[upstream] mozilla cert8.db and key3.db are denied by apparmor

Description:
When opening a docx,xlsx,pptx file, LibreOffice tries to access my Firefox's certificate store and keychain (as reported by default AppArmor rules provided by Canonical on Ubuntu 18.04)
Said files has no digital signature to check, if it were the case, it would be required to use system's certificate store and/or seahorse's certificate store.

Affected versions are 6.0.3 provided by Canonical and 6.0.6 provided by document foundation launchpad PPA.

There are no visible reasons for LibreOffice to try to read anything from Firefox.

Here are the logs produced by AppArmor when opening such files :

home/Magissia/.mozilla/firefox/mwad0hks.default/cert8.db" pid=19509 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 11 18:25:31 Marshmallow kernel: [18154.693846] audit: type=1400 audit(1536683131.498:70): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/Magissia/.mozilla/firefox/mwad0hks.default/key3.db" pid=19509 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Sep 11 18:25:40 Marshmallow kernel: [18163.215743] audit: type=1400 audit(1536683140.018:71): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/version" pid=19509 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Steps to Reproduce:
1. Open any docx file created with Microsoft Word 2013 or superior
2. Enjoy invasion of privacy

Actual Results:
LibreOffice tries to read private files that has nothing to do with the document or LibreOffice

Expected Results:
Not reading Firefox's files when opening documents

Reproducible: Always

User Profile Reset: Yes

OpenGL enabled: Yes

Additional Info:
Version: 6.0.6.2
Build ID: 1:6.0.6-0ubuntu0.18.04.1
Threads CPU : 2; OS : Linux 4.15; UI Render : par défaut; VCL: gtk3;
Locale : fr-FR (fr_FR.UTF-8); Calc: group

*** This bug has been marked as a duplicate of bug 118593 ***

I'm removing the duplicate status: bug 118593 is about loading xmlsecurity at startup even when not needed, whereas this one is a concern about what xmlsecurity does to access firefox's certificates DB.

I'm not a security expert but this looks like a valid concern to me, especially since libreoffice requests write mode to cert8.db and key3.db. Is this really needed? Is there a design doc that explains why?

Feb 6 20:53:48 dinar-Lenovo-G580 kernel: [104675.599346] audit: type=1400 audit(1581011628.880:900): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/dinar/.mozilla/firefox/sge95l3o.default/cert8.db" pid=16630 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Feb 6 20:53:48 dinar-Lenovo-G580 kernel: [104675.600771] audit: type=1400 audit(1581011628.880:901): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/dinar/.mozilla/firefox/sge95l3o.default/key3.db" pid=16630 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

This is the update for all players exited for this just look site here https://fundecade.com/pyramid-solitaire great fun forever here to you seen the hurry to more enjoyments

well, obviously the firefox profile is used because NSS wants to find its certificates for digital signing.

I would also argue that it shouldn't request "w" permissions, but "r" is expected.

I also suggested using ~/.pki/nssdb but...

16:41 < _rene_> is there any plan to be able to use ~/.pki/nssdb? (see https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX)
16:41 < _rene_> instead of the mozilla profile?
16:42 -!- hallnknight [~hallnknig@2401:4900:3b30:951d:983d:6f8:9c88:2aef] has joined #libreoffice-dev
16:42 < _rene_> (context: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975951 and https://bugs.documentfoundation.org/show_bug.cgi?id=119811)
16:42 < IZBot> bug 119811: LibreOffice-LibreOffice normal/medium NEW LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
16:43 < mst___> _rene_, if there's some UI for users to add their certs to that location then sure
16:44 < _rene_> one can do so without a UI? not everything needs a UI?
16:44 < _rene_> at least make it honour that path in addition
16:45 < _rene_> mst___: users nowadays also don't use firefox :)
16:48 <@thorsten> _rene_: thought nss can only use one path?
16:49 < _rene_> no idea, can't one initialize nss two times and use one instance for firefox and the other for that one?
16:49 < _rene_> I mean, there must be more application not relying only on firefox?
16:50 <@thorsten> we had similar issues with thunderbird vs. firefox cert stores,
16:50 < _rene_> mmh
16:50 <@thorsten> IIRC the suggestion was for users to set the proper env var,
16:50 <@thorsten> and we're off the hook?
16:50 <@vmiklos> or just set their preferred path in LO, using tools -> options
16:51 < _rene_> but MOZILLA_CERTIFICATE_FOLDER if you mean that will expect a firefox profile and not work with ~/.pki/nssdb, will it?
16:52 <@vmiklos> you would have to check, possibly both just contain files like certX.db and keyY.db, so perhaps works out of the box
16:52 -!- OlegShtch [~Thunderbi@37.112.63.140] has joined #libreoffice-dev
16:52 < _rene_> ah, right, there's the "Options", didn't know
16:54 < _rene_> ok, related to this:
16:54 < _rene_> why does LO request w permissions?
16:54 < _rene_> r should simply suffice, shouldn't it?
16:55 < _rene_> or is this nss actually opening it? (I guess so...)
16:56 -!- hallnknight [~hallnknig@2401:4900:3b30:951d:983d:6f8:9c88:2aef] has quit [Ping timeout: 264 seconds]
16:56 -!- sberg [~<email address hidden>] has quit [Quit: Leaving]
16:56 <@vmiklos> i guess ideally it should be read-only, right.
16:56 -!- hallnknight [~hallnknig@223.187.154.213] has joined #libreoffice-dev
16:57 * _rene_ writes that into https://bugs.documentfoundation.org/show_bug.cgi?id=119811
16:57 < IZBot> bug 119811: LibreOffice-LibreOffice normal/medium NEW LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
16:57 < _rene_> (with the chat here cut'n'pasted)

the UI btw would be "certutil"

Dear libreoffice,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.

If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not
appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword

Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug