apparmor profile for libreoffice

Bug #1284507 reported by Ritesh Khadgaray
This bug affects 2 people
Affects               Status        Importance  Assigned to    Milestone
AppArmor Profiles     Invalid       Undecided   Unassigned
libreoffice (Ubuntu)  Fix Released  High        Bryan Quigley

Bug Description

Support for an apparmor profile for lo. Would be nice if this was included under disabled until this receives wider testing.

Why -
To limit the amount of damage from "virus" -
http://www.openoffice.org/press/statement-proof-of-concept-virus.html

Changed in libreoffice (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-14.04-beta-1
status: New → Triaged
Changed in libreoffice (Ubuntu):
milestone: ubuntu-14.04-beta-1 → ubuntu-14.04-beta-2
Revision history for this message
Ritesh Khadgaray (khadgaray) wrote :

This fails to open a document in the home directory for me, and others are opened in read-only mode.

Revision history for this message
Ritesh Khadgaray (khadgaray) wrote :

support file locking

tags: added: trusty
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

The $HOMEDIR/.execoooXXXXXX issue is being discussed here: https://bugs.freedesktop.org/show_bug.cgi?id=72755

Kip Warner (kip)
Changed in libreoffice (Ubuntu):
assignee: nobody → Kip Warner (kip)
Changed in libreoffice (Ubuntu):
assignee: Kip Warner (kip) → Bryan Quigley (bryanquigley)
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

I went through opening and closing every filetype I could get save.
Only tested running Unity.

I also ran parts of the built-in tests. For me it eventually segfaults (on a normal install), but previously there were some apparmor errors that it helped catch. (This requires a build environment.)
soffice "--accept=pipe,name=$USER;urp;" &
make subsequentcheck OOO_TEST_SOFFICE="connect:pipe,name=$USER"

There are some known not to be fixed issues like:
Will not open a file without an extension
Will not open rw a file if it's not under /media or /home.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Not sure where it's best to go (libo packaging or apparmor-profiles).

tags: added: apparmor
tags: added: policy
no longer affects: apparmor (Ubuntu)
Changed in libreoffice (Ubuntu):
milestone: ubuntu-14.04-beta-2 → none
tags: added: vivid
Mathew Hodson (mhodson)
tags: removed: policy
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

This can't be included in LibreOffice by default, so it makes more sense in the profiles package.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

I'll be posting an updated version of these profiles to the mailing list.

Changed in apparmor-profiles:
status: New → Invalid
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Got AppArmor profiles committed upstream https://gerrit.libreoffice.org/#/c/15452/

New plan from AppArmor list seems to indicate the best way forward might be to make a libreoffice-apparmor package that includes and enables the libreoffice apparmor profiles.

[1] http://lists.freedesktop.org/archives/libreoffice/2015-April/067669.html

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

This was partially done. Unfortunately the profiles are all missing a /
/usr/lib/libreofficeprogram/soffice.bin

should be
/usr/lib/libreoffice/program/soffice.bin

Revision history for this message
intrigeri (intrigeri) wrote : Re: [Bug 1284507] Re: apparmor profile for libreoffice

> This was partially done. unfortunately the profiles are all missing a /

I think that's been fixed in Debian already.

Revision history for this message
Olivier Tilloy (osomon) wrote :

This is now fixed in 6.0.1 (currently in bionic-proposed) and 5.4.5 in artful-updates.

Changed in libreoffice (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
fw114 (p-post-k) wrote :

Bug not solved in libreoffice 5.4.5-0ubuntu0.17.10.1

Also, disabling apparmor does not work:

Feb 22 23:20:54 kid systemd[1]: Starting AppArmor initialization...
Feb 22 23:20:54 kid apparmor[4221]: * Starting AppArmor profiles
Feb 22 23:20:54 kid apparmor[4221]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Feb 22 23:20:54 kid apparmor[4221]: Skipping profile in /etc/apparmor.d/disable: usr.lib.libreoffice.program.oosplash
Feb 22 23:20:54 kid apparmor[4221]: Skipping profile in /etc/apparmor.d/disable: usr.lib.libreoffice.program.senddoc
Feb 22 23:20:54 kid apparmor[4221]: Skipping profile in /etc/apparmor.d/disable: usr.lib.libreoffice.program.soffice.bin
Feb 22 23:20:54 kid apparmor[4221]: Skipping profile in /etc/apparmor.d/disable: usr.lib.libreoffice.program.xpdfimport
Feb 22 23:20:55 kid apparmor[4221]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Feb 22 23:20:58 kid apparmor[4221]: ...done.
Feb 22 23:20:58 kid systemd[1]: Started AppArmor initialization.

syslog:
Feb 22 23:23:07 kid kernel: [ 1712.294720] audit: type=1400 audit(1519338187.355:962): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/etc/kde4rc" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 22 23:23:07 kid kernel: [ 1712.294730] audit: type=1400 audit(1519338187.355:963): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.kde/share/config/kdeglobals" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 22 23:23:07 kid kernel: [ 1712.296547] audit: type=1400 audit(1519338187.357:964): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/etc/kde4rc" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 22 23:23:07 kid kernel: [ 1712.296596] audit: type=1400 audit(1519338187.357:965): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.kde/share/config/kdeglobals" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 22 23:23:07 kid kernel: [ 1712.299552] audit: type=1400 audit(1519338187.360:966): apparmor="DENIED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/kdeinit4" pid=4330 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb 22 23:23:07 kid kernel: [ 1712.303184] audit: type=1400 audit(1519338187.363:967): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.config/Trolltech.conf" pid=4317 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Feb 22 23:23:07 kid kernel: [ 1712.303209] audit: type=1400 audit(1519338187.363:968): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.config/Trolltech.conf" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 22 23:23:07 kid kernel: [ 1712.303885] audit: type=1400 audit(1519338187.364:969): apparmor="DENIED" operation="file_mmap" profile="libreoffice-soffice" name="/usr/lib/kde4/kfilemodule.so" pid=4317 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Feb 22 ...


Revision history for this message
Olivier Tilloy (osomon) wrote :

You appear to have symlinks in /etc/apparmor.d/disable/ to the libreoffice profiles, which explains why they are not being loaded.

Revision history for this message
fw114 (p-post-k) wrote :

It does not matter, with symlinks and without.

AppArmor blocks libreoffice no matter what is set, that's the point. And that after the updates.

If libreoffice is enabled in apparmor, libreoffice is not able to open any files. Output from the log where apparmor was enabled:

Feb 22 10:58:07 kid kernel: [ 721.264143] audit: type=1400 audit(1519293487.771:238): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/etc/kde4rc" pid=3383 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 22 10:58:07 kid kernel: [ 721.264147] audit: type=1400 audit(1519293487.771:239): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.kde/share/config/kdeglobals" pid=3383 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 22 10:58:07 kid kernel: [ 721.265771] audit: type=1400 audit(1519293487.772:240): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/etc/kde4rc" pid=3383 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 22 10:58:07 kid kernel: [ 721.265796] audit: type=1400 audit(1519293487.772:241): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.kde/share/config/kdeglobals" pid=3383 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 22 10:58:07 kid kernel: [ 721.271664] audit: type=1400 audit(1519293487.778:242): apparmor="DENIED" operation="exec" profile="libreoffice-soffice" name="/usr/lib/kde4/libexec/lnusertemp" pid=3394 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb 22 10:58:07 kid kernel: [ 721.276967] audit: type=1400 audit(1519293487.783:243): apparmor="DENIED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/kdeinit4" pid=3396 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb 22 10:58:07 kid kernel: [ 721.282745] audit: type=1400 audit(1519293487.789:244): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.config/Trolltech.conf" pid=3383 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Feb 22 10:58:07 kid kernel: [ 721.282754] audit: type=1400 audit(1519293487.789:245): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.config/Trolltech.conf" pid=3383 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

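The kernel audit lines quoted in the two comments above can be triaged mechanically rather than by eye. The script below is an added example and is not part of this bug report, of the LibreOffice packaging, or of the AppArmor project: it splits each audit line into its key="value" fields, keeps only the apparmor="DENIED" entries, counts identical denials, and merges the denied masks per profile and path so a profile maintainer can see which access the confined soffice.bin actually needed (for example "wrc" and "r" on Trolltech.conf collapse to "crw"). The sample log is copied from the report above plus one constructed apparmor="ALLOWED" line to show that non-denials are ignored; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Sample input: six DENIED lines copied from the bug report above, plus one
# constructed ALLOWED line (the form complain mode emits) that must be ignored.
SAMPLE_LOG = """\
Feb 22 23:23:07 kid kernel: [ 1712.294720] audit: type=1400 audit(1519338187.355:962): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/etc/kde4rc" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 22 23:23:07 kid kernel: [ 1712.294730] audit: type=1400 audit(1519338187.355:963): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.kde/share/config/kdeglobals" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 22 23:23:07 kid kernel: [ 1712.296547] audit: type=1400 audit(1519338187.357:964): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/etc/kde4rc" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 22 23:23:07 kid kernel: [ 1712.299552] audit: type=1400 audit(1519338187.360:966): apparmor="DENIED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/kdeinit4" pid=4330 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Feb 22 23:23:07 kid kernel: [ 1712.303184] audit: type=1400 audit(1519338187.363:967): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/torsten/.config/Trolltech.conf" pid=4317 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Feb 22 23:23:07 kid kernel: [ 1712.303885] audit: type=1400 audit(1519338187.364:969): apparmor="DENIED" operation="file_mmap" profile="libreoffice-soffice" name="/usr/lib/kde4/kfilemodule.so" pid=4317 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Feb 22 23:23:08 kid kernel: [ 1712.400000] audit: type=1400 audit(1519338188.000:970): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/tmp/constructed" pid=4317 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict,
    or None when the line is not an AppArmor audit message."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def iter_denials(lines):
    """Yield the parsed fields of every apparmor="DENIED" line."""
    for line in lines:
        fields = parse_audit_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            yield fields


def summarize_denials(lines):
    """Count identical denials: (profile, operation, path, denied_mask) -> n."""
    return Counter(
        (f.get("profile"), f.get("operation"), f.get("name"), f.get("denied_mask"))
        for f in iter_denials(lines)
    )


def access_by_path(lines):
    """Merge denied masks per (profile, path), e.g. 'wrc' and 'r' -> 'crw',
    which is the access a profile rule for that path would have to grant."""
    masks = defaultdict(set)
    for f in iter_denials(lines):
        masks[(f.get("profile"), f.get("name"))].update(f.get("denied_mask", ""))
    return {key: "".join(sorted(m)) for key, m in masks.items()}


def report(lines):
    """Human-readable summary, one line per distinct denial, sorted."""
    out = []
    for (profile, op, path, mask), n in sorted(summarize_denials(lines).items()):
        out.append(f"{n:3d}x {profile}: {op} {path} (denied {mask})")
    return "\n".join(out)


if __name__ == "__main__":
    # Typical use: python3 this_script.py < /var/log/syslog
    import sys
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(src))
```

Run against a real syslog, the per-path output is what you would compare against the installed profile under /etc/apparmor.d/ to decide whether a denial is a missing rule (the KDE configuration reads above) or intended confinement (the exec of kdeinit4).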
Revision history for this message
Olivier Tilloy (osomon) wrote :

That's bug #1751005.
