sysui/desktop/apparmor/libreoffice-oosplash | 10 ++++++---- sysui/desktop/apparmor/libreoffice-senddoc | 6 ++++-- sysui/desktop/apparmor/libreoffice-soffice.bin | 16 +++++++++------- sysui/desktop/apparmor/libreoffice-xpdfimport | 6 ++++-- sysui/desktop/share/apparmor.sh | 11 ++--------- 5 files changed, 25 insertions(+), 24 deletions(-)
New commits: commit 435c8a4b21d893db6275cd437c89ac516949a58b Author: Daniel Richard G <[email protected]> AuthorDate: Thu Sep 11 17:49:30 2025 -0400 Commit: Ilmari Lauhakangas <[email protected]> CommitDate: Sat Sep 20 16:07:03 2025 +0200 apparmor: Rename profiles, use variable for install dir * Switch to using filenames for the profiles that do not embed the path of the confined executable, in line with upstream AppArmor * Use an AppArmor variable for the installation directory, that only needs to be substituted once into each profile file * Update the `apparmor.sh` installation script in line with the above, tweak the sed pattern to avoid the need to escape the install-directory string, and don't let trailing slashes in the arguments lead to double slashes in the outputs. Change-Id: I3400290659a4dd56aa8b7efb2aecf2cf4cd8c49d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190843 Tested-by: Jenkins Reviewed-by: René Engelhard <[email protected]> Tested-by: René Engelhard <[email protected]> diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/libreoffice-oosplash similarity index 82% rename from sysui/desktop/apparmor/program.oosplash rename to sysui/desktop/apparmor/libreoffice-oosplash index 4c040cec25d6..8d243d7f81cd 100644 --- a/sysui/desktop/apparmor/program.oosplash +++ b/sysui/desktop/apparmor/libreoffice-oosplash @@ -12,9 +12,11 @@ # # ------------------------------------------------------------------ +@{libo_inst_dir} = @INSTDIR@ + include <tunables/global> -profile libreoffice-oosplash INSTDIR-program/oosplash flags=(complain) { +profile libreoffice-oosplash @{libo_inst_dir}/program/oosplash flags=(complain) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/X> @@ -24,9 +26,9 @@ profile libreoffice-oosplash INSTDIR-program/oosplash flags=(complain) { /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c /usr/lib{,32,64}/ure/bin/javaldx rmpux, /usr/share/libreoffice/program/* r, - INSTDIR-program/** r, - INSTDIR-program/soffice.bin rmpx, - INSTDIR-program/javaldx rmpux, + @{libo_inst_dir}/program/** r, + @{libo_inst_dir}/program/soffice.bin rmpx, + @{libo_inst_dir}/program/javaldx rmpux, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, # Site-specific additions and overrides. See local/README for details. diff --git a/sysui/desktop/apparmor/program.senddoc b/sysui/desktop/apparmor/libreoffice-senddoc similarity index 89% rename from sysui/desktop/apparmor/program.senddoc rename to sysui/desktop/apparmor/libreoffice-senddoc index ac193d563120..9216c4766016 100644 --- a/sysui/desktop/apparmor/program.senddoc +++ b/sysui/desktop/apparmor/libreoffice-senddoc @@ -12,9 +12,11 @@ # # ------------------------------------------------------------------ +@{libo_inst_dir} = @INSTDIR@ + include <tunables/global> -profile libreoffice-senddoc INSTDIR-program/senddoc { +profile libreoffice-senddoc @{libo_inst_dir}/program/senddoc { include <abstractions/base> include <abstractions/user-tmp> @@ -29,7 +31,7 @@ profile libreoffice-senddoc INSTDIR-program/senddoc { /usr/bin/xdg-open rPUx, /usr/bin/xdg-email rPUx, /dev/null rw, - INSTDIR-program/uri-encode rmpux, + @{libo_inst_dir}/program/uri-encode