I don't know all that much about configuring AppArmor, but for what it's
worth for me on Linux Mint Sylvia 18.3 (still supported, although older
than your Tara 19.0) using the LibreOffice PPA for its newer versions of
LibreOffice (currently 6.2.8)...
Gys wrote:
Hi,
in my Linux Mint Tara aa-status lists 3 profiles related to LibreOffice :
libreoffice-xpdfimport (enforce)
libreoffice-senddoc (enforce)
libreoffice-oopslash (complain)
I have:
libreoffice-senddoc (enforce)
libreoffice-soffice//gpg (enforce)
libreoffice-xpdfimport (enforce)
libreoffice-oopslash (complain)
libreoffice-soffice (complain)
In the kernel log libreoffice-oopslash is complaining about a lot of
things.
Looking at my logs from the last week, I see a few "audit" messages
relating to libreoffice-soffice and libreoffice-oopslash. Looks like a
cluster of about 10 entries for libreoffice-soffice each time I start
LibreOffice, with a few others for soffice and oopslash in between - but
I don't tend to be using it continuously for hours on end.
Both the program and the profile in Nemo is oosplash
usr/lib/libreoffice/program/oosplash
/etc/apparmor.d/usr.lib.libreoffice.program.oosplash
Search oopslash in / in Nemo gives no results
Questions
1) Is the "p" and "s" reversal a typo ?
As mentioned at the start, I'm no expert on AppArmor, but it does look
suspiciously like a typo. I guess it might only affect the displayed
name of the profile though, since the executable it applies to appears
to be correctly spelled "oosplash":
profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash
flags=(complain) {...}
2) Why is there no profile for /usr/lib/libreoffice/program/soffice.bin ?
For me the </etc/apparmor.d/usr.lib.libreoffice.program.*> files,
including one for soffice.bin, are provided by the libreoffice-common
package, which I've installed from the PPA. From a quick look at the
.deb packages from libreoffice.org it doesn't look like any of them
contain AppArmor profiles, so I'd guess they're added by the Ubuntu/PPA
package maintainer. Perhaps the PPA maintainer adds a profile for
soffice.bin while the Ubuntu one doesn't.
3) Is there anyone here with a working AppArmor profile for LibreOffice
and would you be so kind to share ?
I've attached the libreoffice-soffice profile installed on my system
(with a .txt extension added - hopefully enough to get it through the
mailing list). No guarantee it will work with your version though. It
does say in comments near the top:
# This profile should enable the average LibreOffice user to get their
# work done while blocking some advanced usage
# ...
so I guess some complaints in "complain" mode may be expected.
4) I looked on-line but could not find an updated AppArmor profile for
LibreOffice or even the profile shipped with Version: 6.0.7.3
Build ID: 1:6.0.7-0ubuntu0.18.04.10 (?)
I've no idea who actually maintains them. From a quick look, it doesn't
look like any of the .deb files downloaded from libreoffice.org contains
AppArmor profiles, so I'm guessing they're added by the Ubuntu/PPA
package maintainer.
--
Mark.
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
# Copyright (C) 2018 Software in the Public Interest, Inc.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Authors: Jonathan Davies <[email protected]>
# Bryan Quigley <[email protected]>
# Rene Engelhard <[email protected]>
#
# ------------------------------------------------------------------
# This profile should enable the average LibreOffice user to get their
# work done while blocking some advanced usage
# Namely not tested and likely not working : embedded plugins,
# Using the LibreOffice SDK and other development tasks
# Everything else should be working
#Defines all common supported file formats
#Some obscure ones we're excluded (mostly input)
#Generic
#.txt
@{libreoffice_ext} = [tT][xX][tT]
#All the open document format
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
#.xml and xsl
@{libreoffice_ext} += [xX][mMsS][lL]
#.pdf
@{libreoffice_ext} += [pP][dD][fF]
#Unified office format
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
#(x)htm(l)
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
#.epub
@{libreoffice_ext} += [eE][pP][uU][bB]
#.ps (printing to file)
@{libreoffice_ext} += [pP][sS]
#Images
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ]99251
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]
#Writer
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]
#Calc
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
@{libreoffice_ext} += [xX][lL][wW]
#.dif dbf
@{libreoffice_ext} += [dD][iIbB][fF]
#.tsv .csv
@{libreoffice_ext} += [cCtT][sS][vV]
@{libreoffice_ext} += [sS][lL][kK]
#Impress/Draw
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
#Flash
@{libreoffice_ext} += [sS][wW][fF]
#Photoshop
@{libreoffice_ext} += [pP][sS][dD]
#Math
@{libreoffice_ext} += [mM][mM][lL]
