Bug#1004038: marked as done (AppArmor: cannot save files in enforced mode (again))

[Debian Bug Tracking System]

Your message dated Fri, 21 Jan 2022 20:35:34 +0000
with message-id <e1nb0dc-000ivr...@fasolo.debian.org>
and subject line Bug#1004038: fixed in libreoffice 1:7.3.0~rc2-3
has caused the Debian Bug report #1004038,
regarding AppArmor: cannot save files in enforced mode (again)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004038: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004038
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libreoffice-common
Version: 1:7.3.0~rc2-2
Severity: normal
Tags: upstream

Dear Maintainer,

Looks like bug #905442 is back. We need rule with eight (and more) question
marks:

type=AVC msg=audit(1642615553.674:2636): apparmor="DENIED"
operation="mknod" profile="libreoffice-soffice"
name="/home/vincas/Darbastalis/lu7600dk8g.tmp" pid=7600
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000FSUID="vincas" OUID="vincas"

This one rule should the trick:

owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk,

It would be nice to find code that generates these temporaries and see
what range is currently used...

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreoffice-common depends on:
ii  libnumbertext-data         1.0.8-1
ii  libreoffice-style-colibre  1:7.3.0~rc2-2
ii  ucf                        3.0043
ii  ure                        1:7.3.0~rc2-2

Versions of packages libreoffice-common recommends:
ii  apparmor            3.0.3-6
ii  fonts-liberation2   2.1.5-1
ii  libexttextcat-data  3.4.5-1
ii  poppler-data        0.4.11-1
ii  python3-uno         1:7.3.0~rc2-2
ii  xdg-utils           1.1.3-4.1

Versions of packages libreoffice-common suggests:
ii  libreoffice-style-breeze [libreoffice-style]   1:7.3.0~rc2-2
ii  libreoffice-style-colibre [libreoffice-style]  1:7.3.0~rc2-2

Versions of packages python3-uno depends on:
ii  libc6                    2.33-3
ii  libgcc-s1                11.2.0-14
ii  libpython3.9             3.9.10-1
ii  libreoffice-core         1:7.3.0~rc2-2
ii  libstdc++6               11.2.0-14
ii  libuno-cppu3             1:7.3.0~rc2-2
ii  libuno-cppuhelpergcc3-3  1:7.3.0~rc2-2
ii  libuno-sal3              1:7.3.0~rc2-2
ii  libuno-salhelpergcc3-3   1:7.3.0~rc2-2
ii  python3                  3.9.8-1
ii  python3.9                3.9.10-1
ii  ucf                      3.0043
ii  uno-libs-private         1:7.3.0~rc2-2

-- Configuration Files:
/etc/apparmor.d/usr.lib.libreoffice.program.oosplash changed:
profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash {
  #include <abstractions/base>
  #include <abstractions/X>
  /etc/libreoffice/                     r,
  /etc/libreoffice/**                   r,
  /etc/passwd                           r,
  /etc/nsswitch.conf                    r,
  /run/nscd/passwd                      r,
  /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational  r, # for isRotational() 
in desktop/unx/source/pagein.c
  /usr/lib{,32,64}/ure/bin/javaldx      rmpux,
  /usr/share/libreoffice/program/*      r,
  /usr/lib/libreoffice/program/**                       r,
  /usr/lib/libreoffice/program/soffice.bin rmpx,
  /usr/lib/libreoffice/program/javaldx rmpux,
  owner @{HOME}/.Xauthority             r,
  owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
  unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
  unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
}

