Debian Bug report logs - #887593
libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Félix Sipma <felix+debian@gueux.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Thu, 18 Jan 2018 11:29:19 +0100

[Message part 1 (text/plain, inline)]

Package: libreoffice-common
Version: 1:5.4.4-1
Severity: normal

I get a lot of warnings in my logs concerning libreoffice and apparmor. They
appear as ALLOWED, but that would mean they would be DENIED if apparmor was
enabled.

I'm reporting to libreoffice-common, because that's the package shipping
/etc/apparmor.d/usr.lib.libreoffice.program.*.

Here are the log entries:

    Jan 18 10:41:06 laptop audit[1020]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1020 comm="apparmor_parser"
    Jan 18 10:41:06 laptop audit[1019]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1019 comm="apparmor_parser"
    Jan 18 10:41:06 laptop audit[1022]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1022 comm="apparmor_parser"
    Jan 18 10:41:06 laptop audit[1021]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice" pid=1021 comm="apparmor_parser"
    Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/user/1000/X11/Xauthority" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.099:85): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/user/1000/X11/Xauthority" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.107:86): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:87): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:88): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:89): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:90): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:91): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.355:92): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.355:93): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.355:94): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
    Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_inherit" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/dev/null" pid=21125 comm="gpg" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/bin/gpg" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/etc/ld.so.preload" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/etc/ld.so.cache" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libz.so.1.2.8" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libz.so.1.2.8" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libm-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libm-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libpthread-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libpthread-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libdl-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libdl-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/locale/locale-archive" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/home/gueux/.gnupg/gpg.conf" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/etc/locale.alias" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpgsm" pid=21127 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpgsm"
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_inherit" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/dev/null" pid=21127 comm="gpgsm" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/bin/gpgsm" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/etc/ld.so.preload" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/etc/ld.so.cache" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libksba.so.8.11.6" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libksba.so.8.11.6" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/locale/locale-archive" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/etc/locale.alias" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreoffice-common depends on:
ii  libreoffice-style-tango  1:5.4.4-1
ii  ure                      5.4.4-1

Versions of packages libreoffice-common recommends:
ii  fonts-liberation    1:1.07.4-5
ii  libexttextcat-data  3.4.5-1
ii  python3-uno         1:5.4.4-1

Versions of packages libreoffice-common suggests:
ii  libreoffice-style-galaxy [libreoffice-style]  1:5.4.4-1
ii  libreoffice-style-tango [libreoffice-style]   1:5.4.4-1

Versions of packages python3-uno depends on:
ii  libc6             2.26-4
ii  libgcc1           1:7.2.0-19
ii  libpython3.6      3.6.4-3
ii  libreoffice-core  1:5.4.4-1
ii  libstdc++6        7.2.0-19
ii  python3           3.6.4-1
ii  python3.6         3.6.4-3
ii  uno-libs3         5.4.4-1
ii  ure               5.4.4-1

-- no debconf information

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Félix Sipma <felix+debian@gueux.org>, 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Thu, 18 Jan 2018 14:05:02 +0100

severity 887593 minor
block 886548 by 887953
thanks

On Thu, Jan 18, 2018 at 11:29:19AM +0100, Félix Sipma wrote:
> I get a lot of warnings in my logs concerning libreoffice and apparmor. They
> appear as ALLOWED, but that would mean they would be DENIED if apparmor was
> enabled.

Which is the reason it's in complain mode :)

>     Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/user/1000/X11/Xauthority" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.099:85): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/user/1000/X11/Xauthority" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.107:86): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:87): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:88): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:89): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:90): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.351:91): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.355:92): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.355:93): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop kernel: audit: type=1400 audit(1516270165.355:94): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/uevent" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21106]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/pci0000:00/0000:00:02.0/subsystem_device" pid=21106 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


X stuff....

>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

Here it gets interesting. That's for digital signing with X.509. The
certificates are supposed to come from mozilla...

>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_inherit" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/dev/null" pid=21125 comm="gpg" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/bin/gpg" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/etc/ld.so.preload" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/etc/ld.so.cache" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libz.so.1.2.8" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libz.so.1.2.8" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libm-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libm-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libpthread-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libpthread-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libdl-2.26.so" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libdl-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/locale/locale-archive" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/home/gueux/.gnupg/gpg.conf" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpg" name="/etc/locale.alias" pid=21125 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpgsm" pid=21127 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpgsm"
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_inherit" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/dev/null" pid=21127 comm="gpgsm" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/bin/gpgsm" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0

gpg and gpg list/stuff gpg uses for digital signing/encryption with
gpg... Did already add gpgconf when I saw that one in the logs, but...
I wasn't aware one needs to allow locale stuff here explicitely too...

>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/etc/ld.so.preload" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/etc/ld.so.cache" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

... or the linker ...

>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0

.. or openssl used by gpg ...

>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libksba.so.8.11.6" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libksba.so.8.11.6" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libgpg-error.so.0.22.0" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libassuan.so.0.8.1" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libreadline.so.7.0" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libc-2.26.so" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=21127 comm="gpgsm" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/usr/lib/locale/locale-archive" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>     Jan 18 11:09:27 laptop audit[21127]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/usr/bin/gpgsm" name="/etc/locale.alias" pid=21127 comm="gpgsm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

More gpg binaries/libs and locale stuff....

Regards,

Rene

Message #17 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Félix Sipma <felix+debian@gueux.org>, 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Thu, 18 Jan 2018 14:47:55 +0100

Hi again,

On Thu, Jan 18, 2018 at 02:05:02PM +0100, Rene Engelhard wrote:
> X stuff....

diff --git a/sysui/desktop/apparmor/program.oosplash b/sysui/desktop/apparmor/program.oosplash
index fef54b7ee384..d68fa776de8f 100644
--- a/sysui/desktop/apparmor/program.oosplash
+++ b/sysui/desktop/apparmor/program.oosplash
@@ -14,6 +14,7 @@
 
 profile libreoffice-oopslash INSTDIR-program/oosplash {
   #include <abstractions/base>
+  #include <abstractions/X>
 
   /etc/libreoffice/                     r,
   /etc/libreoffice/**                   r,

might do at least parts of it. (Xauthority for example.)

> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> >     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> 
> Here it gets interesting. That's for digital signing with X.509. The
> certificates are supposed to come from mozilla...
> 
> >     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/gpg" pid=21125 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice//null-/usr/bin/gpg"
[...]

diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index ff2c4b08cd4b..efa801445e6b 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -114,6 +114,8 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /usr/bin/lpr                          rmPUx,
   /usr/bin/paperconf                    rmix,
   /usr/bin/gpgconf                      rmix,
+  /usr/bin/gpg                          rmix,
+  /usr/bin/gpgsm                        rmix,
 
   /dev/tty                              rw,
 
is trivial, though I still wonder about

> >     Jan 18 11:09:27 laptop audit[21125]: AVC apparmor="ALLOWED" operation="file_mmap" profile= libreoffice-soffice//null-/usr/bin/gpg" name="/usr/lib/x86_64-linux-gnu/ld-2.26.so" pid=21125 comm="gpg" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0

stuff like this and the following (libc, locale.alias, etc.)...

Regards,

Rene

Message #24 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Félix Sipma <felix+debian@gueux.org>, 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Thu, 18 Jan 2018 15:33:21 +0100

On Thu, Jan 18, 2018 at 11:29:19AM +0100, Félix Sipma wrote:
>     Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/sys/devices/virtual/block/dm-0/queue/rotational" pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

15:07 < _rene_>     Jan 18 11:09:25 laptop audit[21088]: AVC apparmor="ALLOWED"
                operation="open" profile="libreoffice-oopslash" 
                name="/sys/devices/virtual/block/dm-0/queue/rotational" 
                pid=21088 comm="oosplash" requested_mask="r" denied_mask="r" 
                fsuid=1000 ouid=0
[...]
15:09 <@jmux> _rene_: desktop/unx/source/pagein.c:61:    
sprintf(fullpath,"/sys/dev/block/%d:%d/queue/rotational",major,minor);
15:09 < _rene_> shrugs.
15:10 <@jmux> I stumbled about this code a while ago and quickly wiped my 
              memory of it
15:11 < mst_> jmux: it probably calls SfxBaseModel::close
15:11 < _rene_> ok, shouldn't do bad things at least when this is disallowed

>     Jan 18 11:09:25 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.config/X11/XCompose" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/profiles.ini" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/secmod.db" pid=21105 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/cert8.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
>     Jan 18 11:09:27 laptop audit[21105]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/gueux/.mozilla/firefox/g5to00w2.default-1471855693129/key3.db" pid=21105 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

Leaves (assuming the simple adding of gpg and gpgsm suffices) just this one.

https://github.com/mk-fg/apparmor-profiles/blob/master/profiles/usr.bin.firefox
has

owner @{HOME}/.mozilla/firefox/** rwk,

in the profile...

