[apparmor] AppArmor profile for LibreOffice
Jonathan Davies
jonathan.davies at canonical.com
Wed Dec 25 22:12:04 UTC 2013
Hello,
On 25/12/2013 16:23, Christian Boltz wrote:
> Am Mittwoch, 25. Dezember 2013 schrieb Jonathan Davies:
>> I have created an AppArmor profile for LibreOffice and I would like to
>> see it placed into the 14.04 packages.
>
> I had a short look at it. Some notes:
>
>> audit deny network bluetooth,
>
> It seems this isn't allowed by any abstractions. What's the reason to
> explicitly deny it?
I didn't want LibreOffice to talk on bluetooth, and it seems to open up
a service there by default.
>> / r,
>> owner @{HOME}/ r,
>
> It would probably make sense to allow /home/ r or, better,
> @{HOMEDIRS}/ r,
True, committed.
>> # abstractions/private-files-strict is in force from above.
>> owner @{HOME}/** rwk,
>
> The usual "problem" of having an application with a "save as..."
> dialog ;-)
>
> I know there's some work done on a file dialog helper going (to avoid
> the need for such rules), but I don't know the details and if it's
> useable already.
I don't see an issue here - I'm allowing full access to the home folder
of the user, while private-files-strict is disallowing access to places
such as ~/.{ssh,gnupg,mozilla}/*, etc. Try opening or saving a file
there and you'll find that access is denied.
>> deny @{HOME}/.exec* rwmx,
>
> What's the reason for this denial? Should it be part of an abstraction
> instead of having it in the profile?
LibreOffice seems to try to write to these files but does nothing with
them - so I decided to block it.
>> /usr/bin/bluetooth-sendto rmUx,
>> /usr/bin/lpr rmUx,
>> /usr/bin/paperconf rmix,
>> /usr/bin/xdg-open rmUx,
>
> I'd recommend rmPUx instead of rmUx - if someone has a profile for one
> of them, it should be used.
Someone needs to update the manpage, it says that this kind of mode
mixing is incompatible.
> You also have several /usr/lib/... paths - at least on openSUSE, some
> parts of libreoffice are in /usr/lib64/... Therefore it would be better
> to use /usr/lib*/... everywhere (including the profile name ;-)
Done, thanks.
--
Jonathan Davies | Canonical Ltd.
www.canonical.com | www.ubuntu.com
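A small profile linter that encodes the three review points from this thread (bare Ux exec modes that skip an existing child profile, hard-coded /usr/lib/ paths, and a read rule on @{HOME}/ only). This is an added example, not code from the thread or from the AppArmor project; the profile text is constructed from the rules quoted above.

```python
"""Lint an AppArmor profile for the points raised in this review (added example,
not code from the thread or the AppArmor project; the profile is constructed)."""
import re

SAMPLE_PROFILE = """\
/usr/lib/libreoffice/program/soffice.bin {
  audit deny network bluetooth,
  owner @{HOME}/ r,
  /usr/bin/bluetooth-sendto rmUx,
  /usr/bin/lpr rmUx,
  /usr/bin/paperconf rmix,
  /usr/bin/xdg-open rmUx,
  /usr/lib/libreoffice/** mr,
}
"""
LIB_HINT = "use /usr/lib*/ so /usr/lib64 layouts match too"
# Exec mode ending in Ux/ux with no P in front ('rmUx' matches, 'rmPUx'/'rmix' do not).
BARE_UX = re.compile(r"^[^Pp]*[Uu]x$")

def lint_profile(text):
    """Return (line number, offending path, suggestion) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("{"):                      # profile header line
            if line.split()[0].startswith("/usr/lib/"):
                findings.append((lineno, line.split()[0], LIB_HINT))
            continue
        if not line.endswith(",") or line.startswith("#"):
            continue
        tokens = line[:-1].split()
        if len(tokens) < 2 or not tokens[-2].startswith(("/", "@{")):
            continue                                # network, capability, ... rules
        path, mode = tokens[-2], tokens[-1]
        if BARE_UX.match(mode):
            findings.append((lineno, path, "use %sP%s so an existing profile is preferred" % (mode[:-2], mode[-2:])))
        if path.startswith("/usr/lib/"):
            findings.append((lineno, path, LIB_HINT))
        if path == "@{HOME}/" and mode == "r":
            findings.append((lineno, path, "also allow @{HOMEDIRS}/ r"))
    return findings

def fix_profile(text):
    """Apply the two mechanical fixes: Ux -> PUx, /usr/lib/ -> /usr/lib*/."""
    fixed = []
    for raw in text.splitlines():
        raw = re.sub(r"(\s[^\sPp]*)([Uu]x,)$", r"\1P\2", raw)   # rmUx, -> rmPUx,
        raw = re.sub(r"(^|\s)/usr/lib/", r"\1/usr/lib*/", raw)  # * does not cross '/'
        fixed.append(raw)
    return "\n".join(fixed) + "\n"
```

Running `lint_profile(fix_profile(SAMPLE_PROFILE))` leaves only the @{HOMEDIRS} hint, which needs an extra rule rather than a rewrite.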