search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
history | raw | HEAD
bump product version to 6.4.0.3
[LibreOffice.git] / sysui / desktop / apparmor / program.soffice.bin
blobc611d7635003bbb55340149fd89f4d2a2a0c68e5
1 # ------------------------------------------------------------------
2 #
3 #    Copyright (C) 2016 Canonical Ltd.
4 #    Copyright (C) 2018 Software in the Public Interest, Inc.
5 #
6 #    This Source Code Form is subject to the terms of the Mozilla Public
7 #    License, v. 2.0. If a copy of the MPL was not distributed with this
8 #    file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 #
10 #    Authors: Jonathan Davies <jonathan.davies@canonical.com>
11 #             Bryan Quigley <bryan.quigley@canonical.com>
12 #             Rene Engelhard <rene@debian.org>
13 #
14 # ------------------------------------------------------------------
15
16 # This profile should enable the average LibreOffice user to get their 
17 # work done while blocking some advanced usage
18 # Namely not tested and likely not working : embedded plugins,
19 # Using the LibreOffice SDK and other development tasks
20 # Everything else should be working
21
22 #Defines all common supported file formats
23 #Some obscure ones we're excluded (mostly input)
24
25 #Generic
26 #.txt
27 @{libreoffice_ext} = [tT][xX][tT]
28 #All the open document format
29 @{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
30 #.xml and xsl
31 @{libreoffice_ext} += [xX][mMsS][lL]
32 #.pdf
33 @{libreoffice_ext} += [pP][dD][fF]
34 #Unified office format
35 @{libreoffice_ext} += [uU][oO][fFtTsSpP]
36 #(x)htm(l)
37 @{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
38 #.epub
39 @{libreoffice_ext} += [eE][pP][uU][bB]
40 #.ps (printing to file)
41 @{libreoffice_ext} += [pP][sS]
42
43 #Images
44 @{libreoffice_ext} += [jJ][pP][gG]
45 @{libreoffice_ext} += [jJ][pP][eE][gG]
46 @{libreoffice_ext} += [pP][nN][gG]
47 @{libreoffice_ext} += [sS][vV][gG]
48 @{libreoffice_ext} += [sS][vV][gG][zZ]99251
49 @{libreoffice_ext} += [tT][iI][fF]
50 @{libreoffice_ext} += [tT][iI][fF][fF]
51
52 #Writer
53 @{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
54 @{libreoffice_ext} += [rR][tT][fF]
55
56 #Calc
57 @{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
58 @{libreoffice_ext} += [xX][lL][wW]
59 #.dif dbf
60 @{libreoffice_ext} += [dD][iIbB][fF]
61 #.tsv .csv
62 @{libreoffice_ext} += [cCtT][sS][vV]
63 @{libreoffice_ext} += [sS][lL][kK]
64
65 #Impress/Draw
66 @{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
67 @{libreoffice_ext} += [pP][oO][tT]{,m,M}
68 #Flash
69 @{libreoffice_ext} += [sS][wW][fF]
70 #Photoshop
71 @{libreoffice_ext} += [pP][sS][dD]
72
73 #Math
74 @{libreoffice_ext} += [mM][mM][lL]
75
76 @{libo_user_dirs} = @{HOME} /mnt /media
77
78 #include <tunables/global>
79
80 profile libreoffice-soffice INSTDIR-program/soffice.bin {
81   #include <abstractions/private-files>
82
83   #include <abstractions/audio>
84   #include <abstractions/bash>
85   #include <abstractions/cups-client>
86   #include <abstractions/dbus>
87   #include <abstractions/dbus-session>
88   #include <abstractions/dbus-accessibility>
89   #include <abstractions/ibus>
90   #include <abstractions/nameservice>
91   #include <abstractions/gnome>
92 # GnuPG1 only...