Thinking about it, we probably also would need owner "@{HOME}/.gnupg/* rwk,"
then for gpg. This gets interesting...

Regards,

Rene

Message #31 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Christian Boltz <debian-bugs@cboltz.de>

To: 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Fri, 19 Jan 2018 12:52:32 +0100

[Message part 1 (text/plain, inline)]

Hello,

just a quick note:

> +  /usr/bin/gpg                          rmix,
> +  /usr/bin/gpgsm                        rmix,

and in a later comment

> Thinking about it, we probably also would need owner 
> "@{HOME}/.gnupg/* rwk," then for gpg. This gets interesting...

I'd recommend to use Cx (child profile) rules for gpg so that only gpg 
(and not libreoffice) get access to ~/.gnupg/


Regards,

Christian Boltz
-- 
| $ rpm -q --whatrequires kernel
| no package requires kernel
Ach ja, dascha interessant! Kein RPM braucht das? Ja wie? Dann kann
ich das RPM ja also beruhigt loeschen? Braucht ja keiner... *lol*
[David Haller in suse-linux]

[signature.asc (application/pgp-signature, inline)]

Message #36 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Christian Boltz <debian-bugs@cboltz.de>, 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Fri, 19 Jan 2018 13:16:57 +0100

On Fri, Jan 19, 2018 at 12:52:32PM +0100, Christian Boltz wrote:
> just a quick note:
> 
> > +  /usr/bin/gpg                          rmix,
> > +  /usr/bin/gpgsm                        rmix,
> 
> and in a later comment
> 
> > Thinking about it, we probably also would need owner 
> > "@{HOME}/.gnupg/* rwk," then for gpg. This gets interesting...
> 
> I'd recommend to use Cx (child profile) rules for gpg so that only gpg 
> (and not libreoffice) get access to ~/.gnupg/

So you basically say this should be

/usr/bin/gpg                          rmCx,
/usr/bin/gpgsm                        rmCx,

?

At least that is how I read
https://github.com/coderbunker/linux/wiki/Apparmor-how-to

Something special for .gnupg then? Right now there is
https://cgit.freedesktop.org/libreoffice/core/commit/?id=c6a19889e91f2585453636667e3d5779b153ab86:

owner @{HOME}/.gnupg/* r,

Regards,

Rene

Message #41 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Christian Boltz <debian-bugs@cboltz.de>

To: Rene Engelhard <rene@debian.org>, 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Fri, 19 Jan 2018 23:24:56 +0100

[Message part 1 (text/plain, inline)]

Hello,

Am Freitag, 19. Januar 2018, 13:16:57 CET schrieb Rene Engelhard:
> On Fri, Jan 19, 2018 at 12:52:32PM +0100, Christian Boltz wrote:
> > I'd recommend to use Cx (child profile) rules for gpg so that only
> > gpg (and not libreoffice) get access to ~/.gnupg/
> 
> So you basically say this should be
> 
> /usr/bin/gpg                          rmCx,
> /usr/bin/gpgsm                        rmCx,

I prefer mrCx because rm tends to confuse people not familiar with 
AppArmor (no, 'rm' does not mean delete permissions ;-) but in general 
you are right.

Note that this will result in two child profiles - one for each binary:

  profile /usr/bin/gpg {
    # whatever is needed
  }

  profile /usr/bin/gpgsm {
    # whatever is needed
  }

If you want to have a common child profile for gpg and gpgsm, use

  /usr/bin/gpg                          mrCx -> gpg,
  /usr/bin/gpgsm                        mrCx -> gpg,

  profile gpg {
      # whatever is needed
  }

> At least that is how I read
> https://github.com/coderbunker/linux/wiki/Apparmor-how-to

I didn't read all text on that page, but on a quick look it looks good.
<shameless plug>
Actually it *must* be good because it links to my presentation ;-))
(If you prefer to only read the slides, you can download them from
https://blog.cboltz.de/archives/70-openSUSE-Conference-2016.html )
</shameless plug>

> Something special for .gnupg then? Right now there is
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=c6a19889e91f2
> 585453636667e3d5779b153ab86:

nice[tm]

+  # there is abstractions/gnupg but that's just for gpg1...

In such cases, it's a good idea to open a bugreport upstream [1] or to 
send a merge request on gitlab to get the abstraction updated ;-)
You might still want/need to add it in your profile as a temporary 
solution until everybody has a new-enough abstraction.

> owner @{HOME}/.gnupg/* r,

Indeed, giving gpg read access to all files in ~/.gnupg/ makes sense. 
I'd be very surprised if this directory contains a file gpg should not 
be allowed to read ;-)


Regards,

Christian Boltz

[1] actually a bugreport against the Debian AppArmor package also works.
    Even if I don't use Debian, I read all AppArmor-related Debian 
    bugreports.

-- 
Tja, in der Urzeit war vieles einfacher.
Da musste man sich nicht um die korrekte Uhrzeit seiner Rechner-Uhr
kümmern, weil es noch keine Mailing-Listen gab. ;-)
[Carsten Neumann in opensuse-de]

[signature.asc (application/pgp-signature, inline)]

Message #46 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Christian Boltz <debian-bugs@cboltz.de>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Sat, 20 Jan 2018 16:45:15 +0100

Hi,

On Fri, Jan 19, 2018 at 11:24:56PM +0100, Christian Boltz wrote:
> If you want to have a common child profile for gpg and gpgsm, use
> 
>   /usr/bin/gpg                          mrCx -> gpg,
>   /usr/bin/gpgsm                        mrCx -> gpg,
> 
>   profile gpg {
>       # whatever is needed
>   }

OK, done

https://cgit.freedesktop.org/libreoffice/core/commit/?id=24702687433842a6e9e8a1070ead46c035192bf3

and

https://salsa.debian.org/libreoffice-team/libreoffice/libreoffice/commit/f823c912e69cb0611a009f49c

Regards,

Rene

Message #51 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Sun, 21 Jan 2018 16:02:37 +0200

