sysui/desktop/apparmor/program.soffice.bin

   1 # ------------------------------------------------------------------
   2 #
   3 #    Copyright (C) 2016 Canonical Ltd.
   4 #    Copyright (C) 2018 Software in the Public Interest, Inc.
   5 #
   6 #    This Source Code Form is subject to the terms of the Mozilla Public
   7 #    License, v. 2.0. If a copy of the MPL was not distributed with this
   8 #    file, You can obtain one at http://mozilla.org/MPL/2.0/.
   9 #
  10 #    Authors: Jonathan Davies <jonathan.davies@canonical.com>
  11 #             Bryan Quigley <bryan.quigley@canonical.com>
  12 #             Rene Engelhard <rene@debian.org>
  13 #
  14 # ------------------------------------------------------------------
  15
  16 # This profile should enable the average LibreOffice user to get their
  17 # work done while blocking some advanced usage
  18 # Namely not tested and likely not working : embedded plugins,
  19 # Using the LibreOffice SDK and other development tasks
  20 # Everything else should be working
  21
  22 #Defines all common supported file formats
  23 #Some obscure ones we're excluded (mostly input)
  24
  25 #Generic
  26 #.txt
  27 @{libreoffice_ext} = [tT][xX][tT]
  28 #All the open document format
  29 @{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
  30 #.xml and xsl
  31 @{libreoffice_ext} += [xX][mMsS][lL]
  32 #.pdf
  33 @{libreoffice_ext} += [pP][dD][fF]
  34 #Unified office format
  35 @{libreoffice_ext} += [uU][oO][fFtTsSpP]
  36 #(x)htm(l)
  37 @{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
  38 #.epub
  39 @{libreoffice_ext} += [eE][pP][uU][bB]
  40 #.ps (printing to file)
  41 @{libreoffice_ext} += [pP][sS]
  42
  43 #Images
  44 @{libreoffice_ext} += [jJ][pP][gG]
  45 @{libreoffice_ext} += [jJ][pP][eE][gG]
  46 @{libreoffice_ext} += [pP][nN][gG]
  47 @{libreoffice_ext} += [sS][vV][gG]
  48 @{libreoffice_ext} += [sS][vV][gG][zZ]99251
  49 @{libreoffice_ext} += [tT][iI][fF]
  50 @{libreoffice_ext} += [tT][iI][fF][fF]
  51
  52 #Writer
  53 @{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
  54 @{libreoffice_ext} += [rR][tT][fF]
  55
  56 #Calc
  57 @{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
  58 @{libreoffice_ext} += [xX][lL][wW]
  59 #.dif dbf
  60 @{libreoffice_ext} += [dD][iIbB][fF]
  61 #.tsv .csv
  62 @{libreoffice_ext} += [cCtT][sS][vV]
  63 @{libreoffice_ext} += [sS][lL][kK]
  64
  65 #Impress/Draw
  66 @{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
  67 @{libreoffice_ext} += [pP][oO][tT]{,m,M}
  68 #Flash
  69 @{libreoffice_ext} += [sS][wW][fF]
  70 #Photoshop
  71 @{libreoffice_ext} += [pP][sS][dD]
  72
  73 #Math
  74 @{libreoffice_ext} += [mM][mM][lL]
  75
  76 @{libo_user_dirs} = @{HOME} /mnt /media
  77
  78 #include <tunables/global>
  79
  80 profile libreoffice-soffice INSTDIR-program/soffice.bin {
  81   #include <abstractions/private-files>
  82
  83   #include <abstractions/audio>
  84   #include <abstractions/bash>
  85   #include <abstractions/cups-client>
  86   #include <abstractions/dbus>
  87   #include <abstractions/dbus-session>
  88   #include <abstractions/dbus-accessibility>
  89   #include <abstractions/ibus>
  90   #include <abstractions/nameservice>
  91   #include <abstractions/gnome>
  92 # GnuPG1 only...
