diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash b/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
deleted file mode 100644
index 3bd6df6f..00000000
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash
+++ /dev/null
@@ -1,36 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2016 Canonical Ltd.
-# Copyright (C) 2018 Software in the Public Interest, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Author: Bryan Quigley
-# Rene Engelhard
-#
-# ------------------------------------------------------------------
-
-#include
-
-profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(complain) {
- #include
- #include
-
- /etc/libreoffice/ r,
- /etc/libreoffice/** r,
- /etc/passwd r,
- /etc/nsswitch.conf r,
- @{run}/nscd/passwd r,
- /sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c
- /usr/lib{,32,64}/ure/bin/javaldx rmpux,
- /usr/share/libreoffice/program/* r,
- /usr/lib/libreoffice/program/** r,
- /usr/lib/libreoffice/program/soffice.bin rmpx,
- /usr/lib/libreoffice/program/javaldx rmpux,
- owner @{HOME}/.Xauthority r,
- owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
- unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
- unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
-}
diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc b/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc
deleted file mode 100644
index 8e931f34..00000000
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc
+++ /dev/null
@@ -1,37 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2016 Canonical Ltd.
-# Copyright (C) 2017 Software in the Public Interest, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Authors: Bryan Quigley
-# Rene Engelhard
-#
-# ------------------------------------------------------------------
-
-include
-
-profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain) {
- include
-
- include
-
- /{usr/,}bin/sh rmix,
- /{usr/,}bin/bash rmix,
- /{usr/,}bin/dash rmix,
- /{usr/,}bin/sed rmix,
- /usr/bin/dirname rmix,
- /usr/bin/basename rmix,
- /{usr/,}bin/grep rmix,
- /{usr/,}bin/uname rmix,
- /usr/bin/xdg-open rPx,
- /usr/bin/xdg-email rPx,
- /dev/null rw,
- /usr/lib/libreoffice/program/uri-encode rmpux,
- /usr/share/libreoffice/share/config/* r,
- owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
-}
-
diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
deleted file mode 100644
index e57eca1a..00000000
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
+++ /dev/null
@@ -1,273 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2016 Canonical Ltd.
-# Copyright (C) 2018 Software in the Public Interest, Inc.
-# Copyright (C) 2021 Google LLC
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Authors: Jonathan Davies
-# Bryan Quigley
-# Rene Engelhard
-#
-# ------------------------------------------------------------------
-
-# This profile should enable the average LibreOffice user to get their
-# work done while blocking some advanced usage
-# Namely not tested and likely not working : embedded plugins,
-# Using the LibreOffice SDK and other development tasks
-# Everything else should be working
-
-#Defines all common supported file formats
-#Some obscure ones we're excluded (mostly input)
-
-#Generic
-#.txt
-@{libreoffice_ext} = [tT][xX][tT]
-#All the open document format
-@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
-#.xml and xsl
-@{libreoffice_ext} += [xX][mMsS][lL]
-#.pdf
-@{libreoffice_ext} += [pP][dD][fF]
-#Unified office format
-@{libreoffice_ext} += [uU][oO][fFtTsSpP]
-#(x)htm(l)
-@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
-#.epub
-@{libreoffice_ext} += [eE][pP][uU][bB]
-#.ps (printing to file)
-@{libreoffice_ext} += [pP][sS]
-
-#Images
-@{libreoffice_ext} += [jJ][pP][gG]
-@{libreoffice_ext} += [jJ][pP][eE][gG]
-@{libreoffice_ext} += [pP][nN][gG]
-@{libreoffice_ext} += [sS][vV][gG]
-@{libreoffice_ext} += [sS][vV][gG][zZ]99251
-@{libreoffice_ext} += [tT][iI][fF]
-@{libreoffice_ext} += [tT][iI][fF][fF]
-
-#Writer
-@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
-@{libreoffice_ext} += [rR][tT][fF]
-
-#Calc
-@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
-@{libreoffice_ext} += [xX][lL][wW]
-#.dif dbf
-@{libreoffice_ext} += [dD][iIbB][fF]
-#.tsv .csv
-@{libreoffice_ext} += [cCtT][sS][vV]
-@{libreoffice_ext} += [sS][lL][kK]
-
-#Impress/Draw
-@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
-@{libreoffice_ext} += [pP][oO][tT]{,m,M}
-#Photoshop
-@{libreoffice_ext} += [pP][sS][dD]
-
-#Math
-@{libreoffice_ext} += [mM][mM][lL]
-
-@{libo_user_dirs} = @{HOME} /mnt /media
-
-#include
-
-profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
- #include
-
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
-# GnuPG1 only...
