apparmor-fixes

see https://gerrit.libreoffice.org/#/c/49614/.

sysui/desktop/apparmor/program.senddoc
Line 19:
why do we need to allow dbus, chrome, .. here?

See https://sources.debian.org/src/apparmor/2.12-2/profiles/apparmor.d/abstractions/ubuntu-helpers/.

(Besides that I don't like the "ubuntu" there at all, but that is an other story)

sysui/desktop/apparmor/program.senddoc
Line 19:
The other (easy) option is to have xdg-* just go to unconfined.  I'm not sure there will be a huge difference in security.

The initial version got merged to libreoffice-6-0 without the master one being
merged...

Gbp-Pq: Name apparmor-fixes.diff

diff --git a/sysui/desktop/apparmor/program.senddoc b/sysui/desktop/apparmor/program.senddoc
index b67d69c6315c0065c7a85834deb4dc8476c604e0..7b384d73111eb04a2af6f0094319f698434dcd44 100644 (file)
--- a/sysui/desktop/apparmor/program.senddoc
+++ b/sysui/desktop/apparmor/program.senddoc
@@ -14,7 +14,6 @@
 
 profile libreoffice-senddoc INSTDIR-program/senddoc {
   #include <abstractions/base>
-  #include <abstractions/ubuntu-helpers>
 
   owner /tmp/lu**       rw,    #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
                                #Note, usually it's lub or luc, don't know why.
@@ -26,8 +25,8 @@ profile libreoffice-senddoc INSTDIR-program/senddoc {
   /usr/bin/basename     rmix,
   /{usr/,}bin/grep      rmix,
   /{usr/,}bin/uname     rmix,
-  /usr/bin/xdg-open     Cxr -> sanitized_helper,
-  /usr/bin/xdg-email    Cxr -> sanitized_helper,
+  /usr/bin/xdg-open     rPUx,
+  /usr/bin/xdg-email    rPUx,
   /dev/null             rw,
   INSTDIR-program/uri-encode rmpux,
   /usr/share/libreoffice/share/config/* r,