/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin changed:
@{libreoffice_ext} = [tT][xX][tT]
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
@{libreoffice_ext} += [xX][mMsS][lL]
@{libreoffice_ext} += [pP][dD][fF]
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
@{libreoffice_ext} += [eE][pP][uU][bB]
@{libreoffice_ext} += [pP][sS]
@{libreoffice_ext} += [jJ][pP][gG]
@{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ]99251
@{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF]
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
@{libreoffice_ext} += [rR][tT][fF]
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
@{libreoffice_ext} += [xX][lL][wW]
@{libreoffice_ext} += [dD][iIbB][fF]
@{libreoffice_ext} += [cCtT][sS][vV]
@{libreoffice_ext} += [sS][lL][kK]
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
@{libreoffice_ext} += [pP][sS][dD]
@{libreoffice_ext} += [mM][mM][lL]
@{libo_user_dirs} = @{HOME} /mnt /media
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/private-files>
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dri-enumerate>
  #include <abstractions/mesa>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/gnome>
  #include <abstractions/python>
  #include <abstractions/p11-kit>
  #include <abstractions/user-tmp>
  #include <abstractions/opencl-intel>
  #include <abstractions/opencl-mesa>
  #include <abstractions/opencl-nvidia>
  #List directories for file browser
  /                                     r,
  /**/                                  r,
  owner @{libo_user_dirs}/**/           rw,  #allow creating directories that 
we own
  owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
  owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the 
right exts
  owner @{libo_user_dirs}/{,**/}lu???????????{,?}.tmp rwk, #Temporary file used 
when saving
  owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk, #Temporary 
file used when saving
  owner @{libo_user_dirs}/{,**/}lu??????????{,?,??}.tmp rwk, #Temporary file 
used when saving
  owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
  # Settings
  /etc/libreoffice/                     r,
  /etc/libreoffice/**                   r,
  /etc/cups/ppd/*.ppd                   r,
  /etc/xml/catalog                      r, #exporting to .xhtml, for libxml2
  /proc/*/status                        r,
  owner @{HOME}/.config/libreoffice{,dev}/** rwk,
  owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/soffice.binrc.lock rwk,
  owner @{HOME}/.cache/fontconfig/**    rw,
  owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
  owner /{,var/}run/user/*/dconf/user   rw,
  owner @{HOME}/.config/dconf/user      r,
  # allow schema to be read
  /usr/share/glib-*/schemas/            r,
  /usr/share/glib-*/schemas/**          r,
  # bluetooth send to
  network bluetooth,
  /{usr/,}bin/sh                        rmix,
  /{usr/,}bin/bash                      rmix,
  /{usr/,}bin/dash                      rmix,
  /{usr/,}bin/rm                        rmix, #deleting /tmp/psp1534203998 
(printing to file)
  /usr/bin/bluetooth-sendto             rmPUx,
  /usr/bin/lpr                          rmPUx,
  /usr/bin/paperconf                    rmix,
  /usr/bin/gpgconf                      rmix,
  /usr/bin/gpg                          rmCx -> gpg,
  /usr/bin/gpgsm                        rmCx -> gpg,
  /usr/bin/gpa                          rix,
  /usr/bin/seahorse                     rix,
  /usr/bin/kgpg                         rix,
  /usr/bin/kleopatra                    rix,
  /dev/tty                              rw,
  /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner   
rmPUx,
  owner @{HOME}/.cache/gstreamer-???/**                                 rw,
  unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),  #Gstreamer doesn't work 
without this
  /usr/lib{,32,64}/jvm/                         r,
  /usr/lib{,32,64}/jvm/**                       r,
  /usr/lib{,32,64}/jvm/**/jre/bin/java          mix,
  /usr/lib{,32,64}/jvm/**/bin/java              mix,
  # should be included in the jvm/** above but there it is
  # a symlink, so apparmor still doesn't allow it...
  /etc/java-??-openjdk/security/java.security   r,
  /usr/lib/libreoffice/**                        rw,
  /usr/lib/libreoffice/**.so                     m,
  /usr/lib/libreoffice/program/soffice.bin       mix,
