#911897 AppArmor complain about /tmp/xauth-1000-_0, set by KDE

Package:
libreoffice-core
Source:
libreoffice
Description:
office productivity suite -- arch-dependent files
Submitter:
Anthony DeRobertis
Date:
2025-08-08 14:20:31 UTC
Severity:
normal
Tags:
#911897#5
Date:
2018-10-25 21:49:27 UTC
From:
To:
I understand the goal is to get AppArmor back in to enforcing mode
someday, so presumably these complain-mode allow messages are of use.
Presumably the xauth one will affect a lot of people (as that's the
value of $XAUTHORITY here, set by KDE/sddm). Then there is a lot of
nVidia stuff, probably from this machine using the nVidia proprietary
driver.

(Side note, I understand sandboxing web browsers and the like with
AppArmor. Firefox shouldn't have random access to $HOME. But I wonder if
it's really worth it for LibreOffice; by its nature it must have access
to my important documents. But that's a discussion for elsewhere, I'm
sure.)

Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.729:201): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.849:202): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:203): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:204): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:205): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:206): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:207): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:208): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:209): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.333:287): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.453:288): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:289): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:290): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.465:291): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25519 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:292): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:293): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:294): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:295): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=25519 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:44 Zia kernel: audit: type=1400 audit(1540500764.469:296): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=25519 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.387:372): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=26523 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.491:373): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.615:374): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:375): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:376): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:377): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=26536 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:378): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/sys/devices/system/memory/block_size_bytes" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:379): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:380): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/driver/nvidia/params" pid=26536 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:55:57 Zia kernel: audit: type=1400 audit(1540500957.631:381): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidia-modeset" pid=26536 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

#911897#10
Date:
2018-10-26 15:26:56 UTC
From:
To:
Hi,

Maybe.

Then the nvidia drivers (which I do not care about at all, to be honest)
or libdrm or whatever should ship needed stuff. I mean, it's not LO using
the stuff directly, it's those. It would imho be completely nonsense to
make LO honour driver-specific things for every possible driver.

I think I saw these once in another report where I reassigned that one
or a clone to either of those, need to search for it...

Yes, and there's the "get xyz from the filesystem" or "do not run xyz
after a security bug was used" scenario.

I wouldn't have written a profile if one (incomplete and ooold, as noticed.) wasn't
already there and ready to be installed.

Not that it matters here, but no -kde(5) even when you're using KDE?

Regards,

Rene

#911897#15
Date:
2018-10-26 16:00:25 UTC
From:
To:
tag 911897 + moreinfo
tag 911897 + unreproducible
thanks

Really?

$ echo $XAUTHORITY
/home/rene/.Xauthority

(set by sddm logging into GNOME)

Shouldn't - if KDE set it - it not have been found when Vincas did
https://cgit.freedesktop.org/libreoffice/core/commit/?id=c86e4ad53391d17d1eb54845b5999889f7e65061
?

$ echo $XAUTHORITY
/home/rene/.Xauthority

(set by sddm logging into Plasma)
                                                           ^^^^^^^^^^^^^^^^^^

root@frodo:~# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.oosplash
Setting /etc/apparmor.d/usr.lib.libreoffice.program.oosplash to enforce
mode.
root@frodo:~# aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to
enforce mode.

Starts fine and does NOT print above (or deny) it.

Regards,

Rene

#911897#24
Date:
2018-10-26 16:22:01 UTC
From:
To:
Hi,

Ah, no, I just closed it, it seems, based on what the real issue in that
bug was:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903900

Regards,

Rene

#911897#29
Date:
2018-10-26 16:13:00 UTC
From:
To:
apparmor ships an /etc/apparmor.d/abstractions/nvidia — but AFAICT each
app needs to #include it, which I agree is rather silly. E.g.,
Thunderbird and Totem both include it.
Never tried it, actually. I have such a mix of apps running anyway
that there is no hope of consistency, and I don't run KDE everywhere...
so I'd rather just have LibreOffice look like LibreOffice.


PS: Just saw your other reply about $XAUTHORITY, and yeah, that's how
it's set here. Definitely KDE launched from sddm:

  1473 ?        Ssl    0:00 /usr/bin/sddm
  1707 tty7     Ssl+  90:32  \_ /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{592354bf-2439-40b4-9616-3bd3943e9502} -background none -noreset -displayfd 17 -seat seat0 vt7
11894 ?        S      0:00  \_ /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authe60db6a4-a442-404f-9833-9762d7da6686 --id 1 --start /usr/bin/startkde --user anthony
11897 ?        S      0:00      \_ /bin/sh /usr/bin/startkde
11960 ?        Ss     0:00          \_ /usr/bin/ssh-agent env LD_PRELOAD=libgtk3-nocsd.so.0 /usr/bin/startkde
12010 ?        S      0:00          \_ kwrapper5 /usr/bin/ksmserver

... going to try to figure out why my machine is different than yours.

#911897#34
Date:
2018-10-26 16:52:08 UTC
From:
To:
Yes, it is.

I think the worst which can happen (I at least hope..) is no acceleration or OpenGL
features (I consider LO using OpenGL for some stuff a nuisance anyway, but some
stuff of it got disabled upstream anyway).

Here it was just apt install sddm kde-plasma-desktop. (don't use
KDE myself.)

Regards,

Rene

#911897#39
Date:
2018-10-26 17:05:39 UTC
From:
To:
clone 911897 -1
retitle 911897 apparmor denies /tmp/xauth-1000-_0 set by sddm/KDE
retitle -1 please include nvidia apparmor abstraction to allow nvidia
driver resources
severity -1 wishlist
tag -1 - unreproducible
tag -1 - moreinfo
tag -1 + wontfix
thanks

Making a bug out of this for documentation purposes. Wontfix, though.

Regards,

Rene

#911897#48
Date:
2018-10-26 17:24:52 UTC
From:
To:

So, I installed a new Buster VM to test it out. Install was pretty
standard, basically selecting KDE under what to install. And it turns
out... it uses *both* ~/.Xauthority and /tmp/xauth-* on the same desktop
session. That is so WTF I had to commemorate it with a screenshot.

Which one you get depends on the exact way the app is launched. In the
screenshot, the xterm on the left was launched as part of session
restore; the one on the right was launched from the KDE menu
(bottom-left thingy). The same thing happens on my normal desktop. I
normally launch my xterms via a KDE hotkey, those get the /tmp one. (And
normally I start libreoffice from an xterm). That could explain how it
was missed — launch it from the menu instead, and it'll be given
~/.Xauthority.

I'm not sure what the intended behavior is here; the current behavior of
using both files is surely a bug in KDE. Seems perfectly reasonable to
reassign to them.

#911897#53
Date:
2018-10-27 08:41:37 UTC
From:
To:
Hi,

Ah... And I "of course" launched konsole from the menu...
(Alt-F2, konsole gives the same.)

Hmm.

Regards,

Rene

#911897#60
Date:
2019-02-14 18:10:11 UTC
From:
To:
Hi,

I too have seen this /tmp/xauth.. stuff (I'm a KDE user), and asked about it on the AppArmor mailing list [0],
and later on debian-devel [1].

Nothing new since then, haven't given it any more time, but what I would like to achieve is an
"agreement", that if some Debian package changes some "popular" environment variable (like
XAUTHORITY or TMPDIR or whatever), it should ship an AppArmor "tunable" file with these variables
appended. Like in this case, it could be a `/etc/apparmor.d/tunables/env.d/kde-plasma` file with these
contents:

```
XAUTHORITY += /tmp/xauth-@{uid}-_[0-9]* r,
```

And that XAUTHORITY would be used in abstractions/X [2] include, that is used in every GUI
application profile.

If you take a look at these mailing list emails, you'll see that not all applications use /tmp/xauth,
some still use ~/.Xauthority... I do not know what's the deal here...

Maybe I should just propose to add this `/tmp/xauth..` path into the AppArmor upstream X abstraction, or
we just add it into the LO profile. In most cases, if an application includes the "kde" abstraction, it allows
reading `/tmp/*` via the `user-tmp` abstraction [3], so no problems are seen. For the smaller
`oosplash` - it's otherwise.

[0] https://lists.ubuntu.com/archives/apparmor/2018-July/011714.html
[1] https://lists.debian.org/debian-devel/2018/08/msg00107.html
[2] https://gitlab.com/apparmor/apparmor/blob/f729391deb165a0100e27659a0d93bcf17eae067/profiles/apparmor.d/abstractions/X#L20
[3] https://gitlab.com/apparmor/apparmor/blob/f729391deb165a0100e27659a0d93bcf17eae067/profiles/apparmor.d/abstractions/kde#L17
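
The complain-mode audit lines from the original report can be reduced to a deduplicated list of candidate file rules per profile. The sketch below is an added example, not part of this thread or of any AppArmor tool. The sample lines are copied from the report, the `/tmp/xauth-...` glob is the one proposed in the message above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: five audit lines copied from the report above (one is a repeat).
SAMPLE_LOG = '''\
Oct 25 16:52:11 Zia kernel: audit: type=1400 audit(1540500731.877:200): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/tmp/xauth-1000-_0" pid=25385 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.729:201): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/usr/share/nvidia/nvidia-application-profiles-390.87-rc" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:203): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:205): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/dev/nvidiactl" pid=25398 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Oct 25 16:52:12 Zia kernel: audit: type=1400 audit(1540500732.861:207): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/modules" pid=25398 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letters -> profile permission letters (c/d, create/delete, need w).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
XAUTH = re.compile(r"^/tmp/xauth-\d+-_\d+$")
XAUTH_GLOB = "/tmp/xauth-@{uid}-_[0-9]*"  # glob taken from the proposal above


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def candidate_rules(log_text):
    """Map profile name -> sorted, deduplicated candidate file rules."""
    perms = defaultdict(set)  # (profile, owner?, path) -> permission letters
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("apparmor") not in ("ALLOWED", "DENIED") or "name" not in f:
            continue
        path = XAUTH_GLOB if XAUTH.match(f["name"]) else f["name"]
        # "owner" restricts the rule to files owned by the accessing user.
        owner = f.get("fsuid") is not None and f.get("fsuid") == f.get("ouid")
        # denied_mask is the part of the request the profile did not cover.
        mask = f.get("denied_mask", "")
        perms[(f["profile"], owner, path)] |= {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
    rules = defaultdict(list)
    for (profile, owner, path), letters in sorted(perms.items()):
        mode = "".join(c for c in "rwaklm" if c in letters)
        if mode:
            rules[profile].append(f"{'owner ' if owner else ''}{path} {mode},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```

The output is a starting point for review, not a finished profile: each path still needs a decision on whether it belongs in the LibreOffice profile, in an abstraction such as `abstractions/nvidia`, or nowhere.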

#911897#65
Date:
2019-02-14 18:16:47 UTC
From:
To:
Also Rene, please add usertag for any AppArmor-related bug, so AppArmor team could see what's going on.

#911897#70
Date:
2024-04-17 11:53:46 UTC
From:
To:
Dear submitter,

as the package libreoffice has just been removed from the Debian archive
experimental we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1069123

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
