
Bug#1004038: AppArmor: cannot save files in enforced mode (again)



Package: libreoffice-common
Version: 1:7.3.0~rc2-2
Severity: normal
Tags: upstream

Dear Maintainer,

Looks like bug #905442 is back. We need a rule with eight (and more) question
marks: in the denial below the part between "lu" and ".tmp" is only eight
characters, which the current profile's "lu" patterns do not cover:

type=AVC msg=audit(1642615553.674:2636): apparmor="DENIED"
operation="mknod" profile="libreoffice-soffice"
name="/home/vincas/Darbastalis/lu7600dk8g.tmp" pid=7600
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000 FSUID="vincas" OUID="vincas"

This one rule should do the trick (each "?" matches exactly one character, so it
covers suffixes of 8 to 12 characters after "lu"):

owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk,

It would be nice to find the code that generates these temporary names and see
what length range is actually used, so the rule grants no more than needed
(it is still limited to owner-matched files under @{libo_user_dirs}, but a
wide "lu*.tmp" pattern is broader than a confirmed range)...

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreoffice-common depends on:
ii  libnumbertext-data         1.0.8-1
ii  libreoffice-style-colibre  1:7.3.0~rc2-2
ii  ucf                        3.0043
ii  ure                        1:7.3.0~rc2-2

Versions of packages libreoffice-common recommends:
ii  apparmor            3.0.3-6
ii  fonts-liberation2   2.1.5-1
ii  libexttextcat-data  3.4.5-1
ii  poppler-data        0.4.11-1
ii  python3-uno         1:7.3.0~rc2-2
ii  xdg-utils           1.1.3-4.1

Versions of packages libreoffice-common suggests:
ii  libreoffice-style-breeze [libreoffice-style]   1:7.3.0~rc2-2
ii  libreoffice-style-colibre [libreoffice-style]  1:7.3.0~rc2-2

Versions of packages python3-uno depends on:
ii  libc6                    2.33-3
ii  libgcc-s1                11.2.0-14
ii  libpython3.9             3.9.10-1
ii  libreoffice-core         1:7.3.0~rc2-2
ii  libstdc++6               11.2.0-14
ii  libuno-cppu3             1:7.3.0~rc2-2
ii  libuno-cppuhelpergcc3-3  1:7.3.0~rc2-2
ii  libuno-sal3              1:7.3.0~rc2-2
ii  libuno-salhelpergcc3-3   1:7.3.0~rc2-2
ii  python3                  3.9.8-1
ii  python3.9                3.9.10-1
ii  ucf                      3.0043
ii  uno-libs-private         1:7.3.0~rc2-2

-- Configuration Files:
/etc/apparmor.d/usr.lib.libreoffice.program.oosplash changed:
# Launcher/splash wrapper for LibreOffice. Mostly read-only; the only
# exec transitions are to javaldx and to soffice.bin (the main profile).
profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash {
  #include <abstractions/base>
  #include <abstractions/X>
  /etc/libreoffice/                     r,
  /etc/libreoffice/**                   r,
  /etc/passwd                           r,
  /etc/nsswitch.conf                    r,
  /run/nscd/passwd                      r,
  /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational  r, # for isRotational() in desktop/unx/source/pagein.c
  # 'pux': run under a dedicated profile if one is loaded, otherwise
  # unconfined. Lowercase means the environment is NOT scrubbed on the
  # transition (e.g. LD_PRELOAD is passed through); 'PUx' would scrub it.
  # NOTE(review): confirm javaldx really needs the inherited environment.
  /usr/lib{,32,64}/ure/bin/javaldx      rmpux,
  /usr/share/libreoffice/program/*      r,
  /usr/lib/libreoffice/program/** 			r,
  # 'px': transition to the separate libreoffice-soffice profile (no
  # environment scrubbing, same caveat as above).
  /usr/lib/libreoffice/program/soffice.bin rmpx,
  /usr/lib/libreoffice/program/javaldx rmpux,
  owner @{HOME}/.Xauthority             r,
  owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
  # Abstract unix sockets of the session (ICE) and X server; the peer
  # must be unconfined, which is how a normal session runs these.
  unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
  unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
}

/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin changed:
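# Case-insensitive document extensions that the soffice profile below may
# open read/write (see the owner @{libo_user_dirs}/**.@{libreoffice_ext}
# rule). A file whose extension is not listed here can be listed in the
# file chooser but not opened for writing, so this list is the main
# document-access control of the profile.
@{libreoffice_ext} = [tT][xX][tT]
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
@{libreoffice_ext} += [xX][mMsS][lL]
@{libreoffice_ext} += [pP][dD][fF]
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
@{libreoffice_ext} += [eE][pP][uU][bB]
@{libreoffice_ext} += [pP][sS]
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
# Fixed: a stray "99251" after [zZ] meant only "*.svgz99251" matched and
# real .svgz files were never writable.
@{libreoffice_ext} += [sS][vV][gG][zZ]
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
@{libreoffice_ext} += [xX][lL][wW]
@{libreoffice_ext} += [dD][iIbB][fF]
@{libreoffice_ext} += [cCtT][sS][vV]
@{libreoffice_ext} += [sS][lL][kK]
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
@{libreoffice_ext} += [pP][sS][dD]
@{libreoffice_ext} += [mM][mM][lL]
# Directory trees that may hold user documents. Every rule that uses this
# variable is also 'owner'-qualified, so only files owned by the running
# user's fsuid match.
@{libo_user_dirs} = @{HOME} /mnt /media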
# Main profile for soffice.bin. Document access is limited to owner-matched
# paths under @{libo_user_dirs} with an extension from @{libreoffice_ext},
# plus LibreOffice's own lock-file and "lu*.tmp" save-temp patterns. gpg
# and gpgsm run in the 'gpg' child profile defined at the end.
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin {
  # private-files restricts access to sensitive dotfiles; it is the only
  # restrictive abstraction in this list, the rest grant access.
  #include <abstractions/private-files>
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dri-enumerate>
  #include <abstractions/mesa>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/gnome>
  #include <abstractions/python>
  #include <abstractions/p11-kit>
  #include <abstractions/user-tmp>
  #include <abstractions/opencl-intel>
  #include <abstractions/opencl-mesa>
  #include <abstractions/opencl-nvidia>
  #List directories for file browser
  # A trailing '/' matches directories only: this is directory enumeration
  # anywhere on the system, not read access to file contents.
  /                                     r,
  /**/                                  r,
  owner @{libo_user_dirs}/**/           rw,  #allow creating directories that we own
  owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
  # The extension list is the gate for opening documents for writing.
  owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts
  # Each '?' is exactly one character. NOTE(review): the three rules below
  # overlap -- the "lu????????{,?,??,???,????}" form (8..12 characters)
  # already subsumes the 11..12 and 10..12 forms; one rule would do.
  owner @{libo_user_dirs}/{,**/}lu???????????{,?}.tmp rwk, #Temporary file used when saving
  owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk, #Temporary file used when saving
  owner @{libo_user_dirs}/{,**/}lu??????????{,?,??}.tmp rwk, #Temporary file used when saving
  owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
  # Settings
  /etc/libreoffice/                     r,
  /etc/libreoffice/**                   r,
  /etc/cups/ppd/*.ppd                   r,
  /etc/xml/catalog                      r, #exporting to .xhtml, for libxml2
  # Not owner-qualified: the status of every process on the system is readable.
  /proc/*/status                        r,
  owner @{HOME}/.config/libreoffice{,dev}/** rwk,
  # 'l ->' restricts link targets to the "#<digits>" temp names, the usual
  # atomic-save pattern (presumably glib/Qt style; verify against caller).
  owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/soffice.binrc.lock rwk,
  owner @{HOME}/.cache/fontconfig/**    rw,
  owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
  owner /{,var/}run/user/*/dconf/user   rw,
  owner @{HOME}/.config/dconf/user      r,
  # allow schema to be read
  /usr/share/glib-*/schemas/            r,
  /usr/share/glib-*/schemas/**          r,
  # bluetooth send to
  network bluetooth,
  # 'ix': the shells and rm inherit this profile, so they cannot escape
  # confinement, but anything they spawn gets soffice's full rule set.
  /{usr/,}bin/sh                        rmix,
  /{usr/,}bin/bash                      rmix,
  /{usr/,}bin/dash                      rmix,
  /{usr/,}bin/rm                        rmix, #deleting /tmp/psp1534203998 (printing to file)
  # 'PUx': own profile if one is loaded, else unconfined, with the
  # environment scrubbed on transition.
  /usr/bin/bluetooth-sendto             rmPUx,
  /usr/bin/lpr                          rmPUx,
  /usr/bin/paperconf                    rmix,
  /usr/bin/gpgconf                      rmix,
  # 'Cx -> gpg': transition into the 'gpg' child profile defined below.
  /usr/bin/gpg                          rmCx -> gpg,
  /usr/bin/gpgsm                        rmCx -> gpg,
  # These key managers inherit the parent profile. NOTE(review): the parent
  # has no @{HOME}/.gnupg rules of its own (only the child profile does), so
  # it is unclear they can do anything useful when launched from here.
  /usr/bin/gpa                          rix,
  /usr/bin/seahorse                     rix,
  /usr/bin/kgpg                         rix,
  /usr/bin/kleopatra                    rix,
  /dev/tty                              rw,
  /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner   rmPUx,
  owner @{HOME}/.cache/gstreamer-???/**                                 rw,
  unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),  #Gstreamer doesn't work without this
  /usr/lib{,32,64}/jvm/                         r,
  /usr/lib{,32,64}/jvm/**                       r,
  # 'mix': the JVM is mmap-executed and inherits this profile.
  /usr/lib{,32,64}/jvm/**/jre/bin/java          mix,
  /usr/lib{,32,64}/jvm/**/bin/java              mix,
  # should be included in the jvm/** above but there it is
  # a symlink, so apparmor still doesn't allow it...
  /etc/java-??-openjdk/security/java.security   r,
  # NOTE(review): 'rw' on the whole install tree is wider than a user
  # session needs. DAC normally blocks the write for an unprivileged user,
  # but the profile should not rely on that; 'r' plus explicit write
  # paths would be tighter. Exec/mmap rights are granted separately below.
  /usr/lib/libreoffice/**                        rw,
  /usr/lib/libreoffice/**.so                     m,
  /usr/lib/libreoffice/program/soffice.bin       mix,
  # 'px': separate profiles for these helpers, no environment scrubbing.
  /usr/lib/libreoffice/program/xpdfimport        px,
  /usr/lib/libreoffice/program/senddoc           px,
  # xdg-open hands URLs/files to whatever handler is registered; it leaves
  # confinement (unconfined unless it has its own profile), env scrubbed.
  /usr/bin/xdg-open                 rPUx,
  /usr/share/java/**.jar                r,
  /usr/share/hunspell/                  r,
  /usr/share/hunspell/**                r,
  /usr/share/hyphen/                    r,
  /usr/share/hyphen/**                  r,
  /usr/share/mythes/                    r,
  /usr/share/mythes/**                  r,
  /usr/share/liblangtag/                r,
  /usr/share/liblangtag/**              r,
  /usr/share/libreoffice/               r,
  /usr/share/libreoffice/**             r,
  /usr/share/yelp-xsl/xslt/mallard/**   r,
  /usr/share/libexttextcat/*            r,
  /usr/share/icu/**                     r,
  /usr/share/locale-bundle/*            r,
  # Not owner-qualified: shared spool, writable regardless of file owner.
  /var/spool/libreoffice/               r,
  /var/spool/libreoffice/**             rw,
  /var/cache/fontconfig/                rw,
  #Likely moving to abstractions in the future
  owner @{HOME}/.icons/*/cursors/*      r,
  /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
  /usr/share/*-fonts/conf.avail/*.conf  r,
  /usr/share/fonts-config/conf.avail/*.conf r,
  /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
  /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
  @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
  #To avoid "Unable to create io-slave." for file dialog
  owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
  #For KIO IO::Slave::createSlave()
  owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
  # Read-only access to the Firefox NSS databases (presumably for the
  # certificate store used by document signing -- verify); no write rules.
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/secmod.db r,
  # firefox < 58
  owner @{HOME}/.mozilla/firefox/*/cert8.db r,
  # firefox >= 58
  owner @{HOME}/.mozilla/firefox/*/cert9.db r,
  owner @{HOME}/.local/share/user-places.xbel r,
  # there is abstractions/gnupg but that's just for gpg1...
  # Child profile entered via the 'Cx -> gpg' rules above. It gets only the
  # base abstraction, the three binaries, and the keyring paths below; the
  # parent's document rules do not apply here.
  profile gpg {
    #include <abstractions/base>
   /usr/bin/gpgconf rm,
   /usr/bin/gpg rm,
   /usr/bin/gpgsm rm,
    # '*' does not cross directories: this covers files directly under
    # ~/.gnupg (which includes any legacy keyring files stored there),
    # not the private-keys-v1.d/ subtree.
    owner @{HOME}/.gnupg/* r,
    owner @{HOME}/.gnupg/random_seed rk,
    owner @{HOME}/.gnupg/tofu.db rwk,
  }
  # probably should become a subprofile like gpg above, but then it doesn't
  # work either as it tries to access stuff only allowed above...
  # NOTE(review): redundant -- kdeglobals is granted 'rw' further down.
  owner @{HOME}/.config/kdeglobals r,
  /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
  /usr/share/qt5/translations/* r,
  /usr/lib/*/qt5/plugins/** rm,
  /usr/share/plasma/look-and-feel/**/contents/defaults r,
  # TODO: remove when rules are available in abstractions/kde
  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
  owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
  owner @{HOME}/.config/trashrc r, # used by KFileWidget
  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
  # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
  # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
  /usr/share/kservices5/*.protocol r,
  # TODO: use qt5-settings-write abstraction when it is available
  # Exactly eight digits: the temp-file name shape Qt uses for atomic saves.
  owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
  owner @{HOME}/.config/QtProject.conf rw,
  owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
  owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
  owner @{HOME}/.config/QtProject.conf.lock rwk,
  # TODO: use qt5-compose-cache-write abstraction when it is available
  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
  # TODO: use recent-documents-write abstraction when it is available
  owner @{HOME}/.local/share/RecentDocuments/** r,
  owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
  owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
  owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
  # TODO: use kde-globals-write abstraction when it is available
  owner @{HOME}/.config/kdeglobals rw,
  owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/kdeglobals.lock rwk,
}


-- no debconf information

