[apparmor] New LibreOffice Profile

Bryan Quigley bryan.quigley at canonical.com
Fri Feb 27 15:13:30 UTC 2015 

Thanks for the detailed review!  I'm going to adapt the suggested
changes and then return (after another round of testing).

Kind regards,
Bryan

On Thu, Feb 26, 2015 at 11:45 AM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> Am Donnerstag, 5. Februar 2015 schrieb Bryan Quigley:
>> I've taken a few stabs (and followed a few others) at creating a
>> useful LibreOffice profile (attached, previous iterations[1]).
>>
>> This profile should not be turned on by default because:
>
> That means it should probably live in the extra profiles directory, with
> the disadvantage that not too many people look into it or use it.
>
>> Will not open a file without an known extension
>> Will not open rw a file if it's not under /media or /home.
>
> That doesn't match your soffice.bin profile, see below for a possible
> solution.
>
>> The permissions are quite lenient (due to file selector) but I believe
>> it still provides advantages.
>
> Indeed, the soffice.bin comes with an impressive collection of
> abstractions and other permissions. (I hope you have good reasons for
> each of them ;-)
>
> Maybe you should add a comment explaining exactly that:
>     "What this profile will / will not do"
>
>> [1] https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1284507
>
> To answer your follow-up first - it seems most people are currently too
> busy to review patches. I'm suffering from that myself - as you probably
> noticed, I have some patches pending without feedback...
>
> Anyway, I just looked at your profiles.
>
> The xpdfimport looks good.
>
> Just to be sure - does it really only need write access to temp files?
>
> Nitpicking:
> - if the tempfiles use a defined name scheme (for example
>   /tmp/xpdfimport.*), you should use that (with "owner" keyword) instead
>   of abstractions/user-tmp
> - OTOH, instead of all the /lib* and /usr/lib* permissions, you could
>   use the slightly more permissive abstractions/base to simplify
>   the profile
>
>
> The soffice.bin profile is a bit more interesting ;-)
>
>   /**.[hH][tT][mM]?     rwk,  # html, htm, etc
>   /**.[xX][hH][tT][mM]? rwk,  # x^
>
> This doesn't match the comment - the rules will match *.html and *.xhtml
> (and also *.htma, which you probably don't want), but not *.htm and
> *.xhtm.
>
> You can merge both lines into
>   /**.{,x,X}[hH][tT][mM]{,l,L}   rwk,   # htm, html, xhtm, xhtml
> or add separate lines to have it more readable)
>
>   /**.[pP][nN][gG]? rw,
>   /**.[sS][vV][gG]? rw,
>
> Those mean .svgX and pngX, where X is any char. I'd guess you should
> delete the ? ;-)
>
>   /**.[dD][oO]*         rwk,
>   /**.[xX][lL]*         rwk,
>   /**.[pP][pP]*         rwk,
>   /**.[pP][oO][tT]*     rwk,
>
> might be a bit broad - if possible, replace * with a set of letters.
>
>
> Another option might be to define a variable with all those extensions,
> for example
>
> @{libreoffice_ext} = [oO][dD]? [oO][tT]?   # .od*, .ot*
> @{libreoffice_ext} += [fF][oO][dD]?   # .fod*
> @{libreoffice_ext} += [xX][mM][lL]   # .xml
>
> By using +=, you can keep the definition readable.
>
> The advantage of using a variable is that it makes the profile a bit
> more readable and even allows to restrict in which directories you allow
> write access. You could do something like
>
> /**.@{libreoffice_ext} r,   # read from everywhere and everybody
> owner @{HOME}/**.@{libreoffice_ext} rw,   # write own files in $HOME
> owner /tmp/**.@{libreoffice_ext} rw,   # ... and own files in /tmp
>
>
> That all said - I didn't find anything that looks wrong in your
> profiles, so I'm willing to commit them to the extra-profiles directory
> with the above answered and (optionally) some of my proposed changes
> included.
>
>
> Regards,
>
> Christian Boltz
> --
>> Alle Distributionen saugen - die Schmerzen sind nur *anders*
> Für die einen ist es Linux, für die anderen der flexibelste
> Schmerzbaukasten der Welt.       [> G. Doering + Oli Schad]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

More information about the AppArmor mailing list