- Package:
- libreoffice-core
- Source:
- libreoffice
- Description:
- office productivity suite -- arch-dependent files
- Submitter:
- Anthony DeRobertis
- Date:
- 2025-08-08 14:20:31 UTC
- Severity:
- normal
- Tags:
I understand the goal is to get AppArmor back into enforcing mode someday, so presumably these complain-mode allow messages are of use. Presumably the xauth one will affect a lot of people (as that's the value of $XAUTHORITY here, set by KDE/sddm). Then there is a lot of nVidia stuff, probably from this machine using the nVidia proprietary driver.

(Side note, I understand sandboxing web browsers and the like with AppArmor. Firefox shouldn't have random access to $HOME. But I wonder if it's really worth it for LibreOffice; by its nature it must have access to my important documents. But that's a discussion for elsewhere, I'm sure.)

```
Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.729:201): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.849:202): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:203): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:204): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:205): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:206): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:207): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:208): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:209): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.333:287): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.453:288): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:289): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:290): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:291): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25519 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:292): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:293): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:294): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:295): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=25519 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:296): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.387:372): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=26523 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.491:373): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.615:374): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:375): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:376): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:377): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=26536 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:378): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:379): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:380): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:381): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=26536 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
```
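An added example, not part of the original report or of any AppArmor tool: it collapses complain-mode audit records like the ones above into unique (profile, path, mask) entries and renders each as a draft rule for review. The function names are hypothetical, and the sample is constructed from four of the records quoted in the report.

```python
import re
from collections import Counter

# Constructed sample: four of the audit records quoted in the report above.
SAMPLE = """\
Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.729:201): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.849:202): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:205): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and HEX.fullmatch(bare):
            # The kernel hex-encodes paths containing spaces or quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def summarize(log_text):
    """Count unique (profile, path, mask, owner) tuples in ALLOWED/DENIED records."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in rec:
            continue
        owner = rec.get("fsuid") == rec.get("ouid")  # file owned by the calling user
        mask = "".join(sorted(rec.get("denied_mask", "")))
        seen[(rec.get("profile", "?"), rec["name"], mask, owner)] += 1
    return seen

def candidate_rules(seen):
    """Render each tuple as a draft rule; paths are literal and need generalizing."""
    rules = {}
    for (profile, path, mask, owner), n in sorted(seen.items()):
        prefix = "owner " if owner else ""
        rules.setdefault(profile, []).append(f"{prefix}{path} {mask},  # seen {n}x")
    return rules

if __name__ == "__main__":
    for profile, lines in candidate_rules(summarize(SAMPLE)).items():
        print(profile, *lines, sep="\n  ")
```

The output is a review aid only: a literal path such as `/tmp/xauth-1000-_0` still has to be generalized by hand before it belongs in a profile.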
Hi,

Maybe. Then the nvidia drivers (which I do not care about at all, to be honest) or libdrm or whatever should ship needed stuff. I mean, it's not LO using the stuff directly, it's those. It would imho be complete nonsense to make LO honour driver-specific things for every possible driver.

I think I saw these once in another report where I reassigned that one or a clone to either of those, need to search for it...

Yes, and there's the "get xyz from the filesystem" or "do not run xyz after a security bug was used" scenario. I wouldn't have written a profile if one (incomplete and ooold, as noticed.) wasn't already there and ready to be installed.

Not that it matters here, but no -kde(5) even when you're using KDE?

Regards, Rene
```
tag 911897 + moreinfo
tag 911897 + unreproducible
thanks
```

Really?

```
$ echo $XAUTHORITY
/home/rene/.Xauthority
```

(set by sddm logging into GNOME)

Shouldn't - if KDE set it - it not have been found when Vincas did https://cgit.freedesktop.org/libreoffice/core/commit/?id=c86e4ad53391d17d1eb54845b5999889f7e65061 ?

```
$ echo $XAUTHORITY
/home/rene/.Xauthority
```

(set by sddm logging into Plasma)
^^^^^^^^^^^^^^^^^^

```
root@frodo:~# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.oosplash
Setting /etc/apparmor.d/usr.lib.libreoffice.program.oosplash to enforce mode.
root@frodo:~# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.
```

Starts fine and does NOT print above (or deny) it.

Regards, Rene
Hi,

Ah, no, I just closed it, it seems, based on what the real issue in that bug was: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903900

Regards, Rene
apparmor ships an /etc/apparmor.d/abstractions/nvidia — but AFAICT each
app needs to #include it, which I agree is rather silly. E.g.,
Thunderbird and Totem both include it.
Never tried it, actually. I have such a mix of apps running anyway
that there is no hope of consistency, and I don't run KDE everywhere...
so I'd rather just have LibreOffice look like LibreOffice.
PS: Just saw your other reply about $XAUTHORITY, and yeah, that's how
it's set here. Definitely KDE launched from sddm:
```
1473 ? Ssl 0:00 /usr/bin/sddm
1707 tty7 Ssl+ 90:32 \_ /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{592354bf-2439-40b4-9616-3bd3943e9502} -background none -noreset -displayfd 17 -seat seat0 vt7
11894 ? S 0:00 \_ /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authe60db6a4-a442-404f-9833-9762d7da6686 --id 1 --start /usr/bin/startkde --user anthony
11897 ? S 0:00 \_ /bin/sh /usr/bin/startkde
11960 ? Ss 0:00 \_ /usr/bin/ssh-agent env LD_PRELOAD=libgtk3-nocsd.so.0 /usr/bin/startkde
12010 ? S 0:00 \_ kwrapper5 /usr/bin/ksmserver
```
... going to try to figure out why my machine is different than yours.
Yes, it is. I think the worst which can happen (I at least hope..) is no acceleration or OpenGL features (I consider LO using OpenGL for some stuff a nuisance anyway, but some stuff of it got disabled upstream anyway).

Here it was just apt install sddm kde-plasma-desktop. (don't use KDE myself.)

Regards, Rene
```
clone 911897 -1
retitle 911897 apparmor denies /tmp/xauth-1000-_0 set by sddm/KDE
retitle -1 please include nvidia apparmor abstraction to allow nvidia driver resources
severity -1 wishlist
tag -1 - unreproducible
tag -1 - moreinfo
tag -1 + wontfix
thanks
```

Making a bug out of this for documentation purposes. Wontfix, though.

Regards, Rene
So, I installed a new Buster VM to test it out. Install was pretty standard, basically selecting KDE under what to install. And it turns out... it uses *both* ~/.Xauthority and /tmp/xauth-* on the same desktop session. That is so WTF I had to commemorate it with a screenshot. Which one you get depends on the exact way the app is launched. In the screenshot, the xterm on the left was launched as part of session restore; the one on the right was launched from the KDE menu (bottom-left thingy). The same thing happens on my normal desktop. I normally launch my xterms via a KDE hotkey, those get the /tmp one. (And normally I start libreoffice from an xterm). That could explain how it was missed — launch it from the menu instead, and it'll be given ~/.Xauthority. I'm not sure what the intended behavior is here; the current behavior of using both files is surely a bug in KDE. Seems perfectly reasonable to reassign to them.
Hi, Ah... And I "of course" launched konsole from the menu... (Alt-F2, konsole gives the same.) Hmm. Regards, Rene
Hi,
I too have seen this /tmp/xauth.. stuff (I'm a KDE user), and asked about it on the AppArmor mailing list [0],
and later on debian-devel [1].
Nothing new since then, I haven't given it any more time, but what I would like to achieve is an
"agreement" that if some Debian package changes some "popular" environment variable (like
XAUTHORITY or TMPDIR or whatever), it should ship an AppArmor "tunable" file with these variables
appended. Like in this case, it could be a `/etc/apparmor.d/tunables/env.d/kde-plasma` file with these
contents:
```
XAUTHORITY += /tmp/xauth-@{uid}-_[0-9]* r,
```
And that XAUTHORITY would be used in abstractions/X [2] include, that is used in every GUI
application profile.
If you take a look at these mailing list emails, you'll see that not all applications use /tmp/xauth,
some still use ~/.Xauthority... I do not know what's the deal here...
Maybe I should just propose to add this `/tmp/xauth..` path into the AppArmor upstream X abstraction, or
we just add it into the LO profile. In most cases, if an application includes the "kde" abstraction, it allows
reading `/tmp/*` via the `user-tmp` abstraction [3], so no problems are seen. For the smaller
`oosplash` - it's otherwise.
[0] https://lists.ubuntu.com/archives/apparmor/2018-July/011714.html
[1] https://lists.debian.org/debian-devel/2018/08/msg00107.html
[2] https://gitlab.com/apparmor/apparmor/blob/f729391deb165a0100e27659a0d93bcf17eae067/profiles/apparmor.d/abstractions/X#L20
[3] https://gitlab.com/apparmor/apparmor/blob/f729391deb165a0100e27659a0d93bcf17eae067/profiles/apparmor.d/abstractions/kde#L17
Also Rene, please add a usertag for any AppArmor-related bug, so the AppArmor team could see what's going on.
Dear submitter, as the package libreoffice has just been removed from the Debian archive experimental we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1069123 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)