@{libo_user_dirs} = @{HOME} /mnt /media
#include <tunables/global>
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin
flags=(complain) {
#include <abstractions/private-files>
#include <abstractions/audio>
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/gnome>
# GnuPG1 only...
# #include <abstractions/gnupg>
#include <abstractions/python>
#include <abstractions/p11-kit>
#List directories for file browser
/ r,
/**/ r,
owner @{libo_user_dirs}/**/ rw, #allow creating directories that
we own
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the
right exts
owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used
when saving
owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
# Settings
/etc/libreoffice/ r,
/etc/libreoffice/** r,
/etc/cups/ppd/*.ppd r,
/etc/xml/catalog r, #exporting to .xhtml, for libxml2
/proc/*/status r,
owner @{HOME}/.config/libreoffice{,dev}/** rwk,
owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/soffice.binrc.lock rwk,
owner @{HOME}/.cache/fontconfig/** rw,
owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work
owner @{HOME}/.recently-used rwk,
owner /tmp/psp[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]* rw,
#/tmp/psp1534203998 (printing to file)
owner /{,var/}run/user/*/dconf/user rw,
owner @{HOME}/.config/dconf/user r,
# allow schema to be read
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
# bluetooth send to
network bluetooth,
/{usr/,}bin/sh rmix,
/{usr/,}bin/bash rmix,
/{usr/,}bin/dash rmix,
/{usr/,}bin/rm rmix, #deleting /tmp/psp1534203998
(printing to file)
/usr/bin/bluetooth-sendto rmPUx,
/usr/bin/lpr rmPUx,
/usr/bin/paperconf rmix,
/usr/bin/gpgconf rmix,
/usr/bin/gpg rmCx -> gpg,
/usr/bin/gpgsm rmCx -> gpg,
/usr/bin/gpa rix,
/usr/bin/seahorse rix,
/usr/bin/kgpg rix,
/usr/bin/kleopatra rix,
/dev/tty rw,
/usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner
rmPUx,
owner @{HOME}/.cache/gstreamer-???/** rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work
without this
/usr/lib{,32,64}/jvm/ r,
/usr/lib{,32,64}/jvm/** r,
/usr/lib{,32,64}/jvm/**/jre/bin/java mix,
/usr/lib{,32,64}/jvm/**/bin/java mix,
# should be included in the jvm/** above but there it is
# a symlink, so apparmor still doesn't allow it...
/etc/java-??-openjdk/security/java.security r,
/usr/lib/libreoffice/** rw,
/usr/lib/libreoffice/**.so m,
/usr/lib/libreoffice/program/soffice.bin mix,
/usr/lib/libreoffice/program/xpdfimport px,
/usr/lib/libreoffice/program/senddoc px,
/usr/bin/xdg-open rPUx,
/usr/share/java/**.jar r,
/usr/share/hunspell/ r,
/usr/share/hunspell/** r,
/usr/share/hyphen/ r,
/usr/share/hyphen/** r,
/usr/share/mythes/ r,
/usr/share/mythes/** r,
/usr/share/liblangtag/ r,
/usr/share/liblangtag/** r,
/usr/share/libreoffice/ r,
/usr/share/libreoffice/** r,
/usr/share/yelp-xsl/xslt/mallard/** r,
/usr/share/libexttextcat/* r,
/usr/share/icu/** r,
/usr/share/locale-bundle/* r,
/var/spool/libreoffice/ r,
/var/spool/libreoffice/** rw,
/var/cache/fontconfig/ rw,
#Likely moving to abstractions in the future
owner @{HOME}/.icons/*/cursors/* r,
/etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor}
r, # for libdrm
/usr/share/*-fonts/conf.avail/*.conf r,
/usr/share/fonts-config/conf.avail/*.conf r,
/{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
/{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(),
Solid::Device::listFromQuery()
@{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() ->
QSysInfo::bootUniqueId()
#To avoid "Unable to create io-slave." for file dialog
owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
#For KIO IO::Slave::createSlave()
owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->
/{,var/}run/user/[0-9]*/#[0-9]*,
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/secmod.db r,
# firefox < 58
owner @{HOME}/.mozilla/firefox/*/cert8.db r,
# firefox >= 58
owner @{HOME}/.mozilla/firefox/*/cert9.db r,
owner @{HOME}/.local/share/user-places.xbel r,
# there is abstractions/gnupg but that's just for gpg1...
profile gpg {
#include <abstractions/base>
/usr/bin/gpgconf rm,
/usr/bin/gpg rm,
/usr/bin/gpgsm rm,
owner @{HOME}/.gnupg/* r,
owner @{HOME}/.gnupg/random_seed rk,
}
# probably should become a subprofile like gpg above, but then it doesn't
# work either as it tries to access stuff only allowed above...
owner @{HOME}/.config/kdeglobals r,
/usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
/usr/share/qt5/translations/* r,
/usr/lib/*/qt5/plugins/** rm,
/usr/share/plasma/look-and-feel/**/contents/defaults r,
# TODO: remove when rules are available in abstractions/kde
owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used
by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for
KNotifications::sendEvent()
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages,
for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
owner @{HOME}/.config/trashrc r, # user by KFileWidget
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
# TODO: remove when rules are available in abstractions/kde-write-icon-cache
or similar
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
# TODO: remove when rules are available in abstractions/kdeframeworks5 or
similar
/usr/share/kservices5/*.protocol r,
# TODO: use qt5-settings-write abstraction when it is available
owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
owner @{HOME}/.config/QtProject.conf rw,
owner @{HOME}/.config/QtProject.conf.?????? l ->
@{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like
QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.lock rwk,
# TODO: use qt5-compose-cache-write abstraction when it is available
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
# TODO: use recent-documents-write abstraction when it is available
owner @{HOME}/.local/share/RecentDocuments/** r,
owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl ->
@{HOME}/.local/share/RecentDocuments/#[0-9]*,
owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
# TODO: use kde-globals-write abstraction when it is available
owner @{HOME}/.config/kdeglobals rw,
owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
owner @{HOME}/.config/kdeglobals.lock rwk,
}
--
To unsubscribe e-mail to: [email protected]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
