summaryrefslogtreecommitdiffstats
path: root/debian/patches/apparmor-gnupg-tofu.diff
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/apparmor-gnupg-tofu.diff')
-rw-r--r--debian/patches/apparmor-gnupg-tofu.diff28
1 files changed, 28 insertions, 0 deletions
diff --git a/debian/patches/apparmor-gnupg-tofu.diff b/debian/patches/apparmor-gnupg-tofu.diff
new file mode 100644
index 0000000000..a2ee52f404
--- /dev/null
+++ b/debian/patches/apparmor-gnupg-tofu.diff
@@ -0,0 +1,28 @@
+From: Benjamin Barenblat <bbaren@google.com>
+Subject: Support tofu+pgp trust model in GnuPG
+Bug-Debian: https://bugs.debian.org/955271
+Forwarded: no
+
+GnuPG supports a trust-on-first-use layer that sits on top of the
+standard PGP trust model. If this is enabled, 'gpg --list-keys' needs
+write and lock permissions on the TOFU database to return any useful
+data. Allow this access through AppArmor.
+
+--- libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin
++++ libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin
+@@ -2,6 +2,7 @@
+ #
+ # Copyright (C) 2016 Canonical Ltd.
+ # Copyright (C) 2018 Software in the Public Interest, Inc.
++# Copyright (C) 2021 Google LLC
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+@@ -215,6 +216,7 @@ profile gpg {
+
+ owner @{HOME}/.gnupg/* r,
+ owner @{HOME}/.gnupg/random_seed rk,
++ owner @{HOME}/.gnupg/tofu.db rwk,
+ }
+
+ # probably should become a subprofile like gpg above, but then it doesn't