Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-07 Thread Rene Engelhard
tag 905442 - moreinfo
thanks

Hi,

On Tue, Aug 07, 2018 at 02:14:09PM +0300, Vincas Dargis wrote:
> On 8/7/18 1:55 PM, Rene Engelhard wrote:
> > Sorry, apparently didn't read fully the first time I read this mail.
> > 
> > Really $HOME? I would be surprised.
> > 
> > I know there's lu??.tmps in /tmp (or $TMPDIR) but $HOME?
> > Did you set TMPDIR=$HOME?
> 
> No, TMPDIR is not set. LO additionally tries to save .tmp file in the same
> directory where .odt is being saved:

Hrm, ok.

Regards,

Rene



Processed: Re: Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 905442 - moreinfo
Bug #905442 [libreoffice-common] AppArmor: cannot save files in enforced mode
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
905442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-07 Thread Vincas Dargis

On 8/7/18 1:55 PM, Rene Engelhard wrote:
> Sorry, apparently didn't read fully the first time I read this mail.
> 
> Really $HOME? I would be surprised.
> 
> I know there's lu??.tmps in /tmp (or $TMPDIR) but $HOME?
> Did you set TMPDIR=$HOME?


No, TMPDIR is not set. LO additionally tries to save .tmp file in the same directory where .odt is being saved:


```
# sudo sysdig "proc.name = soffice.bin and evt.type=openat and (fd.name contains /lu) or (fd.name contains .odt and fd.name contains Darbastalis)"

443456 14:04:09.138560524 1 soffice.bin (14623) < openat fd=26(/home/vincas/Darbastalis/test.odt)
443540 14:04:09.138982558 1 soffice.bin (14623) < openat fd=3(/home/vincas/Darbastalis/.~lock.test.odt#)
443645 14:04:09.139166513 1 soffice.bin (14623) < openat fd=3(/home/vincas/Darbastalis/lu14623jlf4nz.tmp)
443808 14:04:09.139301689 1 soffice.bin (14623) < openat fd=3(/home/vincas/Darbastalis/lu14623jlf4nz.tmp)

443916 14:04:09.139424232 1 soffice.bin (14623) < openat fd=24(/home/vincas/Darbastalis/test.odt)
444075 14:04:09.139604944 1 soffice.bin (14623) < openat fd=27(/tmp/lu14623jlf4nh.tmp)
444118 14:04:09.139648921 1 soffice.bin (14623) < openat fd=27(/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)
444223 14:04:09.139744770 1 soffice.bin (14623) < openat fd=27(/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)
444275 14:04:09.139790308 1 soffice.bin (14623) < openat fd=27(/tmp/lu14623jlf4nh.tmp/lu14623jlf4o0.tmp)

444322 14:04:09.139835306 1 soffice.bin (14623) < openat fd=-2(ENOENT)
444345 14:04:09.139859100 1 soffice.bin (14623) < openat fd=29(/home/vincas/Darbastalis/.~lock.test.odt#)

453115 14:04:09.189458991 1 soffice.bin (14623) < openat fd=-17(EEXIST)
453165 14:04:09.189556670 1 soffice.bin (14623) < openat fd=3(/home/vincas/Darbastalis/test.odt)
453340 14:04:09.191811379 1 soffice.bin (14623) < openat fd=3(/home/vincas/Darbastalis/test.odt)
453346 14:04:09.191874205 1 soffice.bin (14623) < openat fd=24(/tmp/lu14623jlf4nh.tmp)
453352 14:04:09.191913074 1 soffice.bin (14623) < openat fd=24(/tmp/lu14623jlf4nh.tmp/lu14623jlf4o1.tmp)

453378 14:04:09.192056428 1 soffice.bin (14623) < openat fd=24(/home/vincas/Darbastalis/test.odt)
453383 14:04:09.192069577 1 soffice.bin (14623) < openat fd=27(/tmp/lu14623jlf4nh.tmp/lu14623jlf4o1.tmp)
453411 14:04:09.192223706 1 soffice.bin (14623) < openat fd=3(/tmp/lu14623jlf4nh.tmp/lu14623jlf4o1.tmp)

453469 14:04:09.193561448 1 soffice.bin (14623) < openat fd=24(/home/vincas/Darbastalis/test.odt)
```

This line in particular:
```
443645 14:04:09.139166513 1 soffice.bin (14623) < openat fd=3(/home/vincas/Darbastalis/lu14623jlf4nz.tmp)
```

Maybe it's LO bug? Maybe it should write only into TMPDIR?


> That would make this invalid here. Stuff like this needs changing on various
> places then (e.g. for my print server and the cups profile I needed to
> allow the stuff out of /data/var instead of/additionally to /var - which is where
> /var is moved out from the microSD card of this rpi3 ;-))


I have started (ugh, yet another) discussion [0] about introducing `/etc/apparmor.d/tunables/env`, 
where we would have @{TMPDIR} = /tmp (and @{XAUTHORITY} and others) set, and it could be modified by 
the local admin, maybe in `tunables/env.d/site.local` or in `local/tunables/env` (discussion not 
concluded yet), by appending (I believe we do not have a way to override yet):

```
@{TMPDIR} += /var/run/user/*/
```

Meanwhile, application profiles could write `owner @{TMPDIR}/foobar rw` and 
similar rules.

[0] https://lists.ubuntu.com/archives/apparmor/2018-July/011730.html



Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-07 Thread Rene Engelhard
tag 905442 + moreinfo
thanks

Hi,

On Sat, Aug 04, 2018 at 06:45:07PM +0300, Vincas Dargis wrote:
> I cannot save files when AppArmor profile is in enforce mode:
> 
> ```
> type=AVC msg=audit(1533396515.983:974): apparmor="DENIED"
> operation="mknod" profile="libreoffice-soffice"
> name="/home/vincas/lu27901fkol0k.tmp" pid=27901 comm="soffice.bin"


Sorry, apparently didn't read fully the first time I read this mail.

Really $HOME? I would be surprised.

I know there's lu??.tmps in /tmp (or $TMPDIR) but $HOME?
Did you set TMPDIR=$HOME?

That would make this invalid here. Stuff like this needs changing on various
places then (e.g. for my print server and the cups profile I needed to
allow the stuff out of /data/var instead of/additionally to /var - which is where
/var is moved out from the microSD card of this rpi3 ;-))

Regards,

Rene



Processed: Re: Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 905442 + moreinfo
Bug #905442 [libreoffice-common] AppArmor: cannot save files in enforced mode
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
905442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-04 Thread Rene Engelhard
Hi,

On Sat, Aug 04, 2018 at 06:45:07PM +0300, Vincas Dargis wrote:
> I cannot save files when AppArmor profile is in enforce mode:

Ugh.

> So `...something.../lu???.tmp rw` rule would fix that (eleven
> changing positions)
> 
> I'll try to propose fix in upstream gerrit.

Thanks.

Regards,

Rene



Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-04 Thread Vincas Dargis
Package: libreoffice-common
Version: 1:6.1.0~rc2-3
Severity: normal
Tags: upstream

Dear Maintainer,

I cannot save files when AppArmor profile is in enforce mode:

```
type=AVC msg=audit(1533396515.983:974): apparmor="DENIED"
operation="mknod" profile="libreoffice-soffice"
name="/home/vincas/lu27901fkol0k.tmp" pid=27901 comm="soffice.bin"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
```

Looks like these temp files always start with "lu" and are (attempted to be)
saved in the same directory where the file should be saved. They
appear to have a fixed file name length (both Writer and Calc):

```
# grep -h -o  -P "[[:alnum:]]+\.tmp" /var/log/audit/audit.log*
lu27901fkol0k.tmp
lu27901fkol0l.tmp
lu27901fkol0m.tmp
lu28293fl6uko.tmp
lu30817780q83.tmp
lu116044dmon0.tmp
lu116044dmon3.tmp
lu116044dmon6.tmp
lu116044dmon9.tmp
```

So `...something.../lu???.tmp rw` rule would fix that (eleven
changing positions)

I'll try to propose fix in upstream gerrit.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreoffice-common depends on:
ii  libnumbertext-data   1.0-2
ii  libreoffice-style-tango  1:6.1.0~rc2-3
ii  ure  6.1.0~rc2-3

Versions of packages libreoffice-common recommends:
ii  fonts-liberation2   2.00.1-7
ii  libexttextcat-data  3.4.5-1
ii  python3-uno 1:6.1.0~rc2-3
ii  xdg-utils   1.1.3-1

Versions of packages libreoffice-common suggests:
ii  libreoffice-style-tango [libreoffice-style]  1:6.1.0~rc2-3

Versions of packages python3-uno depends on:
ii  libc6 2.27-5
ii  libgcc1   1:8.2.0-3
ii  libpython3.6  3.6.6-1
ii  libreoffice-core  1:6.1.0~rc2-3
ii  libstdc++68.2.0-3
ii  python3   3.6.6-1
ii  python3.6 3.6.6-1
ii  uno-libs3 6.1.0~rc2-3
ii  ure   6.1.0~rc2-3

-- Configuration Files:
/etc/apparmor.d/usr.lib.libreoffice.program.oosplash changed [not included]
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin changed [not included]

-- no debconf information
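The DENIED record in the report above and the `lu???.tmp rw` rule it proposes (eleven varying characters between `lu` and `.tmp`, as the grep output shows), worked through as an added example. This is editor-written code, not the reporter's, the Debian maintainer's or upstream LibreOffice's: a small Python parser that reads AppArmor AVC audit lines and emits candidate file rules for those temp files. The sample log is constructed around the single DENIED line from the report and is not a real log; the `@{HOME}` substitution assumes the stock `tunables/home` definition (`@{HOME}` = `@{HOMEDIRS}/*/`, `@{HOMEDIRS}` = `/home/`); the `owner` prefix, the `[0-9a-z]` alphabet and the `{,**/}` widening are this example's suggestions, not what was eventually committed to the profile.

```python
import re
from collections import defaultdict

# Constructed sample log. The first line is the DENIED record from the bug
# report; the remaining lines are invented here to exercise the filtering
# (a temp file read back, a temp file in a subdirectory, a non-temp document,
# and a complain-mode ALLOWED record that must be ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1533396515.983:974): apparmor="DENIED" operation="mknod" profile="libreoffice-soffice" name="/home/vincas/lu27901fkol0k.tmp" pid=27901 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1533396516.204:975): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/lu27901fkol0l.tmp" pid=27901 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1533396517.310:976): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/Darbastalis/lu28293fl6uko.tmp" pid=28293 comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1533396518.001:977): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/Darbastalis/test.odt" pid=28293 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1533396519.500:978): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/tmp/lu28293fl6ukp.tmp" pid=28293 comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

# key=value or key="value" pairs as printed by the audit subsystem.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# LibreOffice's per-document temp file: "lu", eleven characters, ".tmp".
# The [0-9a-z] alphabet is inferred from the names in the report (assumption).
LU_TMP_RE = re.compile(r'^(?P<dir>.*/)lu[0-9a-z]{11}\.tmp$')
LU_TMP_GLOB = 'lu' + '?' * 11 + '.tmp'   # AppArmor glob: '?' = one non-'/' char

# Assumes the stock tunables/home (@{HOME} = @{HOMEDIRS}/*/, @{HOMEDIRS} = /home/).
HOME_RE = re.compile(r'^/home/[^/]+/')

# Audit denied_mask letters -> AppArmor file permission letters. Create and
# delete are covered by 'w'; execute ('x') needs a hand-written rule.
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'c': 'w', 'd': 'w', 'a': 'w',
                'k': 'k', 'l': 'l', 'm': 'm'}


def parse_avc(line):
    """Return the fields of one AppArmor AVC audit record, or None for other lines."""
    if 'type=AVC' not in line or 'apparmor=' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def mask_to_perms(mask):
    return {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}


def suggest_rules(log_text, profile='libreoffice-soffice', widen=False):
    """Turn DENIED records for LibreOffice lu*.tmp files into AppArmor file rules.

    widen=False emits one rule per directory seen in the log (what a manual
    aa-logprof-style pass would give you); widen=True collapses every hit under
    the home directory into one @{HOME}/{,**/} rule. The {,**/} alternation
    also matches a file directly in @{HOME}, which a bare '**/' would not.
    """
    perms_by_glob = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev.get('apparmor') != 'DENIED' or ev.get('profile') != profile:
            continue
        m = LU_TMP_RE.match(ev.get('name', ''))
        if not m:
            continue
        directory = HOME_RE.sub('@{HOME}/', m.group('dir'))
        if widen and directory.startswith('@{HOME}/'):
            directory = '@{HOME}/{,**/}'
        # 'owner' restricts the rule to files owned by the task's fsuid; the
        # report's fsuid=1000 ouid=1000 shows that holds for these files.
        owner = ev.get('fsuid') == ev.get('ouid')
        perms_by_glob[(owner, directory + LU_TMP_GLOB)] |= mask_to_perms(ev.get('denied_mask', ''))
    return [f"{'owner ' if owner else ''}{glob} {''.join(sorted(perms))},"
            for (owner, glob), perms in sorted(perms_by_glob.items())]


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    print('# widened:')
    for rule in suggest_rules(SAMPLE_AUDIT_LOG, widen=True):
        print(rule)
```

Run against the constructed log, the narrow form yields one rule for `@{HOME}/` and one for `@{HOME}/Darbastalis/`, and the widened form yields a single `owner @{HOME}/{,**/}lu???????????.tmp rw,`. Either way a confined soffice.bin may only create files of exactly that shape, which is far narrower than a blanket `owner @{HOME}/** rw,`; if you want to tighten it further, AppArmor accepts character classes, so each `?` can be written as `[0-9a-z]` (there is no `{11}` repetition in AppArmor globs). Whether such a rule belongs in the shipped profile or in `/etc/apparmor.d/local/` is the maintainer's call, as the thread's TMPDIR and /data/var discussion makes clear.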