rmpux, /usr/share/libreoffice/share/config/* r, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/libreoffice-soffice.bin similarity index 95% rename from sysui/desktop/apparmor/program.soffice.bin rename to sysui/desktop/apparmor/libreoffice-soffice.bin index 88d43685f710..1e07e63e7838 100644 --- a/sysui/desktop/apparmor/program.soffice.bin +++ b/sysui/desktop/apparmor/libreoffice-soffice.bin @@ -72,11 +72,13 @@ #Math @{libreoffice_ext} += [mM][mM][lL] +@{libo_inst_dir} = @INSTDIR@ + @{libo_user_dirs} = @{HOME} /mnt /media include <tunables/global> -profile libreoffice-soffice INSTDIR-program/soffice.bin flags=(complain) { +profile libreoffice-soffice @{libo_inst_dir}/program/soffice.bin flags=(complain) { include <abstractions/private-files> include <abstractions/audio> @@ -161,12 +163,12 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin flags=(complain) { /usr/lib{,32,64}/jvm/** r, /usr/lib{,32,64}/jvm/**/jre/bin/java mix, /usr/lib{,32,64}/jvm/**/bin/java mix, - INSTDIR-** rw, - INSTDIR-**.so m, - INSTDIR-program/soffice.bin mix, - INSTDIR-program/xpdfimport px, - INSTDIR-program/senddoc px, - /usr/bin/xdg-open rPUx, + @{libo_inst_dir}/** rw, + @{libo_inst_dir}/**.so m, + @{libo_inst_dir}/program/soffice.bin mix, + @{libo_inst_dir}/program/xpdfimport px, + @{libo_inst_dir}/program/senddoc px, + /usr/bin/xdg-open rPUx, /usr/share/java/**.jar r, /usr/share/hunspell/** r, diff --git a/sysui/desktop/apparmor/program.xpdfimport b/sysui/desktop/apparmor/libreoffice-xpdfimport similarity index 87% rename from sysui/desktop/apparmor/program.xpdfimport rename to sysui/desktop/apparmor/libreoffice-xpdfimport index 2f155fcd554b..fa80140b2d03 100644 --- a/sysui/desktop/apparmor/program.xpdfimport +++ b/sysui/desktop/apparmor/libreoffice-xpdfimport @@ -12,9 +12,11 @@ # # ------------------------------------------------------------------ +@{libo_inst_dir} = @INSTDIR@ + include <tunables/global> -profile libreoffice-xpdfimport INSTDIR-program/xpdfimport { +profile libreoffice-xpdfimport @{libo_inst_dir}/program/xpdfimport { include <abstractions/base> include <abstractions/user-tmp> @@ -22,7 +24,7 @@ profile libreoffice-xpdfimport INSTDIR-program/xpdfimport { /usr/share/libreoffice/share/config/* r, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, - INSTDIR-program/xpdfimport pxm, + @{libo_inst_dir}/program/xpdfimport pxm, #Uncomment for build testing (should be one directory <- of instdir) #/mnt/store/git/libo/** r, diff --git a/sysui/desktop/share/apparmor.sh b/sysui/desktop/share/apparmor.sh index 90d6ac34fd48..91e4ff21259a 100755 --- a/sysui/desktop/share/apparmor.sh +++ b/sysui/desktop/share/apparmor.sh @@ -31,18 +31,11 @@ CHECK=$5 #Check parsing of the new profile? #Ubuntu 16.04, running from git! # sudo ./sysui/desktop/share/apparmor.sh /mnt/store/git/libo/instdir/ sysui/desktop/apparmor/ /etc/apparmor.d/ true true -#Need to convert / to . for profile names -INST_ROOT_FORMAT=${INST_ROOT/\//} -INST_ROOT_FORMAT=${INST_ROOT_FORMAT////.} - -#Need to escape / for sed -INST_ROOT_SED=${INST_ROOT////\/} - for filename in $PROFILESFROM/* do [[ -e $filename ]] || { echo "No profile files found in ""$PROFILESFROM"; exit 1; } - tourl=$INSTALLTO$INST_ROOT_FORMAT${filename##*/} - sed "s/INSTDIR-/$INST_ROOT_SED/g" "$filename" > "$tourl" + tourl=${INSTALLTO%/}/${filename##*/} + sed "s!@INSTDIR@!${INST_ROOT%/}!g" "$filename" > "$tourl" echo "$tourl" if [ "$CHECK" = "true" ]; then # check profile parsing
