mir/libreoffice
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tdf#99251 Update AppArmor Profiles

Browse Source 
Make them less resrictive when executing other exes
This lets the splash screen work again.

Modify AppArmor.sh to be more useful.

Change-Id: Icf06910c845d9389b9b75c1623037e1d07489728
Reviewed-on: https://gerrit.libreoffice.org/24043
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Björn Michaelsen <bjoern.michaelsen@canonical.com>
This commit is contained in:
Bryan Quigley
2016-04-12 15:08:51 -04:00
committed by Björn Michaelsen
parent a2b289c403
commit 577fbba417
5 changed files with 32 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
sysui/desktop/apparmor/program.oosplash
View File

@@ -1,6 +1,6 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015 Canonical Ltd. # Copyright (C) 2016 Canonical Ltd.
# #
# This Source Code Form is subject to the terms of the Mozilla Public # This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -20,10 +20,11 @@ profile libreoffice-oopslash INSTDIR-program/oosplash {
/etc/passwd r, /etc/passwd r,
/etc/nsswitch.conf r, /etc/nsswitch.conf r,
/run/nscd/passwd r, /run/nscd/passwd r,
/usr/lib{,32,64}/ure/bin/javaldx Cx, /usr/lib{,32,64}/ure/bin/javaldx rmpux,
/usr/share/libreoffice/program/* r, /usr/share/libreoffice/program/* r,
INSTDIR-program/soffice.bin rmPUx, INSTDIR-program/** r,
INSTDIR-program/javaldx rmPUx, INSTDIR-program/soffice.bin rmpx,
INSTDIR-program/javaldx rmpux,
owner @{HOME}/.Xauthority r, owner @{HOME}/.Xauthority r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),

4
sysui/desktop/apparmor/program.senddoc
View File

@@ -1,6 +1,6 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015 Canonical Ltd. # Copyright (C) 2016 Canonical Ltd.
# #
# This Source Code Form is subject to the terms of the Mozilla Public # This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -27,7 +27,7 @@ profile libreoffice-senddoc INSTDIR-/usr/lib{,32,64}/libreoffice/program/senddoc
/bin/uname rmix, /bin/uname rmix,
/usr/bin/xdg-open Cxr -> sanitized_helper, /usr/bin/xdg-open Cxr -> sanitized_helper,
/dev/null rw, /dev/null rw,
INSTDIR-program/uri-encode rmPUx, INSTDIR-program/uri-encode rmpux,
/usr/share/libreoffice/share/config/* r, /usr/share/libreoffice/share/config/* r,
owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw, owner @{HOME}/.config/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
} }

11
sysui/desktop/apparmor/program.soffice.bin
View File

@@ -1,6 +1,6 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015 Canonical Ltd. # Copyright (C) 2016 Canonical Ltd.
# #
# This Source Code Form is subject to the terms of the Mozilla Public # This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,7 +33,7 @@
@{libreoffice_ext} += [jJ][pP][eE][gG] @{libreoffice_ext} += [jJ][pP][eE][gG]
@{libreoffice_ext} += [pP][nN][gG] @{libreoffice_ext} += [pP][nN][gG]
@{libreoffice_ext} += [sS][vV][gG] @{libreoffice_ext} += [sS][vV][gG]
@{libreoffice_ext} += [sS][vV][gG][zZ] @{libreoffice_ext} += [sS][vV][gG][zZ]99251
@{libreoffice_ext} += [tT][iI][fF] @{libreoffice_ext} += [tT][iI][fF]
@{libreoffice_ext} += [tT][iI][fF][fF] @{libreoffice_ext} += [tT][iI][fF][fF]
@@ -50,7 +50,7 @@
#Impress/Draw #Impress/Draw
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X} @{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
@{libreoffice_ext} += [pP][oO][tT]{,m,M} @{libreoffice_ext} += [pP][oO][tT]{,m,M}
@{libreoffice_ext} += [sS][wW][fF] @{libreoffice_ext} += [sS][wW][fF] #Flash
@{libreoffice_ext} += [pP][sS][dD] #Photoshop @{libreoffice_ext} += [pP][sS][dD] #Photoshop
#Math #Math
@@ -122,10 +122,11 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
/usr/lib{,32,64}/jvm/** r, /usr/lib{,32,64}/jvm/** r,
INSTDIR-** ra, INSTDIR-** ra,
INSTDIR-**.so rm, INSTDIR-**.so rm,
INSTDIR-share/uno_packages/cache/* rw,
INSTDIR-program/soffice.bin rmix, INSTDIR-program/soffice.bin rmix,
INSTDIR-program/xpdfimport rPx, INSTDIR-program/xpdfimport rpx,
/usr/bin/xdg-open rPUx, /usr/bin/xdg-open rPUx,
INSTDIR-program/senddoc rPx, INSTDIR-program/senddoc rpx,
/usr/share/java/**.jar r, /usr/share/java/**.jar r,
/usr/share/hunspell/ r, /usr/share/hunspell/ r,

