[pkg-apparmor] Bug#995367: Acknowledgement (Re-enable apparmor on Debian Live?)

Trent W. Buck trentbuck at gmail.com
Thu Sep 30 12:14:29 BST 2021


The original bug report complained about LibreOffice and Evince.
I tested those specifically.

LibreOffice is in "complain" mode.
Its rules fail, but there is no user-visible impact.

Evince is in "enforce" mode.
I couldn't generate an error by just opening PDFs, saving them, and printing them (to files).

Is this a sufficient test?
I can do a bit more, but I don't want to exhaustively test EVERY app with a profile. :-)
-------------- next part --------------
bash5$ ssh bootstrap2020
Warning: Permanently added '[localhost]:2022' (ED25519) to the list of known hosts.
root at desktop:~# cat /proc/cmdline
boot=live plainroot root=/dev/vda quiet splash 
root at desktop:~# aa-status
apparmor module is loaded.
20 profiles are loaded.
18 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
   /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   msmtp
   msmtp//helpers
   nvidia_modprobe
   nvidia_modprobe//kmod
2 profiles are in complain mode.
   libreoffice-oosplash
   libreoffice-soffice
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
root at desktop:~# adduser x
Adding user `x' ...
Adding new group `x' (1000) ...
Adding new user `x' (1000) with group `x' ...
Creating home directory `/home/x' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for x
Enter the new value, or press ENTER for the default
	Full Name []: 

	Room Number []: 

	Work Phone []: 

	Home Phone []: 

	Other []: 

Is the information correct? [Y/n] 

root at desktop:~# # Now I'm going to log into the GUI and try to run evince and libreoffice...
root at desktop:~# journalctl -kfn0
-- Journal begins at Thu 2021-09-30 20:58:47 AEST. --
Sep 30 21:00:41 desktop.lan kernel: kauditd_printk_skb: 10 callbacks suppressed
Sep 30 21:00:41 desktop.lan kernel: audit: type=1400 audit(1632999641.308:22): apparmor="ALLOWED" operation="mkdir" profile="libreoffice-soffice" name="/run/user/1000/dconf/" pid=663 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:23): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:24): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:25): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:26): apparmor="ALLOWED" operation="file_lock" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.581:27): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.581:28): apparmor="ALLOWED" operation="unlink" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
# OK WELL THAT DID NOT WORK, BUT BECAUSE IT WAS IN COMPLAIN MODE, THERE WAS NO USER-VISIBLE PROBLEM.
# NOW LET'S TRY EVINCE, WHICH IS IN ENFORCE MODE.
# Correction: first let's make a PDF using libreoffice...
Sep 30 21:03:25 desktop.lan kernel: audit: type=1400 audit(1632999805.972:29): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Sep 30 21:03:25 desktop.lan kernel: audit: type=1400 audit(1632999805.972:30): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Sep 30 21:03:25 desktop.lan kernel: audit: type=1400 audit(1632999805.972:31): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Sep 30 21:03:26 desktop.lan kernel: audit: type=1400 audit(1632999806.000:32): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 30 21:03:26 desktop.lan kernel: audit: type=1400 audit(1632999806.000:33): apparmor="ALLOWED" operation="unlink" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
# OK now let's try evince ~x/Untitled 1.pdf
# That opened fine with nothing logged
# Saving a PDF also worked fine.
# Is there a PDF not in $HOME that I can try?
  C-c C-c^C
root at desktop:~# find / -xdev -name '*.pdf' -ls -quit
      484     12 -rw-r--r--   1 x        x            9712 Sep 30 21:03 /home/x/Untitled\ 2.pdf
root at desktop:~# find / -xdev -name home -prune -o -name '*.pdf' -ls -quit
    10503     21 -rw-r--r--   1 root     root        21204 Sep  9 03:53 /usr/lib/libreoffice/share/xpdfimport/xpdfimport_err.pdf
root at desktop:~# # That also worked fine.
root at desktop:~# journalctl -fn10
-- Journal begins at Thu 2021-09-30 20:58:47 AEST. --
Sep 30 21:03:26 desktop.lan kernel: audit: type=1400 audit(1632999806.000:33): apparmor="ALLOWED" operation="unlink" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
Sep 30 21:03:36 desktop.lan dbus-daemon[553]: [session uid=1000 pid=553] Activating service name='org.gnome.evince.Daemon' requested by ':1.41' (uid=1000 pid=852 comm="evince Untitled 1.pdf ")
Sep 30 21:03:36 desktop.lan dbus-daemon[553]: [session uid=1000 pid=553] Successfully activated service 'org.gnome.evince.Daemon'
Sep 30 21:05:01 desktop.lan dbus-daemon[379]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.25' (uid=1000 pid=852 comm="evince Untitled 1.pdf ")
Sep 30 21:05:01 desktop.lan systemd[1]: Starting Hostname Service...
Sep 30 21:05:01 desktop.lan dbus-daemon[379]: [system] Successfully activated service 'org.freedesktop.hostname1'
Sep 30 21:05:01 desktop.lan systemd[1]: Started Hostname Service.
Sep 30 21:05:31 desktop.lan systemd[1]: systemd-hostnamed.service: Succeeded.
Sep 30 21:08:35 desktop.lan dbus-daemon[553]: [session uid=1000 pid=553] Activating service name='org.gnome.evince.Daemon' requested by ':1.48' (uid=1000 pid=900 comm="evince /usr/lib/libreoffice/share/xpdfimport/xpdfi")
Sep 30 21:08:35 desktop.lan dbus-daemon[553]: [session uid=1000 pid=553] Successfully activated service 'org.gnome.evince.Daemon'
  C-c C-c^C
root at desktop:~# journalctl -kfn10
-- Journal begins at Thu 2021-09-30 20:58:47 AEST. --
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:24): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:25): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:26): apparmor="ALLOWED" operation="file_lock" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.581:27): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.581:28): apparmor="ALLOWED" operation="unlink" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
Sep 30 21:03:25 desktop.lan kernel: audit: type=1400 audit(1632999805.972:29): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Sep 30 21:03:25 desktop.lan kernel: audit: type=1400 audit(1632999805.972:30): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Sep 30 21:03:25 desktop.lan kernel: audit: type=1400 audit(1632999805.972:31): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Sep 30 21:03:26 desktop.lan kernel: audit: type=1400 audit(1632999806.000:32): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 30 21:03:26 desktop.lan kernel: audit: type=1400 audit(1632999806.000:33): apparmor="ALLOWED" operation="unlink" profile="libreoffice-soffice" name="/home/x/lu8156twu3d.tmp" pid=815 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
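The transcript above only ever shows complain-mode logging: the kernel writes apparmor="ALLOWED" together with a denied_mask, meaning a rule is missing but the operation went ahead. An enforce-mode profile would instead log apparmor="DENIED" and the application would fail. The script below is an added example, not part of the bug report or of Debian's apparmor packaging: it parses type=1400 audit lines from journalctl -k, separates the two cases, and aggregates the missing permissions per profile into candidate rule lines (the kind of sanity check one does by hand before running aa-logprof). The sample input copies four lines from the transcript and adds one constructed DENIED line for a hypothetical profile /usr/bin/example-viewer; no such denial was observed in the report.

```python
import re
from collections import defaultdict

# Constructed sample input. Lines 0-3 are copied from the transcript above
# (complain-mode "ALLOWED" events from libreoffice-soffice). Line 4 is a
# constructed enforce-mode "DENIED" event for a hypothetical profile
# "/usr/bin/example-viewer" (assumption, not observed in the report). Line 5 is a
# non-AppArmor journal line, included to show that it is ignored.
SAMPLE_LINES = [
    'Sep 30 21:00:41 desktop.lan kernel: audit: type=1400 audit(1632999641.308:22): apparmor="ALLOWED" operation="mkdir" profile="libreoffice-soffice" name="/run/user/1000/dconf/" pid=663 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:23): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.497:26): apparmor="ALLOWED" operation="file_lock" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000',
    'Sep 30 21:01:06 desktop.lan kernel: audit: type=1400 audit(1632999666.581:28): apparmor="ALLOWED" operation="unlink" profile="libreoffice-soffice" name="/home/x/lu6776ttnwo.tmp" pid=677 comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000',
    'Sep 30 21:09:00 desktop.lan kernel: audit: type=1400 audit(1632999940.000:40): apparmor="DENIED" operation="open" profile="/usr/bin/example-viewer" name="/etc/shadow" pid=999 comm="example-viewer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Sep 30 21:03:36 desktop.lan dbus-daemon[553]: [session uid=1000 pid=553] Activating service name=\'org.gnome.evince.Daemon\' requested by \':1.41\' (uid=1000 pid=852 comm="evince Untitled 1.pdf ")',
]

# key=value pairs, either "quoted" or bare (pid=663, fsuid=1000).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Kernel denied_mask letters -> profile permission letters. Creating (c) and
# deleting (d) a file are both covered by write (w) in a file rule.
MASK_TO_PERM = {'r': 'r', 'w': 'w', 'c': 'w', 'd': 'w', 'a': 'a',
                'k': 'k', 'l': 'l', 'm': 'm', 'x': 'x'}
PERM_ORDER = 'rwaklmx'


def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None otherwise."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def classify(event):
    """Tell a real enforce-mode denial from a complain-mode 'would have denied'."""
    status = event.get('apparmor')
    if status == 'DENIED':
        return 'enforce-denied'    # the syscall failed; the user saw an error
    if status == 'ALLOWED' and 'denied_mask' in event:
        return 'complain-allowed'  # rule missing, but the access was permitted
    if status == 'AUDIT':
        return 'audited'           # explicitly audited, permitted access
    return 'other'


def summarize(lines):
    """Per-profile counts, so you can see at a glance which profiles broke anything."""
    summary = defaultdict(lambda: {'enforce-denied': 0, 'complain-allowed': 0, 'audited': 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind != 'other':
            summary[ev['profile']][kind] += 1
    return dict(summary)


def suggest_rules(lines):
    """Collapse all missing permissions per (profile, path) into candidate file rules."""
    perms = defaultdict(set)  # (profile, path, owner_match) -> permission letters
    for line in lines:
        ev = parse_event(line)
        if ev is None or classify(ev) not in ('enforce-denied', 'complain-allowed'):
            continue
        if not ev.get('name', '').startswith('/'):
            continue  # signal/ptrace/dbus events need a different rule syntax
        owner = ev.get('fsuid') == ev.get('ouid')  # qualifies for an "owner" rule
        key = (ev['profile'], ev['name'], owner)
        for letter in ev['denied_mask']:
            perms[key].add(MASK_TO_PERM.get(letter, letter))
    rules = defaultdict(list)
    for (profile, path, owner), letters in sorted(perms.items()):
        if 'w' in letters:
            letters.discard('a')  # w already implies append; both together is rejected
        ordered = ''.join(p for p in PERM_ORDER if p in letters)
        rules[profile].append(f"{'owner ' if owner else ''}{path} {ordered},")
    return dict(rules)


if __name__ == '__main__':
    for profile, counts in summarize(SAMPLE_LINES).items():
        print(profile, counts)
    for profile, rule_lines in suggest_rules(SAMPLE_LINES).items():
        print(profile)
        for rule in rule_lines:
            print('   ', rule)
```

Feed it `journalctl -k -o cat` output instead of the sample to run it on a live system. The suggested rules are deliberately exact paths; aa-logprof additionally offers glob generalisation (e.g. for LibreOffice's randomly named lu*.tmp lock files), which this check does not attempt.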