For the record, these */uevent files are accessed by libdrm

Here's breakpoint while opening `/sys/dev/char/226:0/device/ueven` file:

```
Thread 2.1 "soffice.bin" hit Catchpoint 1 (call to syscall openat), 0x00007fa253f6961e in __libc_open64 
(file=0x7ffe077e8900 "/sys/dev/char/226:0/device/uevent", oflag=<optimized out>) at ../sysdeps/unix/sysv/linux/open64.c:46
46	in ../sysdeps/unix/sysv/linux/open64.c
$9 = 0x7ffe077e8900 "/sys/dev/char/226:0/device/uevent"
#0  0x00007fa253f6961e in __libc_open64 (file=0x7ffe077e8900 "/sys/dev/char/226:0/device/uevent", oflag=<optimized out>) 
at ../sysdeps/unix/sysv/linux/open64.c:46
#1  0x00007fa253efc7f3 in __GI__IO_file_open (fp=fp@entry=0x55c7416935d0, filename=<optimized out>, 
posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:229
#2  0x00007fa253efc9c2 in _IO_new_file_fopen (fp=fp@entry=0x55c7416935d0, filename=filename@entry=0x7ffe077e8900 
"/sys/dev/char/226:0/device/uevent", mode=<optimized out>, mode@entry=0x7fa23f942280 "r", is32not64=is32not64@entry=1) 
at fileops.c:334
#3  0x00007fa253ef02f4 in __fopen_internal (filename=0x7ffe077e8900 "/sys/dev/char/226:0/device/uevent", 
mode=0x7fa23f942280 "r", is32=1) at iofopen.c:86
#4  0x00007fa23f939500 in  () at /lib/x86_64-linux-gnu/libdrm.so.2
#5  0x00007fa23f93a1c0 in  () at /lib/x86_64-linux-gnu/libdrm.so.2
#6  0x00007fa23f93a2c1 in  () at /lib/x86_64-linux-gnu/libdrm.so.2
#7  0x00007fa23f93e143 in drmGetDevice2 () at /lib/x86_64-linux-gnu/libdrm.so.2
#8  0x00007fa24140c00d in  () at /lib/x86_64-linux-gnu/libGLX_mesa.so.0
#9  0x00007fa24140c6af in  () at /lib/x86_64-linux-gnu/libGLX_mesa.so.0
#10 0x00007fa2414063ec in  () at /lib/x86_64-linux-gnu/libGLX_mesa.so.0
#11 0x00007fa2413de664 in  () at /lib/x86_64-linux-gnu/libGLX_mesa.so.0
#12 0x00007fa2413d9d84 in  () at /lib/x86_64-linux-gnu/libGLX_mesa.so.0
#13 0x00007fa2413dac55 in  () at /lib/x86_64-linux-gnu/libGLX_mesa.so.0
#14 0x00007fa257ac57e5 in glxtest() () at ./vcl/unx/glxtest.cxx:176
#15 0x00007fa257ac5acf in fire_glxtest_process() () at ./vcl/unx/glxtest.cxx:264
#16 0x00007fa2566ae09f in soffice_main() () at ./desktop/source/app/sofficemain.cxx:129
#17 0x000055c740c7278b in sal_main () at ./desktop/source/app/main.c:48
#18 0x000055c740c7278b in main (argc=<optimized out>, argv=<optimized out>) at ./desktop/source/app/main.c:47
```

I'm working for upstream fix.

Message #56 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Sun, 21 Jan 2018 16:28:42 +0200

https://gerrit.libreoffice.org/#/c/48265/

Message #61 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Vincas Dargis <vindrg@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Sun, 21 Jan 2018 19:33:53 +0100

HI,

On Sun, Jan 21, 2018 at 04:28:42PM +0200, Vincas Dargis wrote:
> https://gerrit.libreoffice.org/#/c/48265/

Merged upstream (and submitted it for -6-0, too), and created
https://gitlab.com/apparmor/apparmor/merge_requests/59

Want to do a MR or should I just backport the patch myself?

Regards,

Rene

Message #66 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: Rene Engelhard <rene@debian.org>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

Date: Sun, 21 Jan 2018 20:50:22 +0200

On 2018-01-21 20:33, Rene Engelhard wrote:
> Want to do a MR or should I just backport the patch myself?

I would like to try to backport it within upcoming week.

Message #71 received at 887593-close@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: 887593-close@bugs.debian.org

