From 7dd14bb946f99f849bd68096a120a55d72a772b5 Mon Sep 17 00:00:00 2001 From: Debian LibreOffice Maintainers Date: Wed, 27 Jun 2018 00:10:17 +0100 Subject: [PATCH] apparmor-fixes see https://gerrit.libreoffice.org/#/c/49614/. sysui/desktop/apparmor/program.senddoc Line 19: why do we need to allow dbus, chrome, .. here? See https://sources.debian.org/src/apparmor/2.12-2/profiles/apparmor.d/abstractions/ubuntu-helpers/. (Besides that I don't like the "ubuntu" there at all, but that is another story) sysui/desktop/apparmor/program.senddoc Line 19: The other (easy) option is to have xdg-* just go to unconfined. I'm not sure there will be a huge difference in security. The initial version got merged to libreoffice-6-0 without the master one being merged... Gbp-Pq: Name apparmor-fixes.diff --- sysui/desktop/apparmor/program.senddoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sysui/desktop/apparmor/program.senddoc b/sysui/desktop/apparmor/program.senddoc index b67d69c6315..7b384d73111 100644 --- a/sysui/desktop/apparmor/program.senddoc +++ b/sysui/desktop/apparmor/program.senddoc @@ -14,7 +14,6 @@ profile libreoffice-senddoc INSTDIR-program/senddoc { #include - #include owner /tmp/lu** rw, #makes files like luRRRRR.tmp/lubRRRR.tmp where R is random #Note, usually it's lub or luc, don't know why. @@ -26,8 +25,8 @@ profile libreoffice-senddoc INSTDIR-program/senddoc { /usr/bin/basename rmix, /{usr/,}bin/grep rmix, /{usr/,}bin/uname rmix, - /usr/bin/xdg-open Cxr -> sanitized_helper, - /usr/bin/xdg-email Cxr -> sanitized_helper, + /usr/bin/xdg-open rPUx, + /usr/bin/xdg-email rPUx, /dev/null rw, INSTDIR-program/uri-encode rmpux, /usr/share/libreoffice/share/config/* r, -- 2.30.2
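Review bot: The two new `rPUx` rules for /usr/bin/xdg-open and /usr/bin/xdg-email carry no comment, yet this mode is the one place where the senddoc profile's confinement can end: `PUx` transitions to a profile named for the helper if one is loaded and otherwise runs it unconfined, with the uppercase form scrubbing the environment. On a system that loads no xdg-open or xdg-email profile, whatever senddoc passes as arguments is handled outside any profile, so the trade-off discussed in the commit message should be recorded in the file itself, for example `#xdg-* use their own profile if one is loaded, else run unconfined (environment scrubbed); replaces the sanitized_helper child profile`. The unchanged context rule `INSTDIR-program/uri-encode rmpux` uses the lowercase, non-scrubbing form, and it may be worth confirming that this difference is intended. The profile block starts and ends outside the hunk.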