-# #include
- #include
- #include
-
- #include
-
- #include
- #include
- #include
-
- #List directories for file browser
- / r,
- /**/ r,
-
- owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
- owner @{libo_user_dirs}/**~lock.* rw, #lock file support
- owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
- owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk, #Temporary file used when saving
- owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
-
- # Settings
- /etc/libreoffice/ r,
- /etc/libreoffice/** r,
-
- /etc/cups/ppd/*.ppd r,
- /etc/xml/catalog r, #exporting to .xhtml, for libxml2
- /proc/*/status r,
-
- owner @{user_config_dirs}/libreoffice{,dev}/** rwk,
- owner @{user_config_dirs}/soffice.binrc rwl -> @{user_config_dirs}/#[0-9]*,
- owner @{user_config_dirs}/soffice.binrc.* rwl -> @{user_config_dirs}/#[0-9]*,
- owner @{user_config_dirs}/soffice.binrc.lock rwk,
- owner @{user_cache_dirs}/fontconfig/** rw,
- owner @{user_config_dirs}/gtk-???/bookmarks r, #Make bookmarks work
-
- owner /{,var/}run/user/@{uid}/dconf/user rw,
- owner @{user_config_dirs}/dconf/user r,
-
- # allow schema to be read
- /usr/share/glib-*/schemas/ r,
- /usr/share/glib-*/schemas/** r,
-
- # bluetooth send to
- network bluetooth,
-
- /{usr/,}bin/sh rmix,
- /{usr/,}bin/bash rmix,
- /{usr/,}bin/dash rmix,
- /{usr/,}bin/rm rmix, #deleting /tmp/psp1534203998 (printing to file)
- /usr/bin/bluetooth-sendto rmPUx,
- /usr/bin/lpr rmPUx,
- /usr/bin/paperconf rmix,
- /usr/bin/gpgconf rmix,
- /usr/bin/gpg rmCx -> gpg,
- /usr/bin/gpgsm rmCx -> gpg,
- /usr/bin/gpa rix,
- /usr/bin/seahorse rix,
- /usr/bin/kgpg rix,
- /usr/bin/kleopatra rix,
-
- /dev/tty rw,
-
- /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
- owner @{user_cache_dirs}/gstreamer-???/** rw,
- unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
-
- /usr/lib{,32,64}/jvm/ r,
- /usr/lib{,32,64}/jvm/** r,
- /usr/lib{,32,64}/jvm/**/jre/bin/java mix,
- /usr/lib{,32,64}/jvm/**/bin/java mix,
- # should be included in the jvm/** above but there it is
- # a symlink, so apparmor still doesn't allow it...
- /etc/java-??-openjdk/security/java.security r,
- /usr/lib/libreoffice/** rw,
- /usr/lib/libreoffice/**.so m,
- /usr/lib/libreoffice/program/soffice.bin mix,
- /usr/lib/libreoffice/program/xpdfimport px,
- /usr/lib/libreoffice/program/senddoc px,
- /usr/bin/xdg-open rPx,
-
- /usr/share/java/**.jar r,
- /usr/share/hunspell/ r,
- /usr/share/hunspell/** r,
- /usr/share/hyphen/ r,
- /usr/share/hyphen/** r,
- /usr/share/mythes/ r,
- /usr/share/mythes/** r,
- /usr/share/liblangtag/ r,
- /usr/share/liblangtag/** r,
- /usr/share/libreoffice/ r,
- /usr/share/libreoffice/** r,
- /usr/share/yelp-xsl/xslt/mallard/** r,
- /usr/share/libexttextcat/* r,
- /usr/share/icu/** r,
- /usr/share/locale-bundle/* r,
-
- /var/spool/libreoffice/ r,
- /var/spool/libreoffice/** rw,
- /var/cache/fontconfig/ rw,
-
- #Likely moving to abstractions in the future
- owner @{HOME}/.icons/*/cursors/* r,
- /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
- /usr/share/*-fonts/conf.avail/*.conf r,
- /usr/share/fonts-config/conf.avail/*.conf r,
- /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
- /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
- @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
-
- #To avoid "Unable to create io-slave." for file dialog
- owner /{,var/}run/user/@{uid}/#[0-9]* rw,
- #For KIO IO::Slave::createSlave()
- owner /{,var/}run/user/@{uid}/soffice.bin*.slave-socket wl -> /{,var/}run/user/@{uid}/#[0-9]*,
-
- owner @{HOME}/.mozilla/firefox/profiles.ini r,
- owner @{HOME}/.mozilla/firefox/*/secmod.db r,
- # firefox < 58
- owner @{HOME}/.mozilla/firefox/*/cert8.db r,
- # firefox >= 58
- owner @{HOME}/.mozilla/firefox/*/cert9.db r,
-
- owner @{user_share_dirs}/user-places.xbel r,
-
- # there is abstractions/gnupg but that's just for gpg1...