  /usr/lib/libreoffice/program/xpdfimport        px,
  /usr/lib/libreoffice/program/senddoc           px,
  /usr/bin/xdg-open                 rPUx,
  /usr/share/java/**.jar                r,
  /usr/share/hunspell/                  r,
  /usr/share/hunspell/**                r,
  /usr/share/hyphen/                    r,
  /usr/share/hyphen/**                  r,
  /usr/share/mythes/                    r,
  /usr/share/mythes/**                  r,
  /usr/share/liblangtag/                r,
  /usr/share/liblangtag/**              r,
  /usr/share/libreoffice/               r,
  /usr/share/libreoffice/**             r,
  /usr/share/yelp-xsl/xslt/mallard/**   r,
  /usr/share/libexttextcat/*            r,
  /usr/share/icu/**                     r,
  /usr/share/locale-bundle/*            r,
  /var/spool/libreoffice/               r,
  /var/spool/libreoffice/**             rw,
  /var/cache/fontconfig/                rw,
  #Likely moving to abstractions in the future
  owner @{HOME}/.icons/*/cursors/*      r,
  /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
  /usr/share/*-fonts/conf.avail/*.conf  r,
  /usr/share/fonts-config/conf.avail/*.conf r,
  /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
  /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), 
Solid::Device::listFromQuery()
  @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> 
QSysInfo::bootUniqueId()
  #To avoid "Unable to create io-slave." for file dialog
  owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
  #For KIO IO::Slave::createSlave()
  owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  
/{,var/}run/user/[0-9]*/#[0-9]*,
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/secmod.db r,
  # firefox < 58
  owner @{HOME}/.mozilla/firefox/*/cert8.db r,
  # firefox >= 58
  owner @{HOME}/.mozilla/firefox/*/cert9.db r,
  owner @{HOME}/.local/share/user-places.xbel r,
  # there is abstractions/gnupg but that's just for gpg1...
  profile gpg {
    #include <abstractions/base>
   /usr/bin/gpgconf rm,
   /usr/bin/gpg rm,
   /usr/bin/gpgsm rm,
    owner @{HOME}/.gnupg/* r,
    owner @{HOME}/.gnupg/random_seed rk,
    owner @{HOME}/.gnupg/tofu.db rwk,
  }
  # probably should become a subprofile like gpg above, but then it doesn't
  # work either as it tries to access stuff only allowed above...
  owner @{HOME}/.config/kdeglobals r,
  /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
  /usr/share/qt5/translations/* r,
  /usr/lib/*/qt5/plugins/** rm,
  /usr/share/plasma/look-and-feel/**/contents/defaults r,
  # TODO: remove when rules are available in abstractions/kde
  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used 
by KFileWidget
  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
  owner @{HOME}/.config/kde.org/libphonon.conf r, # for 
KNotifications::sendEvent()
  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, 
for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
  owner @{HOME}/.config/trashrc r, # user by KFileWidget
  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
  # TODO: remove when rules are available in abstractions/kde-write-icon-cache 
or similar
  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
  # TODO: remove when rules are available in abstractions/kdeframeworks5 or 
similar
  /usr/share/kservices5/*.protocol r,
  # TODO: use qt5-settings-write abstraction when it is available
  owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
  owner @{HOME}/.config/QtProject.conf rw,
  owner @{HOME}/.config/QtProject.conf.?????? l -> 
@{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
  owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like 
QtProject.conf.Aqrgeb
  owner @{HOME}/.config/QtProject.conf.lock rwk,
  # TODO: use qt5-compose-cache-write abstraction when it is available
  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
  # TODO: use recent-documents-write abstraction when it is available
  owner @{HOME}/.local/share/RecentDocuments/** r,
  owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> 
@{HOME}/.local/share/RecentDocuments/#[0-9]*,
  owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
  owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
  # TODO: use kde-globals-write abstraction when it is available
  owner @{HOME}/.config/kdeglobals rw,
  owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
  owner @{HOME}/.config/kdeglobals.lock rwk,
}