Subject: Bug#887593: fixed in libreoffice 1:6.0.0~rc3-1

Date: Sat, 27 Jan 2018 11:52:39 +0000

Source: libreoffice
Source-Version: 1:6.0.0~rc3-1

We believe that the bug you reported is fixed in the latest version of
libreoffice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887593@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated libreoffice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 27 Jan 2018 11:36:59 +0100
Source: libreoffice
Binary: libreoffice libreoffice-l10n-za libreoffice-l10n-in libreoffice-core libreoffice-common libreoffice-java-common libreoffice-writer libreoffice-calc libreoffice-impress libreoffice-draw libreoffice-math libreoffice-base-core libreoffice-base libreoffice-style-breeze libreoffice-style-tango libreoffice-style-hicontrast libreoffice-style-sifr libreoffice-style-galaxy libreoffice-style-elementary libreoffice-gnome python3-uno libreoffice-officebean libreoffice-script-provider-python libreoffice-script-provider-bsh libreoffice-script-provider-js libreoffice-avmedia-backend-gstreamer libreoffice-avmedia-backend-vlc libreoffice-sdbc-hsqldb libreoffice-base-drivers libreoffice-l10n-af libreoffice-l10n-am libreoffice-l10n-ar libreoffice-l10n-as libreoffice-l10n-ast libreoffice-l10n-be libreoffice-l10n-bg libreoffice-l10n-bn libreoffice-l10n-br libreoffice-l10n-bs libreoffice-l10n-ca libreoffice-l10n-cs libreoffice-l10n-cy libreoffice-l10n-da libreoffice-l10n-de
 libreoffice-l10n-dz libreoffice-l10n-el libreoffice-l10n-en-gb libreoffice-l10n-en-za libreoffice-l10n-eo libreoffice-l10n-es libreoffice-l10n-et libreoffice-l10n-eu libreoffice-l10n-fa libreoffice-l10n-fi libreoffice-l10n-fr libreoffice-l10n-ga libreoffice-l10n-gd libreoffice-l10n-gl libreoffice-l10n-gu libreoffice-l10n-gug libreoffice-l10n-he libreoffice-l10n-hi libreoffice-l10n-hr libreoffice-l10n-hu libreoffice-l10n-id libreoffice-l10n-is libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-ka libreoffice-l10n-kk libreoffice-l10n-km libreoffice-l10n-kmr libreoffice-l10n-kn libreoffice-l10n-ko libreoffice-l10n-lt libreoffice-l10n-lv libreoffice-l10n-mk libreoffice-l10n-mn libreoffice-l10n-ml libreoffice-l10n-mr libreoffice-l10n-nb libreoffice-l10n-ne libreoffice-l10n-nl libreoffice-l10n-nn libreoffice-l10n-nr libreoffice-l10n-nso libreoffice-l10n-oc libreoffice-l10n-om libreoffice-l10n-or libreoffice-l10n-pa-in libreoffice-l10n-pl libreoffice-l10n-pt
 libreoffice-l10n-pt-br libreoffice-l10n-ro libreoffice-l10n-ru libreoffice-l10n-rw libreoffice-l10n-si libreoffice-l10n-sk libreoffice-l10n-sl libreoffice-l10n-sr libreoffice-l10n-ss libreoffice-l10n-st libreoffice-l10n-sv libreoffice-l10n-ta libreoffice-l10n-te libreoffice-l10n-tg libreoffice-l10n-th libreoffice-l10n-tn libreoffice-l10n-tr libreoffice-l10n-ts libreoffice-l10n-ug libreoffice-l10n-uk libreoffice-l10n-uz libreoffice-l10n-ve libreoffice-l10n-vi libreoffice-l10n-xh libreoffice-l10n-zh-cn libreoffice-l10n-zh-tw libreoffice-l10n-zu libreoffice-help-en-us libreoffice-help-ca libreoffice-help-cs libreoffice-help-da libreoffice-help-de libreoffice-help-dz libreoffice-help-el libreoffice-help-en-gb libreoffice-help-es libreoffice-help-et libreoffice-help-eu libreoffice-help-fi libreoffice-help-fr libreoffice-help-gl libreoffice-help-hi libreoffice-help-hu libreoffice-help-it libreoffice-help-ja libreoffice-help-km libreoffice-help-ko libreoffice-help-nl
 libreoffice-help-om libreoffice-help-pl libreoffice-help-pt libreoffice-help-pt-br libreoffice-help-ru libreoffice-help-sk libreoffice-help-sl libreoffice-help-sv libreoffice-help-tr libreoffice-help-vi libreoffice-help-zh-cn libreoffice-help-zh-tw uno-libs3 ure libreoffice-ogltrans libreoffice-wiki-publisher libreoffice-report-builder libreoffice-report-builder-bin libreoffice-nlpsolver fonts-opensymbol libreoffice-dev libreoffice-dev-common libreoffice-dev-doc libreofficekit-dev libreoffice-gtk2 libreoffice-gtk3 gir1.2-lokdocview-0.1 liblibreofficekitgtk libreofficekit-data libreoffice-sdbc-postgresql libreoffice-mysql-connector libreoffice-evolution libreoffice-subsequentcheckbase libreoffice-librelogo libreoffice-sdbc-firebird
 libreoffice-pdfimport
Architecture: source
Version: 1:6.0.0~rc3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description:
 fonts-opensymbol - OpenSymbol TrueType font
 gir1.2-lokdocview-0.1 - GTK3 widget wrapping LibreOffice functionality - introspection
 liblibreofficekitgtk - GTK3 widget wrapping LibreOffice functionality
 libreoffice - office productivity suite (metapackage)
 libreoffice-avmedia-backend-gstreamer - GStreamer backend for LibreOffice
 libreoffice-avmedia-backend-vlc - VLC backend for LibreOffice
 libreoffice-base - office productivity suite -- database
 libreoffice-base-core - office productivity suite -- shared library
 libreoffice-base-drivers - Database connectivity drivers for LibreOffice
 libreoffice-calc - office productivity suite -- spreadsheet
 libreoffice-common - office productivity suite -- arch-independent files
 libreoffice-core - office productivity suite -- arch-dependent files
 libreoffice-dev - office productivity suite -- SDK -- architecture-dependent parts
 libreoffice-dev-common - office productivity suite -- SDK -- architecture-independent part
 libreoffice-dev-doc - office productivity suite -- SDK documentation
 libreoffice-draw - office productivity suite -- drawing
 libreoffice-evolution - office productivity suite -- Evolution addressbook support
 libreoffice-gnome - office productivity suite -- GNOME integration
 libreoffice-gtk2 - office productivity suite -- GTK+ 2 integration
 libreoffice-gtk3 - office productivity suite -- GTK+ 3 integration
 libreoffice-help-ca - office productivity suite -- Catalan help
 libreoffice-help-cs - office productivity suite -- Czech help
 libreoffice-help-da - office productivity suite -- Danish help
 libreoffice-help-de - office productivity suite -- German help
 libreoffice-help-dz - office productivity suite -- Dzongkha help
 libreoffice-help-el - office productivity suite -- Greek help
 libreoffice-help-en-gb - office productivity suite -- English_british help
 libreoffice-help-en-us - office productivity suite -- English_american help
 libreoffice-help-es - office productivity suite -- Spanish help
 libreoffice-help-et - office productivity suite -- Estonian help
 libreoffice-help-eu - office productivity suite -- Basque help
 libreoffice-help-fi - office productivity suite -- Finnish help
 libreoffice-help-fr - office productivity suite -- French help
 libreoffice-help-gl - office productivity suite -- Galician help
 libreoffice-help-hi - office productivity suite -- Hindi help
 libreoffice-help-hu - office productivity suite -- Hungarian help
 libreoffice-help-it - office productivity suite -- Italian help
 libreoffice-help-ja - office productivity suite -- Japanese help
 libreoffice-help-km - office productivity suite -- Khmer help
 libreoffice-help-ko - office productivity suite -- Korean help
 libreoffice-help-nl - office productivity suite -- Dutch help
 libreoffice-help-om - office productivity suite -- Oromo help
 libreoffice-help-pl - office productivity suite -- Polish help
 libreoffice-help-pt - office productivity suite -- Portuguese help
 libreoffice-help-pt-br - office productivity suite -- Portuguese_brazilian help
 libreoffice-help-ru - office productivity suite -- Russian help
 libreoffice-help-sk - office productivity suite -- Slovak help
 libreoffice-help-sl - office productivity suite -- Slovenian help
 libreoffice-help-sv - office productivity suite -- Swedish help
 libreoffice-help-tr - office productivity suite -- Turkish help
 libreoffice-help-vi - office productivity suite -- Vietnamese help
 libreoffice-help-zh-cn - office productivity suite -- Chinese_simplified help
 libreoffice-help-zh-tw - office productivity suite -- Chinese_traditional help
 libreoffice-impress - office productivity suite -- presentation
 libreoffice-java-common - office productivity suite -- arch-independent Java support files
 libreoffice-l10n-af - office productivity suite -- Afrikaans language package
 libreoffice-l10n-am - office productivity suite -- Amharic language package
 libreoffice-l10n-ar - office productivity suite -- Arabic language package
 libreoffice-l10n-as - office productivity suite -- Assamese language package
 libreoffice-l10n-ast - office productivity suite -- Asturian language package
 libreoffice-l10n-be - office productivity suite -- Belarussian language package
 libreoffice-l10n-bg - office productivity suite -- Bulgarian language package
 libreoffice-l10n-bn - office productivity suite -- Bengali language package
 libreoffice-l10n-br - office productivity suite -- Breton language package
 libreoffice-l10n-bs - office productivity suite -- Bosnian language package
 libreoffice-l10n-ca - office productivity suite -- Catalan language package
 libreoffice-l10n-cs - office productivity suite -- Czech language package
 libreoffice-l10n-cy - office productivity suite -- Welsh language package
 libreoffice-l10n-da - office productivity suite -- Danish language package
 libreoffice-l10n-de - office productivity suite -- German language package
 libreoffice-l10n-dz - office productivity suite -- Dzongkha language package
 libreoffice-l10n-el - office productivity suite -- Greek language package
 libreoffice-l10n-en-gb - office productivity suite -- English_british language package
 libreoffice-l10n-en-za - office productivity suite -- English_southafrican language packag
 libreoffice-l10n-eo - office productivity suite -- Esperanto language package
 libreoffice-l10n-es - office productivity suite -- Spanish language package
 libreoffice-l10n-et - office productivity suite -- Estonian language package
 libreoffice-l10n-eu - office productivity suite -- Basque language package
 libreoffice-l10n-fa - office productivity suite -- Farsi language package
 libreoffice-l10n-fi - office productivity suite -- Finnish language package
 libreoffice-l10n-fr - office productivity suite -- French language package
 libreoffice-l10n-ga - office productivity suite -- Gaelic language package
 libreoffice-l10n-gd - office productivity suite -- Scottish_gaelic language package
 libreoffice-l10n-gl - office productivity suite -- Galician language package
 libreoffice-l10n-gu - office productivity suite -- Gujarati language package
 libreoffice-l10n-gug - office productivity suite -- Guarani language package