  93 # #include <abstractions/gnupg>
  94   #include <abstractions/python>
  95   #include <abstractions/p11-kit>
  96
  97   #List directories for file browser
  98   /                                     r,
  99   /**/                                  r,
 100
 101   owner @{libo_user_dirs}/**/           rw,  #allow creating directories that we own
 102   owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
 103   owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts
 104   owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
 105   owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
 106
 107   # Settings
 108   /etc/libreoffice/                     r,
 109   /etc/libreoffice/**                   r,
 110
 111   /etc/cups/ppd/*.ppd                   r,
 112   /etc/xml/catalog                      r, #exporting to .xhtml, for libxml2
 113   /proc/*/status                        r,
 114
 115   owner @{HOME}/.config/libreoffice{,dev}/** rwk,
 116   owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
 117   owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
 118   owner @{HOME}/.config/soffice.binrc.lock rwk,
 119   owner @{HOME}/.cache/fontconfig/**    rw,
 120   owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
 121   owner /tmp/psp[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]* rw, #/tmp/psp1534203998 (printing to file)
 122
 123   owner /{,var/}run/user/*/dconf/user   rw,
 124   owner @{HOME}/.config/dconf/user      r,
 125
 126   # allow schema to be read
 127   /usr/share/glib-*/schemas/            r,
 128   /usr/share/glib-*/schemas/**          r,
 129
 130   # bluetooth send to
 131   network bluetooth,
 132
 133   /{usr/,}bin/sh                        rmix,
 134   /{usr/,}bin/bash                      rmix,
 135   /{usr/,}bin/dash                      rmix,
 136   /{usr/,}bin/rm                        rmix, #deleting /tmp/psp1534203998 (printing to file)
 137   /usr/bin/bluetooth-sendto             rmPUx,
 138   /usr/bin/lpr                          rmPUx,
 139   /usr/bin/paperconf                    rmix,
 140   /usr/bin/gpgconf                      rmix,
 141   /usr/bin/gpg                          rmCx -> gpg,
 142   /usr/bin/gpgsm                        rmCx -> gpg,
 143   /usr/bin/gpa                          rix,
 144   /usr/bin/seahorse                     rix,
 145   /usr/bin/kgpg                         rix,
 146   /usr/bin/kleopatra                    rix,
 147
 148   /dev/tty                              rw,
 149
 150   /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner   rmPUx,
 151   owner @{HOME}/.cache/gstreamer-???/**                                 rw,
 152   unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),  #Gstreamer doesn't work without this
 153
 154   /usr/lib{,32,64}/jvm/                         r,
 155   /usr/lib{,32,64}/jvm/**                       r,
 156   /usr/lib{,32,64}/jvm/**/jre/bin/java          mix,
 157   /usr/lib{,32,64}/jvm/**/bin/java              mix,
 158   INSTDIR-**                        rw,
 159   INSTDIR-**.so                     m,
 160   INSTDIR-program/soffice.bin       mix,
 161   INSTDIR-program/xpdfimport        px,
 162   INSTDIR-program/senddoc           px,
 163   /usr/bin/xdg-open                 rPUx,
 164
 165   /usr/share/java/**.jar                r,
 166   /usr/share/hunspell/                  r,
 167   /usr/share/hunspell/**                r,
 168   /usr/share/hyphen/                    r,
 169   /usr/share/hyphen/**                  r,
 170   /usr/share/mythes/                    r,
 171   /usr/share/mythes/**                  r,
 172   /usr/share/liblangtag/                r,
 173   /usr/share/liblangtag/**              r,
 174   /usr/share/libreoffice/               r,
 175   /usr/share/libreoffice/**             r,
 176   /usr/share/yelp-xsl/xslt/mallard/**   r,
 177   /usr/share/libexttextcat/*            r,
 178   /usr/share/icu/**                     r,
 179   /usr/share/locale-bundle/*            r,
 180
 181   /var/spool/libreoffice/               r,
 182   /var/spool/libreoffice/**             rw,
 183   /var/cache/fontconfig/                rw,
 184
 185   #Likely moving to abstractions in the future
 186   owner @{HOME}/.icons/*/cursors/*      r,
 187   /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
 188   /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # for libdrm
 189   /usr/share/*-fonts/conf.avail/*.conf  r,
 190   /usr/share/fonts-config/conf.avail/*.conf r,
 191   /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
 192   /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
 193   @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
 194
 195   #To avoid "Unable to create io-slave." for file dialog
 196   owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
 197   #For KIO IO::Slave::createSlave()
 198   owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
 199
 200   owner @{HOME}/.mozilla/firefox/profiles.ini r,
 201   owner @{HOME}/.mozilla/firefox/*/secmod.db r,
 202   # firefox < 58
 203   owner @{HOME}/.mozilla/firefox/*/cert8.db r,
 204   # firefox >= 58
 205   owner @{HOME}/.mozilla/firefox/*/cert9.db r,
 206
 207   owner @{HOME}/.local/share/user-places.xbel r,
 208
 209   # there is abstractions/gnupg but that's just for gpg1...
 210   profile gpg {
 211     #include <abstractions/base>
 212
 213    /usr/bin/gpgconf rm,
 214    /usr/bin/gpg rm,
 215    /usr/bin/gpgsm rm,
 216
 217     owner @{HOME}/.gnupg/* r,
 218     owner @{HOME}/.gnupg/random_seed rk,
 219   }
 220
 221   # probably should become a subprofile like gpg above, but then it doesn't
 222   # work either as it tries to access stuff only allowed above...
 223   owner @{HOME}/.config/kdeglobals r,
 224   /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
 225   /usr/share/qt5/translations/* r,
 226   /usr/lib/*/qt5/plugins/** rm,
 227   /usr/share/plasma/look-and-feel/**/contents/defaults r,
 228
 229   # TODO: remove when rules are available in abstractions/kde
 230   owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
 231   owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
 232   owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
 233   owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
 234   owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
 235   owner @{HOME}/.config/trashrc r, # user by KFileWidget
 236   /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
 237
 238   # TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
 239   owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
 240
 241   # TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
 242   /usr/share/kservices5/*.protocol r,
 243
 244   # TODO: use qt5-settings-write abstraction when it is available
 245   owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
 246   owner @{HOME}/.config/QtProject.conf rw,
 247   owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
 248   owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
 249   owner @{HOME}/.config/QtProject.conf.lock rwk,
 250
 251   # TODO: use qt5-compose-cache-write abstraction when it is available
 252   owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
 253
 254   # TODO: use recent-documents-write abstraction when it is available
 255   owner @{HOME}/.local/share/RecentDocuments/** r,
 256   owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
 257   owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
 258   owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
 259
 260   # TODO: use kde-globals-write abstraction when it is available
 261   owner @{HOME}/.config/kdeglobals rw,
 262   owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
 263   owner @{HOME}/.config/kdeglobals.lock rwk,
 264 }