Hi,
On 15.03.26 at 12:35, Simon McVittie wrote:
> On Sat, 14 Mar 2026 at 22:30:10 +0100, Rene Engelhard wrote:
>> 28 profiles are in complain mode.
>> libreoffice-oosplash
>> libreoffice-soffice
>> libreoffice-soffice//null-/usr/bin/bwrap
>> libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
>> libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
> I believe the profiles with "//null-" in their names are automatically
> synthesized by complain mode: libreoffice doesn't have a rule allowing it to run
> /usr/bin/bwrap or /usr/libexec/glycin-loaders/**, but the absence of such a rule would
> prevent it from working, defeating the purpose of complain mode, therefore AppArmor
> synthesizes a blank profile in complain mode for them and behaves as though libreoffice's
> profile allowed a transition to that new profile.

Hmm.
Interesting. Makes sense.

>> IMHO aa-disable is a bad idea for a warning.
>> There is a reason some profiles are kept in enforcing.
> Sure, but libreoffice's profile isn't enforcing,

Some profiles are:
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport

> so its only purpose is to generate warnings, and it will never actually prevent anything. (This is not necessarily a bad thing - I did the same for some games - but it does limit its value.)

Yeah, the value is limited for soffice(.bin)/oosplash itself, indeed.
Regards,
Rene
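
The naming pattern discussed in this message, as an added example that is not part of the original thread or of AppArmor's own tooling: it splits profile names into declared children and "//null-" learning profiles, so an admin can see which executables a complain-mode profile ran without a matching exec rule. The function names and the SAMPLE dict are constructed for illustration, using only the profile names and modes quoted above; collecting the names (for instance from aa-status) is assumed to happen elsewhere.

```python
from collections import defaultdict

NULL_MARK = "//null-"

# Constructed sample: the profile names and modes quoted in the thread.
SAMPLE = {
    "libreoffice-oosplash": "complain",
    "libreoffice-soffice": "complain",
    "libreoffice-soffice//null-/usr/bin/bwrap": "complain",
    "libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs": "complain",
    "libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg": "complain",
    "libreoffice-senddoc": "enforce",
    "libreoffice-soffice//gpg": "enforce",
    "libreoffice-xpdfimport": "enforce",
}


def split_profile(name):
    """Return (parent, kind, target) where kind is 'top', 'child' or 'null'."""
    if NULL_MARK in name:
        # If markers nest, the last one names the most recent exec.
        parent, target = name.rsplit(NULL_MARK, 1)
        return parent, "null", target
    if "//" in name:
        # Declared child profile such as libreoffice-soffice//gpg.
        parent, child = name.rsplit("//", 1)
        return parent, "child", child
    return name, "top", None


def execs_without_rule(profiles):
    """Map each parent profile to the executables that got a learning profile."""
    missing = defaultdict(list)
    for name in sorted(profiles):
        parent, kind, target = split_profile(name)
        if kind == "null":
            missing[parent].append(target)
    return dict(missing)


if __name__ == "__main__":
    for parent, targets in execs_without_rule(SAMPLE).items():
        print(f"{parent} ({SAMPLE.get(parent, 'unknown')} mode) has no exec rule for:")
        for target in targets:
            print(f"  {target}")
```

Each path it reports is a candidate for an explicit exec rule in the parent profile before that profile could be moved to enforce mode.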