 libreoffice-l10n-he - office productivity suite -- Hebrew language package
 libreoffice-l10n-hi - office productivity suite -- Hindi language package
 libreoffice-l10n-hr - office productivity suite -- Croatian language package
 libreoffice-l10n-hu - office productivity suite -- Hungarian language package
 libreoffice-l10n-id - office productivity suite -- Indonesian language package
 libreoffice-l10n-in - office productivity suite -- Indic language packages
 libreoffice-l10n-is - office productivity suite -- Icelandic language package
 libreoffice-l10n-it - office productivity suite -- Italian language package
 libreoffice-l10n-ja - office productivity suite -- Japanese language package
 libreoffice-l10n-ka - office productivity suite -- Georgian language package
 libreoffice-l10n-kk - office productivity suite -- Kazakh language package
 libreoffice-l10n-km - office productivity suite -- Khmer language package
 libreoffice-l10n-kmr - office productivity suite -- Kurmanji language package
 libreoffice-l10n-kn - office productivity suite -- Kannada language package
 libreoffice-l10n-ko - office productivity suite -- Korean language package
 libreoffice-l10n-lt - office productivity suite -- Lithuanian language package
 libreoffice-l10n-lv - office productivity suite -- Latvian language package
 libreoffice-l10n-mk - office productivity suite -- Macedonian language package
 libreoffice-l10n-ml - office productivity suite -- Malayalam language package
 libreoffice-l10n-mn - office productivity suite -- Mongolian language package
 libreoffice-l10n-mr - office productivity suite -- Marathi language package
 libreoffice-l10n-nb - office productivity suite -- Norwegian language package
 libreoffice-l10n-ne - office productivity suite -- Nepalese language package
 libreoffice-l10n-nl - office productivity suite -- Dutch language package
 libreoffice-l10n-nn - office productivity suite -- Norwegian_nynorsk language package
 libreoffice-l10n-nr - office productivity suite -- Ndebele language package
 libreoffice-l10n-nso - office productivity suite -- Northern_sotho language package
 libreoffice-l10n-oc - office productivity suite -- Occitan language package
 libreoffice-l10n-om - office productivity suite -- Oromo language package
 libreoffice-l10n-or - office productivity suite -- Odia language package
 libreoffice-l10n-pa-in - office productivity suite -- Punjabi language package
 libreoffice-l10n-pl - office productivity suite -- Polish language package
 libreoffice-l10n-pt - office productivity suite -- Portuguese language package
 libreoffice-l10n-pt-br - office productivity suite -- Portuguese_brazilian language packag
 libreoffice-l10n-ro - office productivity suite -- Romanian language package
 libreoffice-l10n-ru - office productivity suite -- Russian language package
 libreoffice-l10n-rw - office productivity suite -- Kinarwanda language package
 libreoffice-l10n-si - office productivity suite -- Sinhala language package
 libreoffice-l10n-sk - office productivity suite -- Slovak language package
 libreoffice-l10n-sl - office productivity suite -- Slovenian language package
 libreoffice-l10n-sr - office productivity suite -- Serbian language package
 libreoffice-l10n-ss - office productivity suite -- Swazi language package
 libreoffice-l10n-st - office productivity suite -- Southern_sotho language package
 libreoffice-l10n-sv - office productivity suite -- Swedish language package
 libreoffice-l10n-ta - office productivity suite -- Tamil language package
 libreoffice-l10n-te - office productivity suite -- Telugu language package
 libreoffice-l10n-tg - office productivity suite -- Tajik language package
 libreoffice-l10n-th - office productivity suite -- Thai language package
 libreoffice-l10n-tn - office productivity suite -- Tswana language package
 libreoffice-l10n-tr - office productivity suite -- Turkish language package
 libreoffice-l10n-ts - office productivity suite -- Tsonga language package
 libreoffice-l10n-ug - office productivity suite -- Uighur language package
 libreoffice-l10n-uk - office productivity suite -- Ukrainian language package
 libreoffice-l10n-uz - office productivity suite -- Uzbek language package
 libreoffice-l10n-ve - office productivity suite -- Venda language package
 libreoffice-l10n-vi - office productivity suite -- Vietnamese language package
 libreoffice-l10n-xh - office productivity suite -- Xhosa language package
 libreoffice-l10n-za - office productivity suite -- South African language packages
 libreoffice-l10n-zh-cn - office productivity suite -- Chinese_simplified language package
 libreoffice-l10n-zh-tw - office productivity suite -- Chinese_traditional language package
 libreoffice-l10n-zu - office productivity suite -- Zulu language package
 libreoffice-librelogo - Logo-like progamming language for LibreOffice
 libreoffice-math - office productivity suite -- equation editor
 libreoffice-mysql-connector - MariaDB/MySQL Connector extension for LibreOffice
 libreoffice-nlpsolver - "Solver for Nonlinear Programming" extension for LibreOffice
 libreoffice-officebean - office productivity suite -- Java bean
 libreoffice-ogltrans - LibreOffice Impress extension for slide transitions using OpenGL
 libreoffice-pdfimport - transitional package for PDF Import component for LibreOffice
 libreoffice-report-builder - LibreOffice component for building database reports
 libreoffice-report-builder-bin - LibreOffice component for building database reports -- libraries
 libreoffice-script-provider-bsh - BeanShell script support provider for LibreOffice scripting frame
 libreoffice-script-provider-js - JavaScript script support provider for LibreOffice scripting fram
 libreoffice-script-provider-python - Python script support provider for LibreOffice scripting framewor
 libreoffice-sdbc-firebird - Firebird SDBC driver for LibreOffice
 libreoffice-sdbc-hsqldb - HSQLDB SDBC driver for LibreOffice
 libreoffice-sdbc-postgresql - PostgreSQL SDBC driver for LibreOffice
 libreoffice-style-breeze - office productivity suite -- Breeze symbol style
 libreoffice-style-elementary - office productivity suite -- Elementary symbol style
 libreoffice-style-galaxy - office productivity suite -- Galaxy (Default) symbol style
 libreoffice-style-hicontrast - office productivity suite -- Hicontrast symbol style
 libreoffice-style-sifr - office productivity suite -- Sifr symbol style
 libreoffice-style-tango - office productivity suite -- Tango symbol style
 libreoffice-subsequentcheckbase - LibreOffice java test libraries
 libreoffice-wiki-publisher - LibreOffice extension for working with MediaWiki articles
 libreoffice-writer - office productivity suite -- word processor
 libreofficekit-data - common data for LOKDocView
 libreofficekit-dev - LibreOfficeKit -- headers
 python3-uno - Python-UNO bridge
 uno-libs3  - LibreOffice UNO runtime environment -- public shared libraries
 ure        - LibreOffice UNO runtime environment
Closes: 887593
Changes:
 libreoffice (1:6.0.0~rc3-1) experimental; urgency=medium
 .
   * New upstream release candidate
 .
   * debian/patches/apparmor-fixes.diff: add patch from master with syntax
     fixes. Also include X abstractions and allow .mozilla/firefox/** reading
   * debian/patches/apparmor-updates.diff: more gpg stuff: gpg(sm), .gnupg/*
   (both together closes: #887593)
   * debian/rules, debian/source/include-binaries: temporarily use internal glm;
     configure check fails since the gcc 7.3 upload
Checksums-Sha1:
 82d3308080ad6ce5ae46057fd0fd0ccd175834d9 27116 libreoffice_6.0.0~rc3-1.dsc
 872204f19c908d84071838416f922ff6d0adf7f1 2437076 libreoffice_6.0.0~rc3.orig-helpcontent2.tar.xz
 d117bf21d63b19396caca88380539532408b3be7 139437344 libreoffice_6.0.0~rc3.orig-translations.tar.xz
 98656b1889ef577c05e75734692dfc59152bca91 203284136 libreoffice_6.0.0~rc3.orig.tar.xz
 1426b6971758f712207ee2219adc2dba8af4925d 801 libreoffice_6.0.0~rc3.orig.tar.xz.asc
 81e4926ff1615e5cc6ce93227a6e7549add66172 13580336 libreoffice_6.0.0~rc3-1.debian.tar.xz
 b849a4d2832fb95263008ae7c0feddf00acdf6cf 33238 libreoffice_6.0.0~rc3-1_source.buildinfo
Checksums-Sha256:
 58964cb6fc816b8bbbde31a5305a0d0fb7ea6f46f2cbb20da4153185b8db89fb 27116 libreoffice_6.0.0~rc3-1.dsc
 cdd5bf989788c570873915dd6b5f59b98f7a05a7b1b4e39befdc651f5e93da32 2437076 libreoffice_6.0.0~rc3.orig-helpcontent2.tar.xz
 6ceeaef827c54b57ec09a45eaaae39d703cdef43f529d54359592f4b24abedbb 139437344 libreoffice_6.0.0~rc3.orig-translations.tar.xz
 dc2171845ec19d5a0cece2c0052172011b2ec435cac80cb47637f2af94e19e3d 203284136 libreoffice_6.0.0~rc3.orig.tar.xz
 278b553986e70efd9ab34308dcc0fae639d4ecbe3129f12a372a9faa893ddd08 801 libreoffice_6.0.0~rc3.orig.tar.xz.asc
 b8757c9b89e6110c34510a963fa2b2a44e2759658ede571ee39132d619e77cdb 13580336 libreoffice_6.0.0~rc3-1.debian.tar.xz
 b332ce37dc9b332b7f9acac124013b1c696afb528e5624658ad2d3846ff9a970 33238 libreoffice_6.0.0~rc3-1_source.buildinfo
Files:
 d6c78d29cf994030123ca292f36d0d0d 27116 editors optional libreoffice_6.0.0~rc3-1.dsc
 59fb86c6274e6c8ef076e34356317118 2437076 editors optional libreoffice_6.0.0~rc3.orig-helpcontent2.tar.xz
 1a612294c3279ea16d3ae4ed8cfb97e7 139437344 editors optional libreoffice_6.0.0~rc3.orig-translations.tar.xz
 36e417cf7f0c2a0a3b6af6d4435b687a 203284136 editors optional libreoffice_6.0.0~rc3.orig.tar.xz
 eea15fecf4c5f73b145c6d9fbd4a3bfb 801 editors optional libreoffice_6.0.0~rc3.orig.tar.xz.asc
 bee970ecc9db58fa64a7e4a0b142a784 13580336 editors optional libreoffice_6.0.0~rc3-1.debian.tar.xz
 0e31e6634cc8e14b961f9988a72e99aa 33238 editors optional libreoffice_6.0.0~rc3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE4S3qRnUGcM+pYIAdCqBFcdA+PnAFAlpsYHsACgkQCqBFcdA+
PnDR0xAAqaQ/r1UeM8CSE+7OU3OrqC69eSptdRrZcv+Xekkxz6o/K6Xj2ri5s6+t
ydI/LYSV7Sk3nYx+NfJTeDFeFr1rcNgflYf6sWApABrnQFu4MrOI2xO78JDkH1JC
zkOC9BfA+Bo7bpm8s5zNdoP4vgV6gRvUDGU8u9xAdebJOXMRvdfcCFfrxnJQfaxW
ej0cpfFYf6X5m7eakcxJJHCJJepvs0brTLYTaVXMs+OxS95FdJ+7IBR6dsbgokhx
4MYyWeawo/EmCCHzB9saYAS3mrMu/P0iarOObvZc8YDdEuvyvcjAdrFDmNEThEju
hDvjcHUxc+JYZug7uJ2UncAgF2vwknStAVLUTZ8fPCTRDPEj7ZVAO67rq0jHoHTs
Upwu38AxmlgbsoizK7zARg1IhB+u5XGzjUULmaTmiqk45uQ6MoA9VW4qC7f7SZXG
QuO0CKN4xD7BdAzVT0QzqkC8iY1f0cWEwP/FJoiVonAxr4szUJw4vGmL7sE2OhPA
p4P8tvdUMGuVuMJLV5De11K5PhswPuFcBpRCxJxxbBq8HqD0FMmtZwAsyHO+wud1
Tkx4AWaJ9QQiDu3pU5Mv85Ln0bY8jpk19XxVfqWXtRxf7/IZ9aGF3XQCjocrLPBu
5aiXVKlkRtHqXqpF8Iu3HrDoia+oUrdqrjgbKme/mdXGz0A9QPY=
=hpYA
-----END PGP SIGNATURE-----

