apparmor messages for libreoffice 1:6.0.7-0ubuntu0.18.04.10 etc

Bug #1863151 reported by dinar qurbanov
This bug affects 1 person
Affects: libreoffice (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

i have reported 3 bugs for apparmor's libreoffice profile:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1863097
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1863103
i am afraid i make too many bug reports, so i am going to write other reports here, if they appear.

i have now seen this message:

Feb 13 20:56:25 dinar-Lenovo-G580 kernel: [29200.067772] audit: type=1400 audit(1581616585.668:272): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/dinar/.config/dconf/user" pid=14211 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Heather Ellsworth (hellsworth) wrote :

I understand the issue with cert8.db and key3.db being used (#1862331) but I don't see what the problem is with the other apparmor messages you see in journalctl. Can you please make clear what the problem with these messages is?

dinar qurbanov (qdinar) wrote :

i think that that means that apparmor profile lags behind libreoffice and should be updated.

if it is by design, then there could be comments about that, and it is possible to remove the logs by "deny" keywords.

those messages are bad because they use space in syslog making it harder to read, and they appear on desktop if aa-notify is used.

dinar qurbanov (qdinar) wrote :

messages when opening a file:

several lines of type

Jul 8 09:28:31 dinar-comp kernel: [436272.154664] audit: type=1400 audit(1594189711.176:1784): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name=.... pid=194987 comm="pool-soffice" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

with file names in /home/dinar/Загрузки/ with different extensions, which are not allowed for libreoffice. is it possible to hide these messages with audit deny?

messages when saving a file:

Jul 8 09:29:25 dinar-comp kernel: [436326.363734] audit: type=1400 audit(1594189765.369:1806): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name=2F686F6D652F64696E61722FD097D0B0D0B3D180D183D0B7D0BAD0B82F6C75313934393837637A647636682E746D70 pid=194987 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 8 09:29:25 dinar-comp kernel: [436326.363772] audit: type=1400 audit(1594189765.369:1807): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name=2F686F6D652F64696E61722FD097D0B0D0B3D180D183D0B7D0BAD0B82F6C75313934393837637A647636682E746D70 pid=194987 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Jul 8 09:29:25 dinar-comp kernel: [436326.364023] audit: type=1400 audit(1594189765.369:1808): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name=2F686F6D652F64696E61722FD097D0B0D0B3D180D183D0B7D0BAD0B82F6C75313934393837637A647636682E746D70 pid=194987 comm="soffice.bin" :

the code decoded is /home/dinar/Загрузки/lu194987czdv6h.tmp

there is this corresponding rule in /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin :

owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving

with man apparmor.d i see:

{ab,cd} will expand to one rule to match ab, one rule to match cd

so, the rule allows only 10 or 11 chars after lu, before the dot, but there are 12.

dinar qurbanov (qdinar) wrote :

i modified it to this:

owner @{libo_user_dirs}/{,**/}lu??????????*.tmp rwk, #Temporary file used when saving

and reloaded profile with this

sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin

and the messages (of the last type) disappeared.
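
The check described in the two comments above, as an added example that is not part of the original thread or of the AppArmor or LibreOffice code: it decodes the hex-encoded name= field from the quoted audit record and tests the temp-file name against the basename part of the shipped rule and of the edited rule. The function names, the simplified glob translator and the TIGHTER pattern are assumptions made for illustration; the @{libo_user_dirs}/{,**/} prefix is not evaluated.

```python
import re

# Constructed sample: the mknod record quoted in the thread, trailing fields trimmed.
SAMPLE = ('audit: type=1400 audit(1594189765.369:1806): apparmor="ALLOWED" '
          'operation="mknod" profile="libreoffice-soffice" '
          'name=2F686F6D652F64696E61722FD097D0B0D0B3D180D183D0B7D0BAD0B82F'
          '6C75313934393837637A647636682E746D70 pid=194987 comm="soffice.bin"')

ORIGINAL = "lu??????????{,?}.tmp"     # basename part of the shipped rule
WIDENED = "lu??????????*.tmp"         # basename part of the reporter's edit
TIGHTER = "lu??????????{,?,??}.tmp"   # hypothetical alternative, not from the thread

def audit_name(record):
    """Return name=; audit hex-encodes names with spaces, quotes or non-ASCII bytes."""
    m = re.search(r'\bname=(?:"([^"]*)"|([0-9A-Fa-f]+)\b)', record)
    if m is None:
        return None
    if m.group(1) is not None:
        return m.group(1)          # quoted form: already readable
    return bytes.fromhex(m.group(2)).decode("utf-8", errors="replace")

def aa_glob_to_regex(glob):
    """Translate basename globs only: ?, * and {a,b} alternation (no ** support)."""
    out, depth = [], 0
    for c in glob:
        if c == "*":
            out.append("[^/]*")    # any run of characters except '/'
        elif c == "?":
            out.append("[^/]")     # exactly one character except '/'
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
    return re.compile("".join(out))

def rule_matches(glob, path):
    """Test only the file-name component against the rule's basename glob."""
    return aa_glob_to_regex(glob).fullmatch(path.rsplit("/", 1)[-1]) is not None

if __name__ == "__main__":
    path = audit_name(SAMPLE)
    for label, glob in (("original", ORIGINAL), ("widened", WIDENED), ("tighter", TIGHTER)):
        print(f"{label:9} {glob:26} matches {path}: {rule_matches(glob, path)}")
```

The `*` form accepts a suffix of any length after the first ten characters, while the `{,?,??}` form stops at twelve, which is the length seen in this log.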

dinar qurbanov (qdinar) wrote :

this appeared on libreoffice 6.4.6.2 on linux mint 20 (1:6.4.6-0ubuntu0.20.04.1):

Feb 3 12:30:34 dinar-HP-Pavilion-g7-Notebook-PC kernel: [79901.149664] audit: type=1400 audit(1612344634.103:584): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=43909 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 3 12:30:34 dinar-HP-Pavilion-g7-Notebook-PC kernel: [79901.149678] audit: type=1400 audit(1612344634.103:585): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/zoneinfo-icu/44/le/timezoneTypes.res" pid=43909 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

dinar qurbanov (qdinar) wrote :

and

Feb 3 18:05:11 dinar-HP-Pavilion-g7-Notebook-PC kernel: [83143.894148] audit: type=1400 audit(1612364711.925:597): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/version" pid=45709 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