-- no debconf information

--- End Message ---

--- Begin Message ---

Source: libreoffice
Source-Version: 1:7.3.0~rc2-3
Done: Rene Engelhard <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libreoffice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <r...@debian.org> (supplier of updated libreoffice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Jan 2022 20:35:38 +0100
Source: libreoffice
Architecture: source
Version: 1:7.3.0~rc2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <r...@debian.org>
Closes: 1003864 1004038
Changes:
 libreoffice (1:7.3.0~rc2-3) unstable; urgency=medium
 .
   * debian/tests/control.in:
     - comment out build-needing autopkgtests again by request of the release
       team; the infrastructure even on amd64 is not capable of handling it due
       due autopkgtest shortcomings
   * debian/control.help.in.
     - move the browser Depends to Recommends: (closes: #1003864)
   * debian/patches/apparmor-updates.diff: add patch to fix saving with
     enforced apparmor again, thanks Vincas Dargis (closes: #1004038)
Checksums-Sha1:
 b83b68b4d8a541608baa4d25fe301ae5978e229e 31381 libreoffice_7.3.0~rc2-3.dsc
 d02bc7b3ddac8a5342d96e020c4565513e97f644 23930984 
libreoffice_7.3.0~rc2-3.debian.tar.xz
 19c7640b8612fa0ebcecf89ddac5be53d4fb516e 32948 
libreoffice_7.3.0~rc2-3_source.buildinfo
Checksums-Sha256:
 688e65ac0d537f9bc685d6ff5140bf51e8acc9a366f18c2d38988ae57fb090ae 31381 
libreoffice_7.3.0~rc2-3.dsc
 24b6d01f21bae47fe11a1b5e17469feb7d94a5023c6b30092045cb20ceb373f8 23930984 
libreoffice_7.3.0~rc2-3.debian.tar.xz
 40548933adc560ab4a944ccb8316eef75c8dd6e0d2e6f47d3770963142a14e14 32948 
libreoffice_7.3.0~rc2-3_source.buildinfo
Files:
 8dbe5b88ac4a2038c303c728b1f4920c 31381 editors optional 
libreoffice_7.3.0~rc2-3.dsc
 6e79c580049e9ed392670bf54abe00dc 23930984 editors optional 
libreoffice_7.3.0~rc2-3.debian.tar.xz
 8fcddfd2783d43339223ca7e2a625b7d 32948 editors optional 
libreoffice_7.3.0~rc2-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEE4S3qRnUGcM+pYIAdCqBFcdA+PnAFAmHrDHwQHHJlbmVAZGVi
aWFuLm9yZwAKCRAKoEVx0D4+cGGWD/9eiWzaai7JvcdAXoRWJQaYJzje6dPQDAXj
XJqdT6lTjIDuAxJ0TKbMF484tKSxJhteQbZ3ytVkNjg3lvGzSJidZ+DtKEq/VVla
OqC5npRgD+BTwWwHDcs/rasI+t3eyFD2InvkuOLmuSqRtNk72x8orf9fDma3zxM3
IuLdlF+1vpaIBnqXttntnI+s+WSDVryBXqdFKcI7Qop31x5RpC6eB/lGzp1h9pdb
rAak8T6YoxiyVMaVyZeaBehdz8ATsRF8lbrCDxpJHQ14LaYpJoBEdocH7Dba7ErU
xHs2Px58RSbHZnpcRUvcXvFb4iBWhEf3eLVY55fOMuHfdZznZIh+LVt3wftCZvGp
rY+ddN6n+hYGn5/pL5bLBw07HX6V00xqdtj+qmuaYzksfJVTLBrJtfqvfuo5B7kO
O49AghmCYo4wTi9pGPl/Y2deTd24wI/bH1p4fqP4+YjKhzmiHto2kafntG/r6SqO
hKEccGXmaER/yyIClxxpW+KqrSza+VUkgKxqLYvwKMcR8qcF2mBpJWCVcMuHBvxB
IO5Fx1XfRnSaENfOmQMehDQVPf2eqX129YWMHkt6x4m9wizGm4RVaX/MU3X45Crt
OTjMb/0ztWWRfXfXQXr7BzdcoCRH6AhXFECmzrkxu761MKsVHLV3wxG/rLJgel46
Lbr3v8/24Q==
=AgRA
-----END PGP SIGNATURE-----

--- End Message ---