Message #76 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Thomas Vaughan <tevaughan@gmail.com>

To: 887593@bugs.debian.org

Subject: More apparmor="ALLOWED" messages in syslog.

Date: Fri, 16 Feb 2018 08:48:06 -0700

I see that this bug is closed, but I see something similar in my
system log.  I am running Debian unstable updated as of yesterday.  It
seems that libreoffice is trying to make use of OpenCL, and I have a
couple of OpenCL ICDs installed.

After opening a PDF file in LibreOffice Draw, I saw the following from logcheck:

Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
8 callbacks suppressed
Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
audit(1518741691.452:20): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400
audit(1518741691.868:21): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/sys/devices/system/node/node0/meminfo" pid=11676
comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400
audit(1518741692.636:22): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400
audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400
audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400
audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676
comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000
ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400
audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400
audit(1518741693.728:27): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400
audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400
audit(1518741693.852:29): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb:
321 callbacks suppressed
Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400
audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400
audit(1518741696.692:352): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400
audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400
audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400
audit(1518741696.692:355): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400
audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400
audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400
audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400
audit(1518741696.692:359): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400
audit(1518741696.744:360): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000
Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb:
80 callbacks suppressed
Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400
audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit"
profile="libreoffice-xpdfimport"
name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960
comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000
ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
fsuid=1000 ouid=1000

-- 
Thomas E. Vaughan

Message #81 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Thomas Vaughan <tevaughan@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Fri, 16 Feb 2018 19:08:15 +0100

On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote:
> I see that this bug is closed, but I see something similar in my
> system log.  I am running Debian unstable updated as of yesterday.  It
> seems that libreoffice is trying to make use of OpenCL, and I have a
> couple of OpenCL ICDs installed.

And I don't believe we should fix anything in one bug. This bug is
fixed, all messages it talked about are gone.

If you want to have more stuff fixed, please use a new bug.

But yes, I am aware not all apparmor issues are gone. There always will
be stuff denied. That's why it's still in complain mode.
We also shouldn't allow anything.

> After opening a PDF file in LibreOffice Draw, I saw the following from logcheck:

To be honest, I consider this feature to be existing a bug per se.

> Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
> 8 callbacks suppressed
> Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
> audit(1518741691.452:20): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd"
> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400
> audit(1518741691.868:21): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/sys/devices/system/node/node0/meminfo" pid=11676
> comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400
> audit(1518741692.636:22): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd"
> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400
> audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap"
> profile="libreoffice-soffice"
> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
> pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
> fsuid=1000 ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400
> audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap"
> profile="libreoffice-soffice"
> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
> pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
> fsuid=1000 ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400
> audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap"
> profile="libreoffice-soffice"
> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676
> comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000
> ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400
> audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
> Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400
> audit(1518741693.728:27): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
> ouid=1000
> Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400
> audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
> comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000
> ouid=1000
> Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400
> audit(1518741693.852:29): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd"
> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb:
> 321 callbacks suppressed
> Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400
> audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400
> audit(1518741696.692:352): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400
> audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400
> audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
> pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c"
> fsuid=1000 ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400
> audit(1518741696.692:355): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
> pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> fsuid=1000 ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400
> audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
> pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd"
> fsuid=1000 ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400
> audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400
> audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400
> audit(1518741696.692:359): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400
> audit(1518741696.744:360): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000

So OpenCL until here, unless I oversaw something else above...

> Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb:
> 80 callbacks suppressed
> Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400
> audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit"
> profile="libreoffice-xpdfimport"
> name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960
> comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000
> ouid=1000

w?

The document opened, though or did that fail?

> Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
> audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> fsuid=1000 ouid=1000
> Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
> audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> fsuid=1000 ouid=1000
> Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
> audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> fsuid=1000 ouid=1000
> Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
> audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> fsuid=1000 ouid=1000

Hrmpf. more mozilla stuff.

Regards,

Rene

Message #86 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Thomas Vaughan <tevaughan@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Fri, 16 Feb 2018 19:13:48 +0100

On Fri, Feb 16, 2018 at 07:08:15PM +0100, Rene Engelhard wrote:
> > Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
> > audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> > pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> > fsuid=1000 ouid=1000
> > Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
> > audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> > pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> > fsuid=1000 ouid=1000
> > Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
> > audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> > pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> > fsuid=1000 ouid=1000
> > Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
> > audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> > pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> > fsuid=1000 ouid=1000
> 
> Hrmpf. more mozilla stuff.

That said

  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.mozilla/firefox/*/secmod.db r,
   owner @{HOME}/.mozilla/firefox/*/cert8.db r,

sufficed for me to make the Digital Signing dialogue not complain
(see upstream commit
https://cgit.freedesktop.org/libreoffice/core/commit/?id=b6176bde1dc267601839d0d6510beaa07a28d8fa)

Regards,
 
Rene

Message #91 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sat, 17 Feb 2018 20:05:26 +0200

On 2/16/18 8:08 PM, Rene Engelhard wrote:
> On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote:
>> Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
>> 8 callbacks suppressed
>> Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
>> audit(1518741691.452:20): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd"
>> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
>> fsuid=1000 ouid=0
>> Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400
>> audit(1518741691.868:21): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/sys/devices/system/node/node0/meminfo" pid=11676
>> comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
>> ouid=0
>> Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400
>> audit(1518741692.636:22): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd"
>> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
>> fsuid=1000 ouid=0
>> Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400
>> audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap"
>> profile="libreoffice-soffice"
>> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
>> pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
>> fsuid=1000 ouid=0
>> Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400
>> audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap"
>> profile="libreoffice-soffice"
>> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
>> pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
>> fsuid=1000 ouid=0
>> Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400
>> audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap"
>> profile="libreoffice-soffice"
>> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676
>> comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000
>> ouid=0
>> Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400
>> audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
>> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400
>> audit(1518741693.728:27): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
>> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400
>> audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
>> comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400
>> audit(1518741693.852:29): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd"
>> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
>> fsuid=1000 ouid=0
>> Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb:
>> 321 callbacks suppressed
>> Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400
>> audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
>> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400
>> audit(1518741696.692:352): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
>> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400
>> audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
>> comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400
>> audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
>> pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c"
>> fsuid=1000 ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400
>> audit(1518741696.692:355): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
>> pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
>> fsuid=1000 ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400
>> audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
>> pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd"
>> fsuid=1000 ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400
>> audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
>> comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400
>> audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
>> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400
>> audit(1518741696.692:359): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
>> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
>> ouid=1000
>> Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400
>> audit(1518741696.744:360): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
>> comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
>> ouid=1000
> 
> So OpenCL until here, unless I oversaw something else above...