- profile gpg {
- #include
-
- /usr/bin/gpgconf mr,
- /usr/bin/gpg mr,
- /usr/bin/gpgsm mr,
-
- owner @{HOME}/@{XDG_GPG_DIR}/* r,
- owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk,
- owner @{HOME}/@{XDG_GPG_DIR}/tofu.db rwk,
- }
-
- # probably should become a subprofile like gpg above, but then it doesn't
- # work either as it tries to access stuff only allowed above...
- owner @{user_config_dirs}/kdeglobals r,
- /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
- /usr/share/qt5/translations/* r,
- /usr/lib/*/qt5/plugins/** mr,
- /usr/share/plasma/look-and-feel/**/contents/defaults r,
-
- # TODO: remove when rules are available in abstractions/kde
- owner @{user_cache_dirs}/ksycoca5_??_* r, # KDE System Configuration Cache
- owner @{user_config_dirs}/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
- owner @{user_config_dirs}/dolphinrc r, # settings used by KFileWidget
- owner @{user_config_dirs}/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
- owner @{user_config_dirs}/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
- owner @{user_config_dirs}/trashrc r, # user by KFileWidget
- /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
-
- # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
- owner @{user_cache_dirs}/icon-cache.kcache rw, # for KIconLoader
-
- # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
- /usr/share/kservices5/*.protocol r,
-
- # TODO: use qt5-settings-write abstraction when it is available
- owner @{user_config_dirs}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
- owner @{user_config_dirs}/QtProject.conf rw,
- owner @{user_config_dirs}/QtProject.conf.?????? l -> @{user_config_dirs}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
- owner @{user_config_dirs}/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
- owner @{user_config_dirs}/QtProject.conf.lock rwk,
-
- # TODO: use qt5-compose-cache-write abstraction when it is available
- owner @{user_cache_dirs}/qt_compose_cache_{little,big}_endian_* r,
-
- # TODO: use recent-documents-write abstraction when it is available
- owner @{user_share_dirs}/RecentDocuments/** r,
- owner @{user_share_dirs}/RecentDocuments/*.desktop rwl -> @{user_share_dirs}/RecentDocuments/#[0-9]*,
- owner @{user_share_dirs}/RecentDocuments/#[0-9]* rw,
- owner @{user_share_dirs}/RecentDocuments/*.lock rwk,
-
- # TODO: use kde-globals-write abstraction when it is available
- owner @{user_config_dirs}/kdeglobals rw,
- owner @{user_config_dirs}/kdeglobals.* rwl -> @{user_config_dirs}/#[0-9]*,
- owner @{user_config_dirs}/kdeglobals.lock rwk,
-}
diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.xpdfimport b/apparmor.d/groups/apps/usr.lib.libreoffice.program.xpdfimport
deleted file mode 100644
index d934834f..00000000
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.xpdfimport
+++ /dev/null
@@ -1,31 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2016 Canonical Ltd.
-# Copyright (C) 2017 Software in the Public Interest, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Authors: Bryan Quigley
-# Rene Engelhard
-#
-# ------------------------------------------------------------------
-
-include
-
-profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(complain) {
- include
-
- include
-
- /usr/share/poppler/** r,
- /usr/share/libreoffice/share/config/* r,
- owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
-
- /usr/lib/libreoffice/program/xpdfimport pxm,
-
- #Uncomment for build testing (should be one directory <- of instdir)
- #/mnt/store/git/libo/** r,
-}
-