Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
On 2021-03-09 20:40, Rene Engelhard wrote:
>> I've looked at the https://salsa.debian.org/libreoffice-team/libreoffice/libreoffice/-/commit/03ba395bbe21154efc8a05dfbb9f7c16946eb4d2 diff linked in one of the posts and I see 11 question marks, not 9.
>
> Hmm, indeed. My bad. That means we need to do some distinction like you suggested? The original report just said basically "works if I add another digit", so that was what I did :-)

Best would be to find source code and see how these random paths are actually generated, instead of guessing. If it's really 9-to-11, my solution fits.

>> Complain-by-default is really bad policy, is there a hope to change that (having it without complain mode, but with "disabled" symlink)?
>
> Personal opinion: I actually consider "ship a profile disabled" even worse than "complain" since stuff won't even be seen. As of now you see ALLOWED in the logs at least.

I disagree, as in my case, you can *lose* confinement (security) "silently" after upgrade (when flags=complain returns), as in this LibreOffice case of mine.

And, for example, the Thunderbird package does upgrade its AppArmor profile, probably because it's allowed to get new upstream Thunderbird versions too, as an exception?

As for visibility, I agree it could be better. For example, maybe `aa-status` could list disabled profiles too. Of course, a profile might be corrupted/buggy/unparsable (and that's why disabled) so care should be taken, but maybe that would help a bit.

ALLOWED is useful, but maybe we who care about AppArmor profiles can just use profiles enforced and report bugs in Sid, as expected. Well, I did, but got silently "complained"...
Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
Hi,

On 09.03.21 at 19:27 Vincas Dargis wrote:
>>> Changing rule into this:
>>>
>>> owner @{libo_user_dirs}/{,**/}lu?{,?,??}.tmp rwk, #Temporary file used when saving
>>>
>>> Did the trick (needed 9 symbol variant).
>>
>> As was done.
>>
>> If you would actually have read the bug you would have seen that.
>
> I've looked at the
> https://salsa.debian.org/libreoffice-team/libreoffice/libreoffice/-/commit/03ba395bbe21154efc8a05dfbb9f7c16946eb4d2
> diff linked in one of the posts and I see 11 question marks, not 9.
>

Hmm, indeed. My bad. That means we need to do some distinction like you suggested? The original report just said basically "works if I add another digit", so that was what I did :-)

>> No one claimed this was fixed in 7.0.4.
>>
>> 7.0.x is in freeze. (It is in git for 7.0.x though should there ever be an upload,)
>
> So this means that's it, profile will be defunct as users will not be able to save on Bullseye with profile enabled? :(
>

Yup, unfortunately.

> Complain-by-default is really bad policy, is there a hope to change that (having it without complain mode, but with "disabled" symlink)?

Personal opinion: I actually consider "ship a profile disabled" even worse than "complain" since stuff won't even be seen. As of now you see ALLOWED in the logs at least.

Regards,

Rene
Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
On 2021-03-08 21:51, Rene Engelhard wrote:
> Yes, it is done. In 7.1. As the version tracking info clearly showed.

Ouch.. I've missed the version number, sorry...

>> Changing rule into this:
>>
>> owner @{libo_user_dirs}/{,**/}lu?{,?,??}.tmp rwk, #Temporary file used when saving
>>
>> Did the trick (needed 9 symbol variant).
>
> As was done.
>
> If you would actually have read the bug you would have seen that.

I've looked at the https://salsa.debian.org/libreoffice-team/libreoffice/libreoffice/-/commit/03ba395bbe21154efc8a05dfbb9f7c16946eb4d2 diff linked in one of the posts and I see 11 question marks, not 9.

> No one claimed this was fixed in 7.0.4.
>
> 7.0.x is in freeze. (It is in git for 7.0.x though should there ever be an upload,)

So this means that's it, profile will be defunct as users will not be able to save on Bullseye with profile enabled? :(

I wish I had enabled it before.. I *was* using it in enforce mode some time ago, and even proposed some fixes upstream, but probably forgot to re-enforce after some upgrade.

Complain-by-default is really bad policy, is there a hope to change that (having it without complain mode, but with "disabled" symlink)?
Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
Hi,

for avoidance of doubt...

On 08.03.21 at 20:51 Rene Engelhard wrote:
>> type=AVC msg=audit(1615225628.771:1363): apparmor="DENIED"
>> operation="mknod" profile="libreoffice-soffice"
>> name="/home/vincas/Dokumentai/lu4638vdjw1.tmp" pid=4638
>> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
>> ouid=1000FSUID="vincas" OUID="vincas"
>>
> Just because you enable the profile.

"Set the profile to enforcing" (from complain) I mean.

Regards,

Rene
Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
Control: reopen -1

I see this bug marked as Done but I just got a denial today:

type=AVC msg=audit(1615225628.771:1363): apparmor="DENIED" operation="mknod" profile="libreoffice-soffice" name="/home/vincas/Dokumentai/lu4638vdjw1.tmp" pid=4638 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

Changing rule into this:

owner @{libo_user_dirs}/{,**/}lu?{,?,??}.tmp rwk, #Temporary file used when saving

Did the trick (needed 9 symbol variant).
Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
Hi,

On 08.02.21 at 03:15 Paul Wise wrote:
> Tags: patch

No, no patch. "patch" does not mean "add a ?" but if at all something like this

$ git diff sysui/desktop/apparmor/program.soffice.bin
diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin index 42053db2abef..83bd9d11f93c 100644 --- a/sysui/desktop/apparmor/program.soffice.bin +++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -101,7 +101,7 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own owner @{libo_user_dirs}/**~lock.* rw, #lock file support owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts - owner @{libo_user_dirs}/{,**/}lu??{,?}.tmp rwk, #Temporary file used when saving + owner @{libo_user_dirs}/{,**/}lu???{,?}.tmp rwk, #Temporary file used when saving owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE # Settings

(Which is even trivial to do in /etc/apparmor.d if you don't know the source path. This won't necessarily help since the path is there in the generated file but if you're lucky and are far away "enough" from the profile path..)

Not removing the patch tag since it now actually has one..

> When I open a document in my home directory in libreoffice I get this:
>
> Feb 08 08:08:48 audit[474619]: AVC apparmor="DENIED" operation="open"
> profile="libreoffice-soffice" name="/home/pabs/lu474619vthyvt.tmp" pid=474619
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

Didn't you already ask on IRC some weeks ago about this?

Did you manually set it to enabled from the default complain-only mode or how did the soffice.bin get into complain mode?

> The reason is that this rule allowing temporary files is too short:
>
> owner @{libo_user_dirs}/{,**/}lu??{,?}.tmp rwk, #Temporary file used when saving
>
> Adding one more possible temporary filename length fixes the denial:
>
> owner @{libo_user_dirs}/{,**/}lu??{,?,??}.tmp rwk, #Temporary file used when saving

Did you change it or do you mean upstream did?

Addendum: Yes, apparently something changed and it got hidden due to it being complain-only. Indeed I get ALLOWED entries in the log.

Regards,

Rene
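Review bot: the replacement rule in this hunk still pins the temporary file name to two adjacent lengths (the fixed run of `?` plus one optional `?`), so it only shifts the accepted window by one character instead of covering the lengths actually reported in this bug: `lu474619vthyvt.tmp` has 12 characters after `lu` and `lu4638vdjw1.tmp` has 9, and in both log lines the name begins with the logging process's own pid (`pid=474619`, `pid=4638`), so the length will keep moving as pids grow. Consider the `{,?,??}` alternation from the report, or the bounded `lu??*.tmp` wildcard proposed there, and add a comment in the profile saying how the name is formed so the next length change is caught in review rather than in the audit log. As rendered here the rule shows only `??`, which cannot match either observed name, so the exact `?` count should be verified against the committed profile rather than this page.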
Bug#982274: usr.lib.libreoffice.program.soffice.bin: temporary files are not allowed due to length change
Package: libreoffice-common
Version: 1:7.0.4-3
Severity: important
File: /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
Usertags: apparmor
Tags: patch

When I open a document in my home directory in libreoffice I get this:

Feb 08 08:08:48 audit[474619]: AVC apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/pabs/lu474619vthyvt.tmp" pid=474619 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

The reason is that this rule allowing temporary files is too short:

owner @{libo_user_dirs}/{,**/}lu??{,?}.tmp rwk, #Temporary file used when saving

Adding one more possible temporary filename length fixes the denial:

owner @{libo_user_dirs}/{,**/}lu??{,?,??}.tmp rwk, #Temporary file used when saving

I expect that just switching to a wildcard would work too and would be much more likely to continue working if LibreOffice update the length.

owner @{libo_user_dirs}/{,**/}lu??*.tmp rwk, #Temporary file used when saving

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreoffice-common depends on:
ii  libnumbertext-data         1.0.7-1
ii  libreoffice-style-colibre  1:7.0.4-3
ii  ucf                        3.0043
ii  ure                        1:7.0.4-3

Versions of packages libreoffice-common recommends:
ii  apparmor            2.13.6-7
pn  fonts-liberation2 | ttf-mscorefonts-installer
ii  libexttextcat-data  3.4.5-1
ii  python3-uno         1:7.0.4-3
ii  xdg-utils           1.1.3-2

Versions of packages libreoffice-common suggests:
ii  libreoffice-style-colibre [libreoffice-style]  1:7.0.4-3

Versions of packages python3-uno depends on:
ii  libc6                    2.31-9
ii  libgcc-s1                10.2.1-6
ii  libpython3.9             3.9.1-3
ii  libreoffice-core         1:7.0.4-3
ii  libstdc++6               10.2.1-6
ii  libuno-cppu3             1:7.0.4-3
ii  libuno-cppuhelpergcc3-3  1:7.0.4-3
ii  libuno-sal3              1:7.0.4-3
ii  libuno-salhelpergcc3-3   1:7.0.4-3
ii  python3                  3.9.1-1
ii  python3.9                3.9.1-3
ii  ucf                      3.0043
ii  uno-libs-private         1:7.0.4-3

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
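The three rule variants in this report, and the "9 versus 11 question marks" exchange further up the thread, both come down to what a fixed run of `?` in an AppArmor path rule can and cannot match. The Python below is an added illustration, not code from the bug thread or from the Debian or LibreOffice profile: it translates the globbing these rules use into regexes and runs each candidate rule over the two denied `name=` values quoted in the thread. The `?` counts in the candidate rules are assumptions inferred from the two observed name lengths (9 and 12 characters after `lu`, each starting with the logging process's pid), since this page renders the rules with the `?` runs collapsed; `@{libo_user_dirs}` is assumed to expand to `/home/*`.

```python
import re
# Two AVC denial lines quoted in this bug thread (copied from the reports above).
AVC_LINES = [
    'type=AVC msg=audit(1615225628.771:1363): apparmor="DENIED" operation="mknod" profile="libreoffice-soffice" '
    'name="/home/vincas/Dokumentai/lu4638vdjw1.tmp" pid=4638 comm="soffice.bin" requested_mask="c" denied_mask="c"',
    'Feb 08 08:08:48 audit[474619]: AVC apparmor="DENIED" operation="open" profile="libreoffice-soffice" '
    'name="/home/pabs/lu474619vthyvt.tmp" pid=474619 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"',
]

def glob_to_regex(glob):
    """AppArmor globbing subset -> regex: ? one char (no '/'), * run without '/', ** any run, {a,b} alternation."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "{":  # alternation; these rules never nest braces
            j = glob.index("}", i)
            out.append("(?:" + "|".join(glob_to_regex(a) for a in glob[i + 1:j].split(",")) + ")")
            i = j + 1
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i]))); i += 1
    return "".join(out)

def rule_allows(rule_path, path):
    """True if a file rule with this path would match `path`."""
    rule_path = rule_path.replace("@{libo_user_dirs}", "/home/*")  # assumption: home dirs only
    return re.fullmatch(glob_to_regex(rule_path), path) is not None

def tmp_rule(fixed, extra=()):
    """Temporary-file rule with `fixed` '?' after 'lu' plus an optional {,?,??}-style alternation."""
    alt = "{" + ",".join("?" * k for k in extra) + "}" if extra else ""
    return "@{libo_user_dirs}/{,**/}lu" + "?" * fixed + alt + ".tmp"

def denied_paths(lines):
    return [re.search(r'name="([^"]+)"', l).group(1) for l in lines if 'apparmor="DENIED"' in l]

# Candidate rules from the thread. The '?' counts are assumptions inferred from the two
# observed lengths (9 and 12 characters after 'lu'); they are not copied from the profile.
RULES = {
    "7.0.4 profile: 10 fixed + {,?}": tmp_rule(10, (0, 1)),
    "Paul's {,?,??}: 10 fixed": tmp_rule(10, (0, 1, 2)),
    "Rene's commit: 11 fixed + {,?}": tmp_rule(11, (0, 1)),
    "Vincas's 9-symbol variant: 9 fixed + {,?,??}": tmp_rule(9, (0, 1, 2)),
    "Paul's wildcard lu??*.tmp": "@{libo_user_dirs}/{,**/}lu??*.tmp",
}

def coverage(rules=RULES, lines=AVC_LINES):
    """Map each rule label to the denied paths it would have allowed."""
    paths = denied_paths(lines)
    return {label: [p for p in paths if rule_allows(rule, p)] for label, rule in rules.items()}
```

`coverage()` shows that no fixed-length variant allows both reported names at once (each adjusted rule fixes one reporter and leaves the other denied), while the `lu??*.tmp` wildcard allows both at the cost of matching any `lu`-prefixed `.tmp` name in the user's directories.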