I guess we need yet another abstraction to prepare :) . I could search 
for more OpenCL-using (or simply OpenCL example applications) to 
(cross-)check what more paths it might need.

And there are some Nouveau stuff, that probably should land into 
<abstractions/nvidia>. I have NVIDIA card, though I am running with 
propiertary driver currently, though I could switch to Noveou, or work 
in livecd or simiar for testing.

> 
>> Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb:
>> 80 callbacks suppressed
>> Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400
>> audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit"
>> profile="libreoffice-xpdfimport"
>> name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960
>> comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000
>> ouid=1000
> 
> w?
> 
> The document opened, though or did that fail?

Looks like "xpdfimport" inherited file handle from parent (soffice.bin?).

I do not see rules allowing to read PDF files from anywhere in 
`usr.lib.libreoffice.program.xpdfimport`. If `xpdfimport` only actually 
reads PDF's from these `/tmp/*` paths (maybe soffice.bin copies it 
there? I do not know how it works), it might mean that it would work 
without allowing. It could be simply a artifact, inherited file handle 
and would not be allowed for xpdfimport to read/write, but it doesn't 
meen it actually uses it, if I understood explanation myself. I've seen 
this in other profiles, denying these noises could be a solution.

Though I am not sure how could we implement "deny (silence) reading 
*.pdf from everywhere _except_ from /tmp/* (allow from there)". I've 
seen someone mentioning "except" rules, though not sure if these are 
official and supported.

Anyway, testing with enforced profile is needed here (I could do that).

> 
>> Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
>> audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
>> pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
>> fsuid=1000 ouid=1000
>> Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
>> audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
>> pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
>> fsuid=1000 ouid=1000
>> Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
>> audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
>> pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
>> fsuid=1000 ouid=1000
>> Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
>> audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
>> profile="libreoffice-soffice"
>> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
>> pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
>> fsuid=1000 ouid=1000
> 
> Hrmpf. more mozilla stuff.

It would be nice if LibreOffice would have utility application for 
dealing with these signing stuff, not accessing these files directly...

Message #96 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Vincas Dargis <vindrg@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sun, 18 Feb 2018 11:33:15 +0100

Hi,

On Sat, Feb 17, 2018 at 08:05:26PM +0200, Vincas Dargis wrote:
> I guess we need yet another abstraction to prepare :) . I could search for

Yeah. And update the kde one...

https://cgit.freedesktop.org/libreoffice/core/commit/?id=b13678b1e1d6f4cac548ae7e088b6030c31cf081

(for 6.1)

> > w?
> > 
> > The document opened, though or did that fail?
> 
> Looks like "xpdfimport" inherited file handle from parent (soffice.bin?).
> 
> I do not see rules allowing to read PDF files from anywhere in
> `usr.lib.libreoffice.program.xpdfimport`. If `xpdfimport` only actually
> reads PDF's from these `/tmp/*` paths (maybe soffice.bin copies it there? I
> do not know how it works), it might mean that it would work without
> allowing. It could be simply a artifact, inherited file handle and would not
> be allowed for xpdfimport to read/write, but it doesn't meen it actually
> uses it, if I understood explanation myself. I've seen this in other
> profiles, denying these noises could be a solution.

Ah, interesting. Yeah, could be, "of course" draw would open stuff rw...

> > Hrmpf. more mozilla stuff.
> 
> It would be nice if LibreOffice would have utility application for dealing
> with these signing stuff, not accessing these files directly...

Jup. That made gpg in a subprofile possible. Then again, for
lo_kde5filepicker above that's also done but we need to allow a shitload
of other stuff, too (see above commit).

Regards,

Rene
> 

Message #101 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Thomas Vaughan <tevaughan@gmail.com>, 887593@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Mon, 19 Feb 2018 16:11:46 +0100

tag 887593 + moreinfo
thanks

Hi,

On Fri, Feb 16, 2018 at 07:08:15PM +0100, Rene Engelhard wrote:
> > Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
> > audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> > pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> > fsuid=1000 ouid=1000
> > Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
> > audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> > pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> > fsuid=1000 ouid=1000
> > Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
> > audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> > pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> > fsuid=1000 ouid=1000
> > Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
> > audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
> > profile="libreoffice-soffice"
> > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> > pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> > fsuid=1000 ouid=1000
> 
> Hrmpf. more mozilla stuff.

Where did you get those from? Which firefox do you use? (I use ESR). And
that means:

$ dpkg -l firefox-esr
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
         Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name           Version      Architektur  Beschreibung
+++-==============-============-============-=================================
ii  firefox-esr    52.6.0esr-1~ amd64        Mozilla Firefox web browser - Ext
$ find .mozilla/ -name "cert*"
.mozilla/firefox/r02yphkb.default/cert8.db
$ find .mozilla/ -name "key*"
.mozilla/firefox/r02yphkb.default/key3.db

cert8 and key3, not cert9 and key4...

Regards,
 
Rene

Message #108 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Thomas Vaughan <tevaughan@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Mon, 19 Feb 2018 16:26:53 +0100

tag 887593 - moreinfo
thanks

On Mon, Feb 19, 2018 at 04:11:46PM +0100, Rene Engelhard wrote:
> cert8 and key3, not cert9 and key4...

Answering myself. Seems key4.db is firefox >= 58...
https://bugzilla.mozilla.org/show_bug.cgi?id=783994

So probably we need to allow both...

Regards,
  
Rene

Message #113 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Thomas Vaughan <tevaughan@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Mon, 19 Feb 2018 16:37:52 +0100

Hi,

On Mon, Feb 19, 2018 at 04:26:53PM +0100, Rene Engelhard wrote:
> On Mon, Feb 19, 2018 at 04:11:46PM +0100, Rene Engelhard wrote:
> > cert8 and key3, not cert9 and key4...
> 
> Answering myself. Seems key4.db is firefox >= 58...
> https://bugzilla.mozilla.org/show_bug.cgi?id=783994
> 
> So probably we need to allow both...

To be clear: both = cert8 and cert9.

I am not sure we should allow key3/key4, given it contains passwords.
But cert?.db we definitely need for the certificates.

As said, even with non-allowing key3 the dialogue openened without DENIED for me.

Regards,
  
Rene

Message #118 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: Thomas Vaughan <tevaughan@gmail.com>

Cc: 887593@bugs.debian.org

Subject: Re: More apparmor="ALLOWED" messages in syslog.

Date: Sat, 3 Mar 2018 15:10:45 +0200

On Fri, 16 Feb 2018 08:48:06 -0700 Thomas Vaughan <tevaughan@gmail.com> 
wrote:
> I see that this bug is closed, but I see something similar in my
> system log.  I am running Debian unstable updated as of yesterday.  It
> seems that libreoffice is trying to make use of OpenCL, and I have a
> couple of OpenCL ICDs installed.

I fail to reproduced that.

I've installed some ICDs too:

```
$ dpkg -l "*icd*" | fgrep ii
ii  beignet-opencl-icd:amd64 1.3.2-1      amd64        OpenCL library 
for Intel GPUs
ii  nvidia-egl-icd:amd64     384.111-4    amd64        NVIDIA EGL 
installable client driver (ICD)
ii  ocl-icd-libopencl1:amd64 2.2.12-1     amd64        Generic OpenCL 
ICD Loader
ii  pocl-opencl-icd          1.0-2        amd64        pocl ICD
```

I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL 
for Libreoffice somehow?

Message #123 received at 887593@bugs.debian.org (full text, mbox, reply):

From: fabien delellis <delell77@gmail.com>

To: Vincas Dargis <vindrg@gmail.com>, 887593@bugs.debian.org, zaa@gmail.com

Subject: Re: Bug#887593qq: Moreas je zapparmor="ALLOWED" messages in syslog.

