Re: Re: [libreoffice-users] AppArmor profile of LibreOffice

Gys

On 10/24/19 10:41 PM, [hidden email] wrote:

> I don't know all that much about configuring AppArmor, but for what
> it's worth for me on Linux Mint Sylvia 18.3 (still supported, although
> older than your Tara 19.0) using the LibreOffice PPA for its newer
> versions of LibreOffice (currently 6.2.8)...
> Gys wrote:
>> Hi, in my Linux Mint Tara aa-status lists 3 profiles related to
>> LibreOffice : libreoffice-xpdfimport (enforce) libreoffice-senddoc
>> (enforce) libreoffice-oopslash (complain)
> I have: libreoffice-senddoc (enforce) libreoffice-soffice//gpg
> (enforce) libreoffice-xpdfimport (enforce) libreoffice-oopslash
> (complain) libreoffice-soffice (complain)
>> In the kernel log libreoffice-oopslash is complaining about a lot of
>> things.
> Looking at my logs from the last week, I see a few "audit" messages
> relating to libreoffice-soffice and libreoffice-oopslash. Looks like a
> cluster of about 10 entries for libreoffice-soffice each time I start
> LibreOffice, with a few others for soffice and oopslash in between -
> but I don't tend to be using it continuously for hours on end.
>> Both the program and the profile in Nemo is oosplash
>> usr/lib/libreoffice/program/oosplash
>> /etc/apparmor.d/usr.lib.libreoffice.program.oosplash Search oopslash
>> in / in Nemo gives no results Questions 1) Is the "p" and "s"
>> reversal a typo ?
> As mentioned at the start, I'm no expert on AppArmor, but it does look
> suspiciously like a typo. I guess it might only affect the displayed
> name of the profile though, since the executable it applies to appears
> to be correctly spelled "oosplash":
>> profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash
>> flags=(complain) {...}
>> 2) Why is there no profile for
>> /usr/lib/libreoffice/program/soffice.bin ?
> For me the </etc/apparmor.d/usr.lib.libreoffice.program.*> files,
> including one for soffice.bin, are provided by the libreoffice-common
> package, which I've installed from the PPA. From a quick look at the
> .deb packages from libreoffice.org it doesn't look like any of them
> contain AppArmor profiles, so I'd guess they're added by the
> Ubuntu/PPA package maintainer. Perhaps the PPA maintainer adds a
> profile for soffice.bin while the Ubuntu one doesn't.
>> 3) Is there anyone here with a working AppArmor profile for
>> LibreOffice and would you be so kind to share ?
> I've attached the libreoffice-soffice profile installed on my system
> (with a .txt extension added - hopefully enough to get it through the
> mailing list). No guarantee it will work with your version though. It
> does say in comments near the top:
>> # This profile should enable the average LibreOffice user to get
>> their # work done while blocking some advanced usage # ...
> so I guess some complaints in "complain" mode may be expected.
>> 4) I looked on-line but could not find an updated AppArmor profile
>> for LibreOffice or even the profile shipped with Version: 6.0.7.3
>> Build ID: 1:6.0.7-0ubuntu0.18.04.10 (?)
> I've no idea who actually maintains them. From a quick look, it
> doesn't look like any of the .deb files downloaded from
> libreoffice.org contains AppArmor profiles, so I'm guessing they're
> added by the Ubuntu/PPA package maintainer.
Hi Mark,

thank you for your kind reply. My first answer to you bounced. I don't
know why, so maybe it's here now twice.

I don't have a PPA for LibreOffice. Could you please share the link ?

I'm slowly moving to Mint from Win10 since a year ago so I'm no expert
in AppArmor either. I have studied the manual and finally got Clamd
through AppArmor.

I looked at the AppArmor manual (again) and it says indeed : "the
convention" is to name the files in that particular way. So, you are
right. If I name the file : KindlyProvidedByMark.txt it may also work. I
had a look inside my version and there is also the line :

profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash
flags=(complain)

I just changed the name of the oosplash profile to adhere to the
AppArmor convention.

I have been looking at all kind of LibreOffice sources. You are right, I
should have looked at the package distributors. I found a lot of
#tickets about the AA-confinement there. I'm now thinking that this
subject is so complicated that I wonder if it really adds to the
security of my machine if I change it myself and maybe the best option
is to wait for the update from the package distributors which will
include an update for the AA-profile (I hope)

I'm using your libreoffice-soffice profile for a few days now. The
complaint : "denied soffice is unconfined" has disappeared with a lot of
other ones. In the last days I have not seen any complaints pertaining to
LibreOffice. In the meantime I think I will just ignore further
LibreOffice complaints.

Your libreoffice-soffice profile made it through this mailing list. It
is now also in the list archive. Which is nice for future reference.

Thx again Gys


--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
libreoffice-ml.mbourne

Re: AppArmor profile of LibreOffice

> On 10/24/19 10:41 PM, [hidden email] wrote:
>> I don't know all that much about configuring AppArmor, but for what
>> it's worth for me on Linux Mint Sylvia 18.3 (still supported, although
>> older than your Tara 19.0) using the LibreOffice PPA for its newer
>> versions of LibreOffice (currently 6.2.8)...
>> Gys wrote:
<snipped>

>>> Both the program and the profile in Nemo is oosplash
>>> usr/lib/libreoffice/program/oosplash
>>> /etc/apparmor.d/usr.lib.libreoffice.program.oosplash Search oopslash
>>> in / in Nemo gives no results Questions 1) Is the "p" and "s"
>>> reversal a typo ?
>> As mentioned at the start, I'm no expert on AppArmor, but it does look
>> suspiciously like a typo. I guess it might only affect the displayed
>> name of the profile though, since the executable it applies to appears
>> to be correctly spelled "oosplash":
>>> profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash
>>> flags=(complain) {...}
>>> 2) Why is there no profile for
>>> /usr/lib/libreoffice/program/soffice.bin ?
>> For me the </etc/apparmor.d/usr.lib.libreoffice.program.*> files,
>> including one for soffice.bin, are provided by the libreoffice-common
>> package, which I've installed from the PPA. From a quick look at the
>> .deb packages from libreoffice.org it doesn't look like any of them
>> contain AppArmor profiles, so I'd guess they're added by the
>> Ubuntu/PPA package maintainer. Perhaps the PPA maintainer adds a
>> profile for soffice.bin while the Ubuntu one doesn't.
>>> 3) Is there anyone here with a working AppArmor profile for
>>> LibreOffice and would you be so kind to share ?
>> I've attached the libreoffice-soffice profile installed on my system
>> (with a .txt extension added - hopefully enough to get it through the
>> mailing list). No guarantee it will work with your version though. It
>> does say in comments near the top:
>>> # This profile should enable the average LibreOffice user to get
>>> their # work done while blocking some advanced usage # ...
>> so I guess some complaints in "complain" mode may be expected.
>>> 4) I looked on-line but could not find an updated AppArmor profile
>>> for LibreOffice or even the profile shipped with Version: 6.0.7.3
>>> Build ID: 1:6.0.7-0ubuntu0.18.04.10 (?)
>> I've no idea who actually maintains them. From a quick look, it
>> doesn't look like any of the .deb files downloaded from
>> libreoffice.org contains AppArmor profiles, so I'm guessing they're
>> added by the Ubuntu/PPA package maintainer.

Gys wrote:
> Hi Mark,
>
> thank you for your kind reply. My first answer to you bounced. I don't
> know why, so maybe it's here now twice.

No problem.  I did get previous replies on 27th and yesterday; just been
a bit busy the last couple of days.  Not sure why it would have bounced,
but sending to the list is better anyway since others can see the
discussion.

> I don't have a PPA for LibreOffice. Could you please share the link ?

The LibreOffice PPA is at
<https://launchpad.net/~libreoffice/+archive/ubuntu/ppa>.  It's worth
reading through the description.  This will give you the latest "fresh"
version of LibreOffice.  That page also lists some alternative PPAs for
specific series (6.3, 6.2, etc.) but if you choose to use one of those I
think you'll stop getting updates after the last update to that series.

See the "Adding this PPA to your system" section for how to add it.  The
usual package/update managers should then pick up the newer versions
from that PPA.

> I'm slowly moving to Mint from Win10 since a year ago so I'm no expert
> in AppArmor either. I have studied the manual and finally got Clamd
> through AppArmor.

No worries - it sounded like you knew quite a bit about it.  In case
you're not aware, Mint is based on Ubuntu so don't be put off by the PPA
referring to Ubuntu a lot.

> I looked at the AppArmor manual (again) and it says indeed : "the
> convention" is to name the files in that particular way. So, you are
> right. If I name the file : KindlyProvidedByMark.txt it may also work. I
> had a look inside my version and there is also the line :
>
> profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash
> flags=(complain)
>
> I just changed the name of the oosplash profile to adhere to the
> AppArmor convention.
>
> I have been looking at all kind of LibreOffice sources. You are right, I
> should have looked at the package distributors. I found a lot of
> #tickets about the AA-confinement there. I'm now thinking that this
> subject is so complicated that I wonder if it really adds to the
> security of my machine if I change it myself and maybe the best option
> is to wait for the update from the package distributors which will
> include an update for the AA-profile (I hope)

As far as I can tell, the profile name is just a name and doesn't look
like it would make much difference to security.  From that perspective,
you're probably better off using the profiles as provided by the
package, despite the typo, since then you'll get updates which might
actually improve security.

There doesn't seem to be a bug open on the PPA to correct this typo, and
I can't find an option to report one (even having created an account on
Launchpad...) so it's not likely to be corrected unless someone there
notices.

> I'm using your libreoffice-soffice profile for a few days now. The
> complaint : "denied soffice is unconfined" has disappeared with a lot of
> other ones. In the last days I have not seen any complaints pertaining to
> LibreOffice. In the meantime I think I will just ignore further
> LibreOffice complaints.

Of course, just copying this onto your system it won't get updated at
all.  If you don't want to maintain updates to it yourself, again you're
probably better off using the profile provided by your package (whether
that's the Ubuntu or PPA package).

--
Mark.
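
The distinction discussed in this thread, between a profile's name and the executable path it attaches to, can be checked mechanically. The following is an added example, not part of the original messages and not code from LibreOffice or the package maintainers; `parse_headers` and the second sample line are assumptions made for illustration, and "no complain flag means enforce" is a simplification.

```python
import posixpath
import re

# Constructed sample. Line 1 is the header quoted in the thread; line 2 is a
# constructed header in the older form where the path doubles as the name.
SAMPLE = """\
profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) {
/usr/lib/libreoffice/program/xpdfimport {
"""

# Header forms handled: "profile NAME [ATTACHMENT] [flags=(...)] {"
# and "ATTACHMENT [flags=(...)] {".
HEADER = re.compile(
    r"^\s*(?:profile\s+(?P<name>\S+)\s+)?(?P<attach>/\S+)?\s*"
    r"(?:flags=\((?P<flags>[^)]*)\))?\s*\{"
)

def parse_headers(text):
    """Return one dict per profile header found in `text`."""
    found = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m or not (m["name"] or m["attach"]):
            continue  # not a profile header
        name, attach = m["name"], m["attach"]
        if attach is None and name.startswith("/"):
            attach = name          # "profile /path {": the name is the attachment
        if name is None:
            name = attach          # "/path {": the attachment is the name
        flags = [f for f in re.split(r"[,\s]+", m["flags"] or "") if f]
        binary = posixpath.basename(attach) if attach else None
        found.append({
            "name": name,                  # label shown by aa-status and in logs
            "attachment": attach,          # path that decides which binary is confined
            "mode": "complain" if "complain" in flags else "enforce",
            # False when the label does not contain the binary's file name,
            # as with "oopslash" versus "oosplash".
            "name_matches_binary": bool(binary) and binary in name,
        })
    return found

if __name__ == "__main__":
    for p in parse_headers(SAMPLE):
        print(p)
```

Run against the files under `/etc/apparmor.d/`, a `False` in `name_matches_binary` marks profiles whose log label will not match the binary name a user would search for.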

