From 833fbdc422bbe1b60f7d13be247c0603372ab084 Mon Sep 17 00:00:00 2001
From: valoq
Date: Thu, 6 Jun 2024 16:15:43 +0200
Subject: [PATCH] add libreoffice
---
apparmor.d/profiles-g-l/libreoffice-oosplash | 87 +++++++++++++++++++
apparmor.d/profiles-g-l/libreoffice-soffice | 89 ++++++++++++++++++++
2 files changed, 176 insertions(+)
create mode 100644 apparmor.d/profiles-g-l/libreoffice-oosplash
create mode 100644 apparmor.d/profiles-g-l/libreoffice-soffice
diff --git a/apparmor.d/profiles-g-l/libreoffice-oosplash b/apparmor.d/profiles-g-l/libreoffice-oosplash
new file mode 100644
index 000000000..b6ac416f2
--- /dev/null
+++ b/apparmor.d/profiles-g-l/libreoffice-oosplash
@@ -0,0 +1,87 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/libreoffice/program/oosplash
+profile libreoffice-oosplash @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/paperconf rix,
+
+ @{lib}/libreoffice/program/javaldx rix, # no new privs
+ @{lib}/libreoffice/program/soffice.bin rPx -> libreoffice-soffice,
+ @{lib}/libreoffice/** r,
+ @{lib}/jvm/java-@{int}-openjdk/bin/java rix,
+ @{lib}/gconv/gconv-modules.cache r,
+
+ /usr/share/libreoffice/{,**} r,
+ /usr/share/libexttextcat/{,**} r,
+ /usr/share/liblangtag/{,**} r,
+ /usr/share/hunspell/{,**} r,
+ /usr/share/hyphen/{,**} r,
+ /usr/share/mythes/{,**} r,
+
+ /etc/libreoffice/{,**} r,
+ /etc/java{,-*}-openjdk/{,**} r,
+ /etc/paperspecs r,
+ /etc/machine-id r,
+ /etc/ca-certificates/{,**} r,
+
+ owner /var/spool/libreoffice/{,**} rw,
+
+ owner @{user_cache_dirs}/libreoffice/{,**} rw,
+ owner @{user_config_dirs}/libreoffice/{,**} rwk,
+
+ /tmp/ r,
+ owner @{tmp}/@{rand6} rwk,
+ owner @{tmp}/*.tmp/{,**} rwk,
+ owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w,
+ owner @{tmp}/.java_pid@{int}{,.tmp} rw,
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
+
+ owner /dev/pts/@{int} r,
+
+ @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
+ @{sys}/devices/virtual/block/**/queue/rotational r,
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/transparent_hugepage/enabled r,
+ @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
+
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+
+ @{PROC}/cgroups r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/coredump_filter rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ @{sys}/devices/@{pci_bus}/**/nvme/** r,
+
+ profile paperconf {
+ @{bin}/paperconf r,
+
+ @{lib}/libreoffice/program/types.rdb r, # file_inherit
+ @{lib}/libreoffice/program/types/offapi.rdb r, # file_inherit
+ @{lib}/libreoffice/program/types/oovbaapi.rdb r, # file_inherit
+ @{lib}/libreoffice/share/config/images_elementary.zip r, # file_inherit
+
+ /etc/paperspecs r,
+
+ owner @{user_config_dirs}/libreoffice/@{int}/user/extensions/bundled/extensions.pmap rw, # file_inherit
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-g-l/libreoffice-soffice b/apparmor.d/profiles-g-l/libreoffice-soffice
new file mode 100644
index 000000000..96f6263db
--- /dev/null
+++ b/apparmor.d/profiles-g-l/libreoffice-soffice
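Review bot: The `paperconf` child profile at the end of this hunk is never entered, because the exec rule in the main profile is `@{bin}/paperconf rix,`, which runs paperconf inherited under libreoffice-oosplash rather than transitioning into the child. Either the exec rule should read `@{bin}/paperconf rCx -> paperconf,` or the child profile and its `# file_inherit` rules should be dropped; the same mismatch is present in the libreoffice-soffice hunk. A smaller point: `@{lib}/jvm/java-@{int}-openjdk/bin/java rix,` runs a full JVM with this profile's permissions and, unlike the `javaldx` line beside it, carries no comment on why inheritance rather than a transition is intended, so a short note like the existing `# no new privs` would help the next reviewer. Also `/etc/java{,-*}-openjdk/{,**} r,` here and `/etc/java@{int}-openjdk/{,**} r,` in the soffice profile match different directory names; presumably one spelling is meant for both.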
@@ -0,0 +1,89 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/libreoffice/program/soffice.bin
+profile libreoffice-soffice @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/paperconf rix,
+
+ @{sh_path} rix,
+
+ @{lib}/libreoffice/{,**} r,
+ @{lib}/gconv/gconv-modules.cache r,
+ # aa-log requested, but should not be user writeable
+ owner @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
+
+ /usr/share/libreoffice/{,**} r,
+ /usr/share/libexttextcat/{,**} r,
+ /usr/share/liblangtag/{,**} r,
+ /usr/share/ca-certificates/trust-source/{,**} r,
+ /usr/share/hunspell/{,**} r,
+ /usr/share/hyphen/{,**} r,
+ /usr/share/mythes/{,**} r,
+
+ /etc/libreoffice/{,**} r,
+ /etc/java@{int}-openjdk/{,**} r,
+ /etc/paperspecs r,
+ /etc/machine-id r,
+ /etc/ca-certificates/trust-source/{,**} r,
+
+ owner /var/spool/libreoffice/{,**} rw,
+ owner @{user_cache_dirs}/libreoffice/{,**} rw,
+ owner @{user_config_dirs}/libreoffice/{,**} rwk,
+
+ /tmp/ r,
+ owner @{tmp}/@{rand6} rwk,
+ owner @{tmp}/*.tmp/{,**} rwk,
+ owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w,
+ owner @{tmp}/.java_pid@{int}{,.tmp} rw,
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
+
+ # /dev/tty rw,
+
+ owner /dev/pts/@{int} r,
+
+ @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
+ @{sys}/devices/virtual/block/**/queue/rotational r,
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/transparent_hugepage/enabled r,
+ @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
+
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+
+ @{PROC}/cgroups r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/coredump_filter rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ profile paperconf {
+ @{bin}/paperconf r,
+
+ @{lib}/libreoffice/program/types.rdb r, # file_inherit
+ @{lib}/libreoffice/program/types/offapi.rdb r, # file_inherit
+ @{lib}/libreoffice/program/types/oovbaapi.rdb r, # file_inherit
+ @{lib}/libreoffice/share/config/images_elementary.zip r, # file_inherit
+
+ /etc/paperspecs r,
+
+ owner @{user_config_dirs}/libreoffice/4/user/extensions/bundled/extensions.pmap rw, # file_inherit
+ }
+
+
+ include if exists
+}
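Review bot: `owner @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,` grants write access into the system library tree while the comment directly above it says the path should not be user writable; if the goal is only to keep the denial out of the audit log, a silencing rule, `deny @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,`, expresses that without allowing the write. `@{sh_path} rix,` lets soffice.bin run a shell with the full profile's permissions and has no comment saying which feature needs it, so it is worth a one-line justification or narrowing once that is known. The child profile's `owner @{user_config_dirs}/libreoffice/4/user/extensions/bundled/extensions.pmap rw,` hard-codes the profile version where the oosplash child uses `@{int}`; the two should agree. The targets of the `abi`, `include` and `include if exists` lines appear stripped in this rendering, so the abstractions they pull in cannot be reviewed here.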