Support tofu+pgp trust model in GnuPG

Bug-Debian: https://bugs.debian.org/955271
Forwarded: no

GnuPG supports a trust-on-first-use layer that sits on top of the
standard PGP trust model. If this is enabled, 'gpg --list-keys' needs
write and lock permissions on the TOFU database to return any useful
data. Allow this access through AppArmor.

Gbp-Pq: Name apparmor-gnupg-tofu.diff

diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index 4d1d7323918e6be199794cc75b0faf6af21a54f2..6aa4b18503aa8f9aefbebb3e171ca7ffb65825e3 100644 (file)
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2016 Canonical Ltd.
 #    Copyright (C) 2018 Software in the Public Interest, Inc.
+#    Copyright (C) 2021 Google LLC
 #
 #    This Source Code Form is subject to the terms of the Mozilla Public
 #    License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -224,6 +225,7 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin flags=(complain) {
 
     owner @{HOME}/.gnupg/* r,
     owner @{HOME}/.gnupg/random_seed rk,
+    owner @{HOME}/.gnupg/tofu.db rwk,
   }
 
   # probably should become a subprofile like gpg above, but then it doesn't