[apparmor] AppArmor profile for LibreOffice
Christian Boltz
apparmor at cboltz.de
Wed Dec 25 16:23:05 UTC 2013
Hello,
On Wednesday, 25 December 2013, Jonathan Davies wrote:
> I have created an AppArmor profile for LibreOffice and I would like to
> see it placed into the 14.04 packages.
I had a short look at it. Some notes:
> audit deny network bluetooth,
It seems this isn't allowed by any abstractions. What's the reason to
explicitly deny it?
> / r,
> owner @{HOME}/ r,
It would probably make sense to allow /home/ r or, better,
@{HOMEDIRS}/ r,
> # abstractions/private-files-strict is in force from above.
> owner @{HOME}/** rwk,
The usual "problem" of having an application with a "save as..."
dialog ;-)
I know there's some work being done on a file dialog helper (to avoid
the need for such rules), but I don't know the details or whether it's
usable already.
> deny @{HOME}/.exec* rwmx,
What's the reason for this denial? Should it be part of an abstraction
instead of having it in the profile?
> /usr/bin/bluetooth-sendto rmUx,
> /usr/bin/lpr rmUx,
> /usr/bin/paperconf rmix,
> /usr/bin/xdg-open rmUx,
I'd recommend rmPUx instead of rmUx - if someone has a profile for one
of them, it should be used.
You also have several /usr/lib/... paths - at least on openSUSE, some
parts of libreoffice are in /usr/lib64/... Therefore it would be better
to use /usr/lib*/... everywhere (including the profile name ;-)
Regards,
Christian Boltz
--
With the above reply-to via folder-hook, I'd then be in suse-linux and,
because it just occurs to me, write to my doctor that he should
send over the certificate from the last Alzheimer's test.
You'd like that, wouldn't you ;) [Maik Holtkamp in suse-linux]
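
A small checker for the patterns this review raises (bare Ux exec modes, hard-coded /usr/lib/ paths, @{HOME}/ listed without @{HOMEDIRS}/), added here as an example; it is not part of the thread or of AppArmor's own tooling. The profile name and the /usr/lib/ rule in the sample are constructed, since the thread elides the real paths, and `lint_profile` is a hypothetical name.

```python
import re

# Constructed sample: the rules quoted in the review, plus a hypothetical
# profile name and /usr/lib/ rule (the thread does not show the real paths).
SAMPLE_PROFILE = """\
/usr/lib/libreoffice/program/soffice.bin {
  audit deny network bluetooth,
  / r,
  owner @{HOME}/ r,
  # abstractions/private-files-strict is in force from above.
  owner @{HOME}/** rwk,
  deny @{HOME}/.exec* rwmx,
  /usr/bin/bluetooth-sendto rmUx,
  /usr/bin/lpr rmUx,
  /usr/bin/paperconf rmix,
  /usr/bin/xdg-open rmUx,
  /usr/lib/libreoffice/program/** r,
}
"""

# File rule: optional qualifiers, a path, a permission string, a comma.
FILE_RULE = re.compile(r"^(?:audit\s+)?(?:deny\s+)?(?:owner\s+)?([/@]\S*)\s+([A-Za-z]+),$")

def lint_profile(text):
    """Return (line, code, hint) for each pattern the review comments on."""
    findings, home_line, homedirs = [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        # Hard-coded lib directory, in a rule or in the profile name.
        if re.search(r"(?:^|\s)/usr/lib/", line):
            findings.append((lineno, "LIBDIR", "use /usr/lib*/ to cover /usr/lib64/"))
        m = FILE_RULE.match(line)
        if not m:
            continue
        path, perms = m.groups()
        # Bare Ux/ux ignores any profile the target has; PUx/pux prefers one.
        if re.search(r"(?<![PpCc])[Uu]x", perms):
            fixed = perms.replace("Ux", "PUx").replace("ux", "pux")
            findings.append((lineno, "UNCONFINED_EXEC", f"{path} {perms} -> {fixed}"))
        if path == "@{HOME}/" and "r" in perms:
            home_line = lineno
        homedirs = homedirs or path == "@{HOMEDIRS}/"
    if home_line and not homedirs:
        findings.append((home_line, "HOMEDIRS", "consider @{HOMEDIRS}/ r,"))
    return findings

if __name__ == "__main__":
    for lineno, code, hint in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {code}: {hint}")
```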