AppArmor profile of LibreOffice

Gys

AppArmor profile of LibreOffice

Hi,
in my Linux Mint Tara aa-status lists 3 profiles related to LibreOffice :

libreoffice-xpdfimport (enforce)
libreoffice-senddoc (enforce)
libreoffice-oopslash (complain)

In the kernel log libreoffice-oopslash is complaining about a lot of
things.

Both the program and the profile in Nemo are oosplash

/usr/lib/libreoffice/program/oosplash
/etc/apparmor.d/usr.lib.libreoffice.program.oosplash

Searching for oopslash in / in Nemo gives no results

Questions
1) Is the "p" and "s" reversal a typo ?

2) Why is there no profile for /usr/lib/libreoffice/program/soffice.bin ?

3) Is there anyone here with a working AppArmor profile for LibreOffice
and would you be so kind to share ?

4) I looked on-line but could not find an updated AppArmor profile for
LibreOffice or even the profile shipped with Version: 6.0.7.3
Build ID: 1:6.0.7-0ubuntu0.18.04.10 (?)

Thx
Gys


--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
libreoffice-ml.mbourne

Re: AppArmor profile of LibreOffice

I don't know all that much about configuring AppArmor, but for what it's
worth for me on Linux Mint Sylvia 18.3 (still supported, although older
than your Tara 19.0) using the LibreOffice PPA for its newer versions of
LibreOffice (currently 6.2.8)...

Gys wrote:
> Hi,
> in my Linux Mint Tara aa-status lists 3 profiles related to LibreOffice :
>
> libreoffice-xpdfimport (enforce)
> libreoffice-senddoc (enforce)
> libreoffice-oopslash (complain)

I have:
    libreoffice-senddoc (enforce)
    libreoffice-soffice//gpg (enforce)
    libreoffice-xpdfimport (enforce)
    libreoffice-oopslash (complain)
    libreoffice-soffice (complain)

> In the kernel log libreoffice-oopslash is complaining about a lot of
> things.

Looking at my logs from the last week, I see a few "audit" messages
relating to libreoffice-soffice and libreoffice-oopslash.  Looks like a
cluster of about 10 entries for libreoffice-soffice each time I start
LibreOffice, with a few others for soffice and oopslash in between - but
I don't tend to be using it continuously for hours on end.

> Both the program and the profile in Nemo are oosplash
>
> /usr/lib/libreoffice/program/oosplash
> /etc/apparmor.d/usr.lib.libreoffice.program.oosplash
>
> Searching for oopslash in / in Nemo gives no results
>
> Questions
> 1) Is the "p" and "s" reversal a typo ?

As mentioned at the start, I'm no expert on AppArmor, but it does look
suspiciously like a typo.  I guess it might only affect the displayed
name of the profile though, since the executable it applies to appears
to be correctly spelled "oosplash":
> profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {...}


> 2) Why is there no profile for /usr/lib/libreoffice/program/soffice.bin ?

For me the </etc/apparmor.d/usr.lib.libreoffice.program.*> files,
including one for soffice.bin, are provided by the libreoffice-common
package, which I've installed from the PPA.  From a quick look at the
.deb packages from libreoffice.org it doesn't look like any of them
contain AppArmor profiles, so I'd guess they're added by the Ubuntu/PPA
package maintainer.  Perhaps the PPA maintainer adds a profile for
soffice.bin while the Ubuntu one doesn't.

> 3) Is there anyone here with a working AppArmor profile for LibreOffice
> and would you be so kind to share ?

I've attached the libreoffice-soffice profile installed on my system
(with a .txt extension added - hopefully enough to get it through the
mailing list).  No guarantee it will work with your version though. It
does say in comments near the top:
> # This profile should enable the average LibreOffice user to get their
> # work done while blocking some advanced usage
> # ...
so I guess some complaints in "complain" mode may be expected.

> 4) I looked on-line but could not find an updated AppArmor profile for
> LibreOffice or even the profile shipped with Version: 6.0.7.3
> Build ID: 1:6.0.7-0ubuntu0.18.04.10 (?)

I've no idea who actually maintains them.  From a quick look, it doesn't
look like any of the .deb files downloaded from libreoffice.org contains
AppArmor profiles, so I'm guessing they're added by the Ubuntu/PPA
package maintainer.

--
Mark.



Attachment: usr.lib.libreoffice.program.soffice.bin.txt (14K)
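Added example, not part of either post and not the shipped profiles: a small parser that maps the profile names `aa-status` displays to the executables they attach to, which is why a name such as `libreoffice-oopslash` need not match any file on disk. The sample text is constructed around the header line quoted in the reply; its rule lines, the `gpg` child header and the function names are assumptions.

```python
import re

# Header: optional "profile NAME", optional attachment path,
# optional flags=(...), then the opening brace.
HEADER = re.compile(
    r'^(?:profile\s+(?P<name>\S+)\s*)?(?P<attach>/\S*)?\s*'
    r'(?:flags=\((?P<flags>[^)]*)\))?\s*\{$'
)

# Constructed sample; only the first header line comes from the thread.
SAMPLE = """\
profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {
  /usr/lib/libreoffice/program/oosplash mr,
}
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
  owner @{HOME}/** rw,
  profile gpg {
    /usr/bin/gpg mr,
  }
}
"""

def parse_profiles(text):
    """Return (displayed name, attachment path or None, mode) per profile."""
    found, stack = [], []            # stack: names of the open blocks
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and #include
        if line == '}' and stack:
            stack.pop()
        elif line.endswith('{'):
            m = HEADER.match(line)
            name = (m['name'] or m['attach']) if m else None
            if name:
                # Child profiles are displayed as parent//child.
                full = '//'.join([n for n in stack if n] + [name])
                flags = re.split(r'[,\s]+', m['flags'] or '')
                mode = 'complain' if 'complain' in flags else 'enforce'
                found.append((full, m['attach'], mode))
            stack.append(name)       # None marks a non-profile block
    return found

def names_for_binary(text, path):
    """Profile names whose attachment is exactly `path` (no glob matching)."""
    return [n for n, attach, _ in parse_profiles(text) if attach == path]

if __name__ == '__main__':
    for name, attach, mode in parse_profiles(SAMPLE):
        print(f'{name} ({mode}) -> {attach or "no attachment"}')
```

On the sample, the child `gpg` carries no `flags=(complain)` of its own and is reported as enforce while its parent is in complain mode, consistent with the `aa-status` listing in the reply.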