From: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Date: Tue, 26 Jun 2018 23:10:17 +0000 (+0100)
Subject: apparmor-fixes
X-Git-Tag: archive/raspbian/1%6.0.6_rc1-1+rpi1~6
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7dd14bb946f99f849bd68096a120a55d72a772b5;p=libreoffice.git

apparmor-fixes

see https://gerrit.libreoffice.org/#/c/49614/.

sysui/desktop/apparmor/program.senddoc
Line 19:
why do we need to allow dbus, chrome, .. here?

See https://sources.debian.org/src/apparmor/2.12-2/profiles/apparmor.d/abstractions/ubuntu-helpers/.

(Besides that I don't like the "ubuntu" there at all, but that is another story)

sysui/desktop/apparmor/program.senddoc
Line 19:
The other (easy) option is to have xdg-* just go to unconfined.  I'm not sure there will be a huge difference in security.

The initial version got merged to libreoffice-6-0 without the master one being
merged...


Gbp-Pq: Name apparmor-fixes.diff
---

diff --git a/sysui/desktop/apparmor/program.senddoc b/sysui/desktop/apparmor/program.senddoc
index b67d69c6315..7b384d73111 100644
--- a/sysui/desktop/apparmor/program.senddoc
+++ b/sysui/desktop/apparmor/program.senddoc
@@ -14,7 +14,6 @@
 
 profile libreoffice-senddoc INSTDIR-program/senddoc {
   #include <abstractions/base>
-  #include <abstractions/ubuntu-helpers>
 
   owner /tmp/lu**       rw,    #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random
                                #Note, usually it's lub or luc, don't know why.
@@ -26,8 +25,8 @@ profile libreoffice-senddoc INSTDIR-program/senddoc {
   /usr/bin/basename     rmix,
   /{usr/,}bin/grep      rmix,
   /{usr/,}bin/uname     rmix,
-  /usr/bin/xdg-open     Cxr -> sanitized_helper,
-  /usr/bin/xdg-email    Cxr -> sanitized_helper,
+  /usr/bin/xdg-open     rPUx,
+  /usr/bin/xdg-email    rPUx,
   /dev/null             rw,
   INSTDIR-program/uri-encode rmpux,
   /usr/share/libreoffice/share/config/* r,