sysui/desktop/apparmor/program.oosplash | 20 +++---- sysui/desktop/apparmor/program.senddoc | 10 ++- sysui/desktop/apparmor/program.soffice.bin | 80 +++++++++++++++-------------- sysui/desktop/apparmor/program.xpdfimport | 11 ++- 4 files changed, 65 insertions(+), 56 deletions(-)
New commits: commit f5441e050835238c3a9b5a77629b0f8770a739df Author: Daniel Richard G <[email protected]> AuthorDate: Mon Sep 8 22:10:45 2025 -0400 Commit: Ilmari Lauhakangas <[email protected]> CommitDate: Sat Sep 20 16:06:41 2025 +0200 apparmor: Profile modernization and updates General: * Replace `#include` directives with `include`, as AppArmor no longer favors the former syntax * Clean up trailing whitespace, indent with spaces instead of tabs * Add `include` directive for site-specific additions/overrides * Replace `/{,var/}run` with the more modern `@{run}` variable program.oosplash: * Add `complain` flag for opt-in enforcement * Use `abstractions/nameservice`, and remove rules made redundant by it. This also fixes violations like `2025-09-06T23:14:05.973442-04:00 test-ubuntu64 kernel: audit: type=1400 audit(1757214845.971:163): apparmor="ALLOWED" operation="connect" class="file" profile="libreoffice-oosplash" name="/run/nscd/socket" pid=2643 comm="oosplash" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0` * Remove rules already made redundant by abstractions/X program.soffice.bin: * Add Google copyright attribution for the `tofu.db` addition to the `gpg` child profile * Add `complain` flag for opt-in enforcement * Re-sort list of abstraction `include` directives * Add abstractions: dri-enumerate, mesa, opencl-* * Simplify rule for temporary file, as the number of `?` characters needed appears to vary in the wild * Add missing gvfsd rule to avoid violations like `2025-09-06T23:14:32.508946-04:00 test-ubuntu64 kernel: audit: type=1400 audit(1757214872.491:167): apparmor="ALLOWED" operation="connect" class="file" profile="libreoffice-soffice" name="/run/user/1000/gvfsd/socket-Qaq0BKpG" pid=2669 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000` * Remove all `/path/to/dir/ r,` rules that are made redundant by the `/**/ r,` rule * Remove GStreamer rule already made redundant by abstractions/X * Add rule for access to 
java.security * Remove libdrm rule made redundant by abstractions/dri-enumerate * Add rules for access to Thunderbird configuration * Add a couple of rules to the `gpg` child profile, taken from patches used in Debian/Ubuntu Change-Id: I4a558d7cc809c0c2afd55fab0cf74800e1efc9e5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190686 Tested-by: Jenkins Reviewed-by: René Engelhard <[email protected]> Reviewed-by: Ilmari Lauhakangas <[email protected]> diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/program.oosplash index dd1136bc9b06..4c040cec25d6 100644 --- a/sysui/desktop/apparmor/program.oosplash +++ b/sysui/desktop/apparmor/program.oosplash @@ -12,25 +12,23 @@ # # ------------------------------------------------------------------ -#include <tunables/global> +include <tunables/global> -profile libreoffice-oosplash INSTDIR-program/oosplash { - #include <abstractions/base> - #include <abstractions/X> +profile libreoffice-oosplash INSTDIR-program/oosplash flags=(complain) { + include <abstractions/base> + include <abstractions/nameservice> + include <abstractions/X> /etc/libreoffice/ r, /etc/libreoffice/** r, - /etc/passwd r, - /etc/nsswitch.conf r, - /run/nscd/passwd r, /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c /usr/lib{,32,64}/ure/bin/javaldx rmpux, /usr/share/libreoffice/program/* r, - INSTDIR-program/** r, + INSTDIR-program/** r, INSTDIR-program/soffice.bin rmpx, INSTDIR-program/javaldx rmpux, - owner @{HOME}/.Xauthority r, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, - unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), - unix peer=(addr=@/tmp/.X11-unix/* label=unconfined), + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/libreoffice-oosplash> } diff --git a/sysui/desktop/apparmor/program.senddoc b/sysui/desktop/apparmor/program.senddoc index 969130f4ea90..ac193d563120 100644 
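Review bot: `flags=(complain)` on the new `profile libreoffice-oosplash INSTDIR-program/oosplash flags=(complain) {` line puts the profile in log-only mode, so nothing is blocked until a site removes the flag or runs aa-enforce, and the installed profile does not say so anywhere (the "opt-in enforcement" rationale lives only in the commit message). A comment above the profile line would make that visible to whoever reads the file, e.g. `# Shipped in complain mode (flags=(complain)): violations are logged as apparmor="ALLOWED" but not blocked; remove the flag or run aa-enforce to enforce.` The same applies to the soffice.bin profile in the @@ -73 hunk, while senddoc and xpdfimport keep enforcing, which may well be intended but is worth stating in that comment. Separately, swapping the three removed passwd/nsswitch/nscd rules for `include <abstractions/nameservice>` also grants inet/inet6 socket access and reads of other resolver configuration, if I recall that abstraction correctly; since the logged violation was only the nscd socket, the narrower `@{run}/nscd/socket rw,` alongside the previous `/etc/passwd r,` and `/etc/nsswitch.conf r,` rules may be the better fit for a helper like oosplash.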
--- a/sysui/desktop/apparmor/program.senddoc +++ b/sysui/desktop/apparmor/program.senddoc @@ -12,12 +12,11 @@ # # ------------------------------------------------------------------ -#include <tunables/global> +include <tunables/global> profile libreoffice-senddoc INSTDIR-program/senddoc { - #include <abstractions/base> - - #include <abstractions/user-tmp> + include <abstractions/base> + include <abstractions/user-tmp> /{usr/,}bin/sh rmix, /{usr/,}bin/bash rmix, @@ -33,5 +32,8 @@ profile libreoffice-senddoc INSTDIR-program/senddoc { INSTDIR-program/uri-encode rmpux, /usr/share/libreoffice/share/config/* r, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/libreoffice-senddoc> } diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin index d4f92580de57..88d43685f710 100644 --- a/sysui/desktop/apparmor/program.soffice.bin +++ b/sysui/desktop/apparmor/program.soffice.bin @@ -2,6 +2,7 @@ # # Copyright (C) 2016 Canonical Ltd. # Copyright (C) 2018 Software in the Public Interest, Inc. +# Copyright (C) 2021 Google LLC # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this @@ -13,7 +14,7 @@ # # ------------------------------------------------------------------ -# This profile should enable the average LibreOffice user to get their +# This profile should enable the average LibreOffice user to get their # work done while blocking some advanced usage # Namely not tested and likely not working : embedded plugins, # Using the LibreOffice SDK and other development tasks 
@@ -73,26 +74,30 @@ @{libo_user_dirs} = @{HOME} /mnt /media -#include <tunables/global> +include <tunables/global> -profile libreoffice-soffice INSTDIR-program/soffice.bin { - #include <abstractions/private-files> +profile libreoffice-soffice INSTDIR-program/soffice.bin flags=(complain) { + include <abstractions/private-files> - #include <abstractions/audio> - #include <abstractions/bash> - #include <abstractions/cups-client> - #include <abstractions/dbus> - #include <abstractions/dbus-session> - #include <abstractions/dbus-accessibility> - #include <abstractions/ibus> - #include <abstractions/nameservice> - #include <abstractions/gnome> + include <abstractions/audio> + include <abstractions/bash> + include <abstractions/cups-client> + include <abstractions/dbus> + include <abstractions/dbus-session> + include <abstractions/dbus-accessibility> + include <abstractions/dri-enumerate> + include <abstractions/gnome> # GnuPG1 only... -# #include <abstractions/gnupg> - #include <abstractions/python> - #include <abstractions/p11-kit> - - #include <abstractions/user-tmp> +##include <abstractions/gnupg> + include <abstractions/ibus> + include <abstractions/mesa> + include <abstractions/nameservice> + include <abstractions/opencl-intel> + include <abstractions/opencl-mesa> + include <abstractions/opencl-nvidia> + include <abstractions/p11-kit> + include <abstractions/python> + include <abstractions/user-tmp> #List directories for file browser / r, 
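Review bot: The commented-out GnuPG include in the abstraction list is the only line that still carries the old `#include` spelling, now as `##include <abstractions/gnupg>`, so whoever uncomments it later reintroduces the syntax this commit removes everywhere else. Writing it as `# include <abstractions/gnupg>` keeps it a comment and matches the surrounding directives. The profile body opened by these includes continues past the end of the hunk.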
@@ -101,7 +106,7 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own owner @{libo_user_dirs}/**~lock.* rw, #lock file support owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts - owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving + owner @{libo_user_dirs}/{,**/}lu*.tmp rwk, #Temporary file used when saving owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE # Settings @@ -120,11 +125,12 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { owner @{HOME}/.cache/fontconfig/** rw, owner @{HOME}/.config/gtk-???/bookmarks r, #Make bookmarks work - owner /{,var/}run/user/*/dconf/user rw, + owner @{run}/user/*/dconf/user rw, owner @{HOME}/.config/dconf/user r, + owner @{run}/user/@{uid}/gvfsd/socket-* rw, + # allow schema to be read - /usr/share/glib-*/schemas/ r, /usr/share/glib-*/schemas/** r, # bluetooth send to @@ -148,9 +154,9 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { /dev/tty rw, /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx, - owner @{HOME}/.cache/gstreamer-???/** rw, - unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this + owner @{HOME}/.cache/gstreamer-???/** rw, + /etc/java-*-openjdk/security/java.security r, /usr/lib{,32,64}/jvm/ r, /usr/lib{,32,64}/jvm/** r, /usr/lib{,32,64}/jvm/**/jre/bin/java mix, 
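Review bot: The new `owner @{run}/user/@{uid}/gvfsd/socket-* rw,` rule spells the runtime-directory component as `@{uid}`, while the dconf rule two lines above it (`owner @{run}/user/*/dconf/user rw,`) keeps `*` and the gpg child profile in the @@ -204 hunk uses `[0-9]*` for the same component. `@{uid}` is the tightest of the three because it pins the path to the calling user's own uid, so it is the better choice for all three if the minimum supported AppArmor version defines it (it is provided through tunables/global on recent releases; I have not checked the oldest targeted distribution). If it is not available everywhere, `[0-9]*` at least restricts the match to numeric uids and would be the consistent fallback. The widened `owner @{libo_user_dirs}/{,**/}lu*.tmp rwk,` rule would also benefit from having its reason recorded in the profile, e.g. extending its trailing comment to `#Temporary file used when saving (length of the random part varies)`, since the justification otherwise exists only in the commit message.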
@@ -163,33 +169,26 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { /usr/bin/xdg-open rPUx, /usr/share/java/**.jar r, - /usr/share/hunspell/ r, /usr/share/hunspell/** r, - /usr/share/hyphen/ r, /usr/share/hyphen/** r, - /usr/share/mythes/ r, /usr/share/mythes/** r, - /usr/share/liblangtag/ r, /usr/share/liblangtag/** r, - /usr/share/libreoffice/ r, /usr/share/libreoffice/** r, /usr/share/yelp-xsl/xslt/mallard/** r, /usr/share/libexttextcat/* r, /usr/share/icu/** r, /usr/share/locale-bundle/* r, - /var/spool/libreoffice/ r, /var/spool/libreoffice/** rw, /var/cache/fontconfig/ rw, #Likely moving to abstractions in the future owner @{HOME}/.icons/*/cursors/* r, /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny? - /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # for libdrm /usr/share/*-fonts/conf.avail/*.conf r, /usr/share/fonts-config/conf.avail/*.conf r, - /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery() - /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery() + @{run}/udev/data/+usb:* r, # Solid::Device::listFromQuery() + @{run}/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery() @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId() #To avoid "Unable to create io-slave." for file dialog 
@@ -204,18 +203,24 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { # firefox >= 58 owner @{HOME}/.mozilla/firefox/*/cert9.db r, + # same as above, for thunderbird + owner @{HOME}/.thunderbird/profiles.ini r, + owner @{HOME}/.thunderbird/*/cert9.db r, + owner @{HOME}/.local/share/user-places.xbel r, # there is abstractions/gnupg but that's just for gpg1... profile gpg { - #include <abstractions/base> + include <abstractions/base> - /usr/bin/gpgconf rm, - /usr/bin/gpg rm, - /usr/bin/gpgsm rm, + /usr/bin/gpgconf rm, + /usr/bin/gpg rm, + /usr/bin/gpgsm rm, owner @{HOME}/.gnupg/* r, owner @{HOME}/.gnupg/random_seed rk, + owner @{HOME}/.gnupg/tofu.db rwk, + owner @{run}/user/[0-9]*/gnupg/* rw, } # probably should become a subprofile like gpg above, but then it doesn't @@ -261,4 +266,7 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin { owner @{HOME}/.config/kdeglobals rw, owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/kdeglobals.lock rwk, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/libreoffice-soffice> } diff --git a/sysui/desktop/apparmor/program.xpdfimport b/sysui/desktop/apparmor/program.xpdfimport index f8bfbfe8fa49..2f155fcd554b 100644 --- a/sysui/desktop/apparmor/program.xpdfimport +++ b/sysui/desktop/apparmor/program.xpdfimport @@ -12,12 +12,11 @@ # # ------------------------------------------------------------------ -#include <tunables/global> +include <tunables/global> profile libreoffice-xpdfimport INSTDIR-program/xpdfimport { - #include <abstractions/base> - - #include <abstractions/user-tmp> + include <abstractions/base> + include <abstractions/user-tmp> /usr/share/poppler/** r, /usr/share/libreoffice/share/config/* r, 
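Review bot: The added `owner @{run}/user/[0-9]*/gnupg/* rw,` in the `profile gpg {` child profile covers every socket in the runtime gnupg directory, including the ssh/extra/browser agent sockets, whereas the gpg, gpgsm and gpgconf binaries listed in the same child profile presumably only need the main agent socket and dirmngr for keyserver lookups. If the Debian/Ubuntu patches the rule is taken from use the same glob, keeping it is defensible, but a trailing comment naming the sockets actually exercised, e.g. `# gpg-agent and dirmngr sockets`, would let the next reviewer judge whether the glob can be narrowed. The child profile is shown in full here, but the enclosing soffice profile continues outside the hunk.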
@@ -27,5 +26,7 @@ profile libreoffice-xpdfimport INSTDIR-program/xpdfimport { #Uncomment for build testing (should be one directory <- of instdir) #/mnt/store/git/libo/** r, -} + # Site-specific additions and overrides. See local/README for details. + include if exists <local/libreoffice-xpdfimport> +}