93 # #include <abstractions/gnupg>
94   #include <abstractions/python>
95   #include <abstractions/p11-kit>
96
97   #List directories for file browser
98   /                                     r,
99   /**/                                  r,
100
101   owner @{libo_user_dirs}/**/           rw,  #allow creating directories that we own
102   owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
103   owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts
104   owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
105   owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
106
107   # Settings
108   /etc/libreoffice/                     r,
109   /etc/libreoffice/**                   r,
110
111   /etc/cups/ppd/*.ppd                   r,
112   /etc/xml/catalog                      r, #exporting to .xhtml, for libxml2
113   /proc/*/status                        r,
114
115   owner @{HOME}/.config/libreoffice{,dev}/** rwk,
116   owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
117   owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
118   owner @{HOME}/.config/soffice.binrc.lock rwk,
119   owner @{HOME}/.cache/fontconfig/**    rw,
120   owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
121   owner /tmp/psp[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]* rw, #/tmp/psp1534203998 (printing to file)
122
123   owner /{,var/}run/user/*/dconf/user   rw,
124   owner @{HOME}/.config/dconf/user      r,
125
126   # allow schema to be read
127   /usr/share/glib-*/schemas/            r,
128   /usr/share/glib-*/schemas/**          r,
129
130   # bluetooth send to
131   network bluetooth,
132
133   /{usr/,}bin/sh                        rmix,
134   /{usr/,}bin/bash                      rmix,
135   /{usr/,}bin/dash                      rmix,
136   /{usr/,}bin/rm                        rmix, #deleting /tmp/psp1534203998 (printing to file)
137   /usr/bin/bluetooth-sendto             rmPUx,
138   /usr/bin/lpr                          rmPUx,
139   /usr/bin/paperconf                    rmix,
140   /usr/bin/gpgconf                      rmix,
141   /usr/bin/gpg                          rmCx -> gpg,
142   /usr/bin/gpgsm                        rmCx -> gpg,
143   /usr/bin/gpa                          rix,
144   /usr/bin/seahorse                     rix,
145   /usr/bin/kgpg                         rix,
146   /usr/bin/kleopatra                    rix,
147
148   /dev/tty                              rw,
149
150   /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner   rmPUx,
151   owner @{HOME}/.cache/gstreamer-???/**                                 rw,
152   unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),  #Gstreamer doesn't work without this
153
154   /usr/lib{,32,64}/jvm/                         r,
155   /usr/lib{,32,64}/jvm/**                       r,
156   /usr/lib{,32,64}/jvm/**/jre/bin/java          mix,
157   /usr/lib{,32,64}/jvm/**/bin/java              mix,
158   INSTDIR-**                        rw,
159   INSTDIR-**.so                     m,
160   INSTDIR-program/soffice.bin       mix,
161   INSTDIR-program/xpdfimport        px,
162   INSTDIR-program/senddoc           px,
163   /usr/bin/xdg-open                 rPUx,
164
165   /usr/share/java/**.jar                r,
166   /usr/share/hunspell/                  r,
167   /usr/share/hunspell/**                r,
168   /usr/share/hyphen/                    r,
169   /usr/share/hyphen/**                  r,
170   /usr/share/mythes/                    r,
171   /usr/share/mythes/**                  r,
172   /usr/share/liblangtag/                r,
173   /usr/share/liblangtag/**              r,
174   /usr/share/libreoffice/               r,
175   /usr/share/libreoffice/**             r,
176   /usr/share/yelp-xsl/xslt/mallard/**   r,
177   /usr/share/libexttextcat/*            r,
178   /usr/share/icu/**                     r,
179   /usr/share/locale-bundle/*            r,
180
181   /var/spool/libreoffice/               r,
182   /var/spool/libreoffice/**             rw,
183   /var/cache/fontconfig/                rw,
184
185   #Likely moving to abstractions in the future
186   owner @{HOME}/.icons/*/cursors/*      r,
187   /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
188   /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # for libdrm
189   /usr/share/*-fonts/conf.avail/*.conf  r,
190   /usr/share/fonts-config/conf.avail/*.conf r,
191   /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
192   /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
193   @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
194
195   #To avoid "Unable to create io-slave." for file dialog
196   owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
197   #For KIO IO::Slave::createSlave()
198   owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
199
200   owner @{HOME}/.mozilla/firefox/profiles.ini r,
201   owner @{HOME}/.mozilla/firefox/*/secmod.db r,
202   # firefox < 58
203   owner @{HOME}/.mozilla/firefox/*/cert8.db r,
204   # firefox >= 58
205   owner @{HOME}/.mozilla/firefox/*/cert9.db r,
206
207   owner @{HOME}/.local/share/user-places.xbel r,
208
209   # there is abstractions/gnupg but that's just for gpg1...
210   profile gpg {
211     #include <abstractions/base>
212
213    /usr/bin/gpgconf rm,
214    /usr/bin/gpg rm,
215    /usr/bin/gpgsm rm,
216
217     owner @{HOME}/.gnupg/* r,
218     owner @{HOME}/.gnupg/random_seed rk,
219   }
220
221   # probably should become a subprofile like gpg above, but then it doesn't
222   # work either as it tries to access stuff only allowed above...
223   owner @{HOME}/.config/kdeglobals r,
224   /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
225   /usr/share/qt5/translations/* r,
226   /usr/lib/*/qt5/plugins/** rm,
227   /usr/share/plasma/look-and-feel/**/contents/defaults r,
228
229   # TODO: remove when rules are available in abstractions/kde
230   owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
231   owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
232   owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
233   owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
234   owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
235   owner @{HOME}/.config/trashrc r, # user by KFileWidget
236   /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
237
238   # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
239   owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
240
241   # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
242   /usr/share/kservices5/*.protocol r,
243
244   # TODO: use qt5-settings-write abstraction when it is available
245   owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
246   owner @{HOME}/.config/QtProject.conf rw,
247   owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
248   owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
249   owner @{HOME}/.config/QtProject.conf.lock rwk,
250
251   # TODO: use qt5-compose-cache-write abstraction when it is available
252   owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
253
254   # TODO: use recent-documents-write abstraction when it is available
255   owner @{HOME}/.local/share/RecentDocuments/** r,
256   owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
257   owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
258   owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
259
260   # TODO: use kde-globals-write abstraction when it is available
261   owner @{HOME}/.config/kdeglobals rw,
262   owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
263   owner @{HOME}/.config/kdeglobals.lock rwk,
264 }
FREE OFFICE SUITE