[pkg-apparmor] Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights

[Vincas Dargis]

On 2017-11-28 12:19, intrigeri wrote:
>      → In this case, I would argue that we're talking about a corner
>      case, that only rather advanced users will hit, and I find it sad
>      that everyone else can't benefit from AppArmor security benefits
>      due to that, so I'm leaning towards:
> 
>        1. keep the AppArmor profile enforced by default, so the vast
>           majority of users benefit from it;
>        2. ensure the AppArmor profile supports customization and
>           affected users can learn how to tweak it; in this case,
>           I think adding in README.Debian "add your custom
>           env:UserInstallation to @{libo_user_dirs}" would be sufficient.
> 
> What do you think? If you agree with my reasoning, then I could
> provide a patch to implement the proposed change in README.Debian.

It's the same story as with Thunderbird's #882218, we really should think about adding customization points to these GUI 
applications.

I've read about AppArmor variables, and man page states that variables has to be modified before profile:

 > Variables may have multiple values assigned, but any variable assignments must be made before the start of the profile.

So that means that LO, and Thunderbird must have some extra include, as <local/foo> include is too late (within profile 
itself)?

Something like:

```
@{libo_user_dirs} = @{HOME} /mnt /media
#include <tunables/usr.lib.libreofficeprogram.soffice.bin.d>

```

Right?

How are you planning to patch it?