Date: Sat, 3 Mar 2018 15:51:22 +0100

[Message part 1 (text/plain, inline)]

Le 3 mars 2018 14:15, "Vincas Dargis" <vindrg@gmail.com> a écrit :

> On Fri, 16 Feb 2018 08:48:06 -0700 Thomas Vaughan <tevaughan@gmail.com>
> wrote:
>
>> I see that this bug is closed, but I see something similar in my
>> system log.  I am running Debian unstable updated as of yesterday.  It
>> seems that libreoffice is trying to make use of OpenCL, and I have a
>> couple of OpenCL ICDs installed.
>>
>
> I fail to reproduced that.
>
> I've installed some ICDs too:
>
> ```
> $ dpkg -l "*icd*" | fgrep ii
> ii  beignet-opencl-icd:amd64 1.3.2-1      amd64        OpenCL library for
> Intel GPUs
> ii  nvidia-egl-icd:amd64     384.111-4    amd64        NVIDIA EGL
> installable client driver (ICD)
> ii  ocl-icd-libopencl1:amd64 2.2.12-1     amd64        Generic OpenCL ICD
> Loader
> ii  pocl-opencl-icd          1.0-2        amd64        pocl ICD
> ```
>
> I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL
> for Libreoffice somehow?
>
>

[Message part 2 (text/html, inline)]

Message #128 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Vincas Dargis <vindrg@gmail.com>, 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sun, 4 Mar 2018 12:52:17 +0100

Hi,

On Sat, Mar 03, 2018 at 03:10:45PM +0200, Vincas Dargis wrote:
> On Fri, 16 Feb 2018 08:48:06 -0700 Thomas Vaughan <tevaughan@gmail.com>
> wrote:
> > I see that this bug is closed, but I see something similar in my
> > system log.  I am running Debian unstable updated as of yesterday.  It
> > seems that libreoffice is trying to make use of OpenCL, and I have a
> > couple of OpenCL ICDs installed.
> 
> I fail to reproduced that.
> 
> I've installed some ICDs too:
> 
> ```
> $ dpkg -l "*icd*" | fgrep ii
> ii  beignet-opencl-icd:amd64 1.3.2-1      amd64        OpenCL library for
> Intel GPUs
> ii  nvidia-egl-icd:amd64     384.111-4    amd64        NVIDIA EGL
> installable client driver (ICD)
> ii  ocl-icd-libopencl1:amd64 2.2.12-1     amd64        Generic OpenCL ICD
> Loader
> ii  pocl-opencl-icd          1.0-2        amd64        pocl ICD
> ```
> 
> I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL for
> Libreoffice somehow?

Tools->Options-OpenCL. Though that setting doesn't persist here,
probably because LO notices I don't have a working OpenCL config..

Though I do have

ii  beignet-opencl-icd:amd64                                    1.3.0-4
amd64        OpenCL library for Intel GPUs
ii  ocl-icd-libopencl1:amd64                                    2.2.11-1
amd64        Generic OpenCL ICD Loader

installed..

Regards,

Rene

Message #133 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: Rene Engelhard <rene@debian.org>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sun, 4 Mar 2018 16:43:00 +0200

On 3/4/18 1:52 PM, Rene Engelhard wrote:
> On Sat, Mar 03, 2018 at 03:10:45PM +0200, Vincas Dargis wrote:
>> I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL for
>> Libreoffice somehow?
> 
> Tools->Options-OpenCL. Though that setting doesn't persist here,
> probably because LO notices I don't have a working OpenCL config..

Thanks! Now I got denies too.

I have started to work on opencl abstraction [0] already, by using 
python-pyopencl examples, they allow to select backend and already 
helped to collect number of rules.

Now I will be able to test with LO too. Sadly, not sure how to test with 
Radeon/AMD graphics though.

[0] 
https://gitlab.com/Talkless/apparmor/blob/opencl/profiles/apparmor.d/abstractions/opencl

Message #138 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: Rene Engelhard <rene@debian.org>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sun, 4 Mar 2018 17:23:37 +0200

On 3/4/18 1:52 PM, Rene Engelhard wrote:
> Tools->Options-OpenCL. Though that setting doesn't persist here,
> probably because LO notices I don't have a working OpenCL config..

After some testing, it seems that OpenCL option persist for me only if I 
launch LO through `optirun` command, that enables discrete NVIDIA card.

Maybe LO simply does not support Intel/Mesa OpenCL implementations? It 
could provide some feedback via dialog or console log...

Message #147 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: intrigeri <intrigeri@debian.org>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sat, 4 Aug 2018 17:50:35 +0300

intrigeri, could we get opencl abstractions in 2.13, or we are expecting to get AppArmor 3 in Buster?

BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule:
https://gerrit.libreoffice.org/#/c/58589/

Message #152 received at 887593@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>

To: Vincas Dargis <vindrg@gmail.com>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sat, 04 Aug 2018 23:21:19 +0800

Vincas Dargis:
> intrigeri, could we get opencl abstractions in 2.13, or we are expecting to get AppArmor 3 in Buster?

Sure, gimme a bug against src:apparmor :)

> BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule:
> https://gerrit.libreoffice.org/#/c/58589/

If I'm supposed to act on this, please clarify what I should do,
otherwise ignore this sentence.

Cheers,
-- 
intrigeri

Message #157 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: intrigeri <intrigeri@debian.org>, Rene Engelhard <rene@debian.org>

Cc: 887593@bugs.debian.org

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Sun, 5 Aug 2018 18:02:25 +0300

On Sat, 04 Aug 2018 23:21:19 +0800 intrigeri <intrigeri@debian.org> wrote:
> > BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule:
> > https://gerrit.libreoffice.org/#/c/58589/
> 
> If I'm supposed to act on this, please clarify what I should do,
> otherwise ignore this sentence.

Sorry for noise, please ignore. This simply means that LibreOffice profile will be cleaner, that's all.

I have proposed https://salsa.debian.org/apparmor-team/apparmor/merge_requests/10 , after which we 
will be closer to closing this bug.

Message #162 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Vincas Dargis <vindrg@gmail.com>, 887593@bugs.debian.org

Cc: intrigeri <intrigeri@debian.org>

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Mon, 6 Aug 2018 22:54:20 +0200

Hi,

On Sat, Aug 04, 2018 at 05:50:35PM +0300, Vincas Dargis wrote:
> intrigeri, could we get opencl abstractions in 2.13, or we are expecting to get AppArmor 3 in Buster?
> 
> BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule:
> https://gerrit.libreoffice.org/#/c/58589/

As I said upstream I am not sure about this upstream.

But for Debian we could (we know the AA version) do that, sure.

https://salsa.debian.org/libreoffice-team/libreoffice/libreoffice/commit/5e887f9e973f448672befe428d81b0379a00a43c

Regards,

Rene
> 

Message #167 received at 887593@bugs.debian.org (full text, mbox, reply):

From: Vincas Dargis <vindrg@gmail.com>

To: Rene Engelhard <rene@debian.org>, 887593@bugs.debian.org

Cc: intrigeri <intrigeri@debian.org>

Subject: Re: Bug#887593: More apparmor="ALLOWED" messages in syslog.

Date: Tue, 7 Aug 2018 11:03:02 +0300

On 8/6/18 11:54 PM, Rene Engelhard wrote:
> On Sat, Aug 04, 2018 at 05:50:35PM +0300, Vincas Dargis wrote:
>> BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule:
>> https://gerrit.libreoffice.org/#/c/58589/
> 
> As I said upstream I am not sure about this upstream.
> 
> But for Debian we could (we know the AA version) do that, sure.
> 
> https://salsa.debian.org/libreoffice-team/libreoffice/libreoffice/commit/5e887f9e973f448672befe428d81b0379a00a43c

Hm, right, that seems to be more conservative approach, though question is when "the upstream" :) 
will be allowed to be upgraded?

Maybe LO upstream could consider having multiple "apparmor" directories? For 2.12, 2.13, and 3.x 
(3.x should have tools to "version" policies using conditioanls, etc. Though not sure how actually 
it would work out, I am still waiting for JJ response to some question [0], but he is very busy).

[0] https://lists.ubuntu.com/archives/apparmor/2018-June/011710.html

Send a report that this bug log contains spam.