2
sysui/desktop/apparmor/program.xpdfimport
View File

@@ -1,6 +1,6 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015 Canonical Ltd. # Copyright (C) 2016 Canonical Ltd.
# #
# This Source Code Form is subject to the terms of the Mozilla Public # This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this # License, v. 2.0. If a copy of the MPL was not distributed with this

33
sysui/desktop/share/apparmor.sh
View File

@@ -2,7 +2,7 @@
# This file is part of the LibreOffice project. # This file is part of the LibreOffice project.
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# #
# Copyright (C) 2015 Canonical Ltd. # Copyright (C) 2016 Canonical Ltd.
# #
# This Source Code Form is subject to the terms of the Mozilla Public # This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -13,36 +13,39 @@
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# This is a simple script to help get AppArmor working on different distros # This is a simple script to help get AppArmor working on different distros
# Generally these apparmor profiles target the latest LibreOffice
INST_ROOT=$1 #Where libreoffice program folder can be found INST_ROOT=$1 #Where libreoffice program folder can be found
PROFILESFROM=$2 #Where the profile files are PROFILESFROM=$2 #Where the profile files are
INSTALLTO=$3 #Where should the apparmor profiles live (to be be linked to) INSTALLTO=$3 #Where should the apparmor profiles (For manual use should be /etc/apparmor.d)
INSTALL=$4 #True means try to run sudo to link (doesn't reload profiles) RESTART=$4 #Should we restart apparmor using service?
#For example to get this to work on Ubuntu 15.10 with stock LibreOffice: #Example uses:
# ./sysui/desktop/share/apparmor.sh /usr/lib/libreoffice/ sysui/desktop/apparmor/ /mnt/store/git/libo/instdir/apparmor-testing/ true #Ubuntu 16.04 with stock LibreOffice:
# sudo ./sysui/desktop/share/apparmor.sh /usr/lib/libreoffice/ sysui/desktop/apparmor/ /etc/apparmor.d/ true
#For example on Ubuntu 15.10, with built debs from the LibreOffice website #Ubuntu 16.04, with built debs from LibreOffice git
# At the current time you need run /opt/libreofficedev5.1/program/soffice.bin directly - splash screen doesn't work # sudo ./sysui/desktop/share/apparmor.sh /opt/libreofficedev5.2/ sysui/desktop/apparmor/ /etc/apparmor.d/ true
# ./sysui/desktop/share/apparmor.sh /opt/libreofficedev5.1/ sysui/desktop/apparmor/ /mnt/store/git/libo/instdir/apparmor-testing/ true
mkdir -p $INSTALLTO #Ubuntu 16.04, running from git!
# sudo ./sysui/desktop/share/apparmor.sh /mnt/store/git/libo/instdir/ sysui/desktop/apparmor/ /etc/apparmor.d/ true
#Need to convert / to . for profile names #Need to convert / to . for profile names
INST_ROOT_FORMAT=${INST_ROOT/\//} INST_ROOT_FORMAT=${INST_ROOT/\//}
INST_ROOT_FORMAT=${INST_ROOT_FORMAT////.} INST_ROOT_FORMAT=${INST_ROOT_FORMAT////.}
#Need to escale / for sed #Need to escape / for sed
INST_ROOT_SED=${INST_ROOT////\\/} INST_ROOT_SED=${INST_ROOT////\\/}
for filename in `ls $PROFILESFROM` for filename in `ls $PROFILESFROM`
do do
tourl=$INSTALLTO$INST_ROOT_FORMAT$filename tourl=$INSTALLTO$INST_ROOT_FORMAT$filename
cat $PROFILESFROM$filename | sed "s/INSTDIR-/$INST_ROOT_SED/g" > $tourl cat $PROFILESFROM$filename | sed "s/INSTDIR-/$INST_ROOT_SED/g" > $tourl
echo "$tourl"
if [ "$INSTALL" = true ] ; then
sudo rm /etc/apparmor.d/$INST_ROOT_FORMAT$filename
sudo ln -s $tourl /etc/apparmor.d/$INST_ROOT_FORMAT$filename
fi
done done
if [ "$RESTART" = true ] ; then
echo "Restarting AppArmor"
service apparmor restart
fi