[pkg-apparmor] Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

Rene Engelhard rene at debian.org
Tue Nov 28 10:31:18 UTC 2017


Hi,

On Tue, Nov 28, 2017 at 11:19:05AM +0100, intrigeri wrote:
> (context for pkg-apparmor folks: the last upload of libreoffice to
> sid disabled the AppArmor profile by default due to #882597)
> 
> Rene Engelhard:
> > On Fri, Nov 24, 2017 at 02:33:20PM +0100, Michael Ott wrote:
> >> start libreoffice with
> >> soffice -env:UserInstallation=file:///srv/home/michael/tmp/
> >> does not work. Home folder is srv/home/michael
> 
> > Sigh. Feared something like this.
> 
> > So you try to access stuff outside the LO profile?
> 
> My understanding is that Michael tries to access stuff inside his user
> LO profile path, *but* that profile is stored in a custom location
> which is not supported by the AppArmor profile. When such issues

Yes.

> arise, the general thought process in distros that use AppArmor is:
> 
>   Is it common to use such a custom location?
> 
>     → In this case, I don't know. I assume Rene will know better :)

It is, when people start soffice for listening on stuff. Document
conversion etc. As you say below, "advanced users". But also
LibreOffice's testsuite...

>     → In this case, I would argue that we're talking about a corner
>     case, that only rather advanced users will hit, and I find it sad

Yup.

>     that everyone else can't benefit from AppArmor security benefits
>     due to that, so I'm leaning towards:
> 
>       1. keep the AppArmor profile enforced by default, so the vast
>          majority of users benefit from it;
>       2. ensure the AppArmor profile supports customization and
>          affected users can learn how to tweak it; in this case,
>          I think adding in README.Debian "add your custom
>          env:UserInstallation to @{libo_user_dirs}" would be sufficient.
> 
> What do you think? If you agree with my reasoning, then I could
> provide a patch to implement the proposed change in README.Debian.

Would be nice.

> > Unfortunately there seems to be no way to install a profile but keep it
> > "unconfined", only to just disable it.
> 
> Actually there is.
> 
> If the AppArmor profile is shipped in the upstream tarball, at package

Yes, partly.
https://anonscm.debian.org/cgit/pkg-openoffice/libreoffice.git/tree/rules#n3256

> build time, you can either use aa-complain or manually patch the

That's what I didn't want. Didn't want to stick manual aa-* calls into
the postinst.

> profile, for example:
> 
> https://anonscm.debian.org/cgit/collab-maint/apparmor-profiles-extra.git/tree/debian/rules#n20
> 
> Otherwise, if the AppArmor profile lives in the debian/ directory,
> you can directly edit it so it looks like this:
> 
>    /usr/bin/irssi flags=(complain) {

Aaah. Asked various times on IRC, no answer :-). Thanks.

Regards,

Rene
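
Added example, not part of the original message or of the LibreOffice packaging: a small checker for the customization discussed in the thread, reporting whether a given -env:UserInstallation path falls under the directories listed in @{libo_user_dirs}, before and after a `+=` line is appended. The profile text, the @{HOME} expansion and the rule that a profile grants access beneath each listed directory are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample, not the shipped LibreOffice profile: only the variable
# name @{libo_user_dirs} comes from the thread; the values are assumptions.
SAMPLE_PROFILE = "@{libo_user_dirs} = @{HOME} /mnt /media\n"
# Assumed expansion of the @{HOME} tunable for this example.
TUNABLES = {"HOME": ["/home/*/", "/root/"]}

def variable_values(profile_text, name):
    """Collect values from '@{name} = ...' and '@{name} += ...' lines."""
    pat = re.compile(r"^\s*@\{%s\}\s*(\+?=)\s*(.*)$" % re.escape(name))
    values = []
    for line in profile_text.splitlines():
        m = pat.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            values = (values if m.group(1) == "+=" else []) + m.group(2).split()
    return values

def expand(value, tunables):
    """Expand a leading @{VAR} reference one level; other values pass through."""
    m = re.match(r"@\{(\w+)\}(.*)$", value)
    if not m:
        return [value]
    return [base.rstrip("/") + m.group(2) for base in tunables.get(m.group(1), [])]

def dir_regex(directory):
    """Match the directory or anything beneath it; '*' never crosses '/'."""
    parts = [re.escape(p) for p in directory.rstrip("/").split("*")]
    return re.compile("[^/]*".join(parts) + r"(/.*)?$")

def user_installation_path(arg):
    """Extract the filesystem path from -env:UserInstallation=file:///..."""
    url = arg.split("=", 1)[1]
    return unquote(urlparse(url).path).rstrip("/") or "/"

def covered(arg, profile_text, tunables=TUNABLES):
    """True if the UserInstallation path lies under a @{libo_user_dirs} entry."""
    path = user_installation_path(arg)
    return any(dir_regex(d).match(path)
               for v in variable_values(profile_text, "libo_user_dirs")
               for d in expand(v, tunables))

if __name__ == "__main__":
    arg = "-env:UserInstallation=file:///srv/home/michael/tmp/"
    print(covered(arg, SAMPLE_PROFILE))
    print(covered(arg, SAMPLE_PROFILE + "@{libo_user_dirs} += /srv/home/michael/tmp\n"))
```
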


