Then there is a lot of nVidia stuff, probably from this machine using the 
> nVidia proprietary
> driver.

Then the nvidia drivers (which I do not care about at all, to be honest)
or libdrm or whatever should ship needed stuff. I mean, it's not LO using
the stuff directly, it's those. It would imho be completely nonsense to
make LO honour driver-specific things for every possible driver.

I think I saw these once in an other report where I reassigned that one
or a clone to either of those, need to search for it...

> (Side note, I understand sandboxing web browsers and the like with
> AppArmor. Firefox shouldn't have random access to $HOME. But I wonder if
> it's really worth it for LibreOffice; by its nature it must have access
> to my important documents. But that's a discussion for elsewhere, I'm
> sure.)

Yes, and there's the "get xyz from the filesystem" or "do not run xyz
after a security bug was used" scenario.

I wouldn't have written a profile if one (incomplete and ooold, as noticed.) wasn't
already there and ready to be installed.

> Installed VCLplugs:
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version  Architecture Description
> +++----=
> un  libreoffice-gtk2   (no description available)
> un  libreoffice-gtk3   (no description available)
> un  libreoffice-kde(no description available)

Not that it matters here, but no -kde(5) even when you're using KDE?

Regards,

Rene



Bug#911897: AppArmor "complain" for oosplash & soffice

2018-10-25 Thread Anthony DeRobertis
Package: libreoffice-core
Version: 1:6.1.3~rc1-1
Severity: normal
File: /usr/lib/libreoffice/program/oosplash

I understand the goal is to get AppArmor back into enforcing mode
someday, so presumably these complain-mode allow messages are of use.
Presumably the xauth one will affect a lot of people (as that's the
value of $XAUTHORITY here, set by KDE/sddm). Then there is a lot of
nVidia stuff, probably from this machine using the nVidia proprietary
driver.

(Side note, I understand sandboxing web browsers and the like with
AppArmor. Firefox shouldn't have random access to $HOME. But I wonder if
it's really worth it for LibreOffice; by its nature it must have access
to my important documents. But that's a discussion for elsewhere, I'm
sure.)

Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.729:201): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.849:202): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:203): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:204): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:205): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:206): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:207): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:208): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:209): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.333:287): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.453:288): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:289): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:290): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:291): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25519 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:292): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(15405
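The complain-mode lines above are what a profile maintainer has to turn into decisions: which accesses belong in the LibreOffice profile itself, and which (as the thread argues for the nVidia paths) belong to an abstraction shipped elsewhere. The following Python script is an added example, not code from this bug report, from Debian or from the AppArmor project: it parses audit lines of the format shown above, de-duplicates them per profile, path and permission mask, tags the nVidia paths as candidates for `#include <abstractions/nvidia>`, and shows how the literal uid in `/tmp/xauth-1000-_0` would be rewritten to the `@{uid}` variable Vincas proposes for a tunable. The prefix table, the sample log (modelled on the report's lines) and the `@{uid}` rewrite are the example's own assumptions, not an AppArmor facility.

```python
"""Triage AppArmor audit lines into per-profile rule suggestions.

Added example, not code from the bug thread or from AppArmor.  Complain mode
logs accesses with apparmor="ALLOWED", enforce mode with apparmor="DENIED";
both carry the same fields and are handled the same way here.
"""
import re
from collections import Counter

# key="quoted value" or key=bareword, as the AppArmor audit subsystem emits them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: path prefixes that the nvidia abstraction is meant to cover, taken
# from the paths the thread attributes to the proprietary driver.
ABSTRACTION_HINTS = {
    "abstractions/nvidia": ("/dev/nvidia", "/proc/driver/nvidia", "/usr/share/nvidia"),
}

PERM_ORDER = "rwamlkx"  # canonical order for printing permission letters

# Constructed sample: five lines modelled on the report's audit output
# (profile name "libreoffice-oopslash" kept exactly as the report shows it).
SAMPLE_LOG = """\
Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.729:201): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:205): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:290): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:291): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25519 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
"""


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def normalize_mask(mask):
    """The log says "wr"; profile rules are conventionally written "rw"."""
    return "".join(sorted(mask, key=lambda c: PERM_ORDER.find(c)))


def summarize(log_text):
    """Count distinct (profile, path, mask, owner) accesses across the log."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        owner = ev.get("fsuid") == ev.get("ouid")  # file owned by the acting user
        counts[(ev["profile"], ev["name"], normalize_mask(ev["requested_mask"]), owner)] += 1
    return counts


def classify(path):
    """Name the abstraction that (by the table above) covers path, else 'profile'."""
    for abstraction, prefixes in ABSTRACTION_HINTS.items():
        if path.startswith(prefixes):
            return abstraction
    return "profile"


def generalize_uid(path, uid):
    """Rewrite the literal uid component of a per-user path as the @{uid}
    variable the thread proposes for a tunable; unchanged if uid is absent."""
    return re.sub(rf"(?<![0-9]){re.escape(uid)}(?![0-9])", "@{uid}", path)


def suggest_rules(log_text):
    """Map each profile to the #includes and literal rules a maintainer would review."""
    suggestions = {}
    for (profile, path, mask, owner), _count in sorted(summarize(log_text).items()):
        bucket = suggestions.setdefault(profile, {"include": set(), "rules": []})
        target = classify(path)
        if target != "profile":
            bucket["include"].add(f"#include <{target}>")
        # 'owner' restricts the rule to files owned by the process's fsuid
        bucket["rules"].append(f"{'owner ' if owner else ''}{path} {mask},")
    return suggestions


if __name__ == "__main__":
    for profile, s in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for inc in sorted(s["include"]):
            print("   ", inc)
        for rule in s["rules"]:
            print("   ", rule)
    print("generalized:", generalize_uid("/tmp/xauth-1000-_0", "1000"))
```

Running it on the sample prints, for `libreoffice-oopslash`, the single rule `owner /tmp/xauth-1000-_0 r,` and, for `libreoffice-soffice`, the nvidia include plus the three driver paths; the duplicated `/dev/nvidiactl` access collapses to one `rw` rule. The literal-uid rule is only a starting point: it is the `@{uid}` pattern, whether in a tunable or directly in abstractions/X, that makes the rule hold for every user.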